Privacy Policy
Privacy and Information Storage Policy
Introduction
ELEV8 Consulting is committed to protecting the privacy and confidentiality of personal information that we collect, use, store, and disclose in the course of providing our services.
This policy outlines our approach to privacy and information storage, and explains the measures that we have put in place to ensure compliance with privacy laws and best practices.
Purpose and Scope
This Privacy and Information Storage Policy applies to all personal, health and sensitive information collected, held, used or disclosed by ELEV8 Consulting in the delivery of services across all programs and schemes.
This includes, but is not limited to, services delivered under:
- the NSW workers compensation scheme (SIRA)
- the Comcare scheme
- the National Disability Insurance Scheme (NDIS)
- Aged Care programs, including the Support at Home program
This policy supports compliance with applicable privacy, health records, information security and scheme-specific legislative and regulatory obligations.
Roles and Responsibilities
All employees of ELEV8 Consulting Pty Ltd are responsible for complying with this policy and ensuring the protection of personal information. The Managing Director is responsible for monitoring compliance with this policy and ensuring that all employees are trained on privacy and confidentiality requirements.
Legislative and Regulatory Framework
ELEV8 Consulting’s Privacy and Information Storage Policy is underpinned by a comprehensive framework of Commonwealth, state, and territory legislation, as well as relevant industry standards. As a workplace rehabilitation provider and registered NDIS service provider, our organisation is committed to upholding the highest standards of privacy, security, and ethical information management in compliance with the following laws and regulations:
Commonwealth Legislation
- Privacy Act 1988 (Cth): including compliance with the Australian Privacy Principles (APPs), which set out how we collect, use, disclose and store personal information and manage privacy-related requests.
- Notifiable Data Breaches (NDB) Scheme (under the Privacy Act 1988): requires mandatory reporting of data breaches likely to result in serious harm to individuals.
- National Disability Insurance Scheme Act 2013 (Cth): governs the handling of personal and sensitive information of NDIS participants and underpins the NDIS Practice Standards, including expectations around participant confidentiality and privacy.
- Fair Work Act 2009 (Cth): relevant where personal information relates to employment or HR practices.
- Safety, Rehabilitation and Compensation Act 1988 (Cth): relevant for cases managed under the Comcare scheme, including obligations regarding the secure handling of rehabilitation and injury-related information.
State and Territory Legislation
- Workers Compensation Act 1987 (NSW) and Workplace Injury Management and Workers Compensation Act 1998 (NSW): provide the framework for handling and storing health and rehabilitation information related to workplace injury cases.
- Health Records and Information Privacy Act 2002 (NSW): governs the collection, storage, access and use of health information in NSW.
- Work Health and Safety Act 2011 (Cth and state-based variants): governs the safe management of health-related information in the context of workplace rehabilitation services.
- Workers Compensation Act 1951 (ACT): guides the management of personal and health information for services delivered under the ACT WorkSafe scheme.
Our Commitment
This legislation and regulatory framework ensures that all personal and health information collected and managed by ELEV8 Consulting is handled lawfully, transparently, and ethically. It supports our responsibility to safeguard the rights of clients, employees, NDIS participants, and all other stakeholders, and is embedded into the procedures and systems used across our operations.
Collection, Use, and Disclosure of Personal Information
ELEV8 Consulting collects, uses, and discloses personal information only for purposes that are relevant to our services, and that have been consented to by the individuals concerned. We obtain consent through a detailed consent form that outlines the purposes for which personal information will be collected, used, and disclosed, and we review this consent annually to ensure that it remains valid and up-to-date.
ELEV8 Consulting limits the collection of personal information to what is necessary for the intended purpose, and ensures that any personal information that we collect is accurate, complete, and up-to-date. We use and disclose personal information only for the purpose for which it was collected, unless we obtain consent or are required by law to do so.
ELEV8 Consulting does not sell, trade, or rent personal information to third parties. We only disclose personal information to third parties when it is necessary to provide our services, or when we are required by law to do so.
As part of service delivery, ELEV8 Consulting uses digital forms to obtain consent and complete biopsychosocial screenings. The information collected through these forms is stored in a platform whose data storage is hosted on Amazon Web Services (AWS) and Google Cloud infrastructure.
These platforms provide encryption, access controls and regular security audits to safeguard sensitive data. Consistent with HIPAA requirements, form data is encrypted in transit during collection and at rest in storage, so personal health information is protected throughout its lifecycle.
Consent Management and Withdrawal of Consent
ELEV8 Consulting ensures that individuals provide informed and voluntary consent for the collection, use, and disclosure of their personal information. For sensitive information, such as health records, we take extra steps to obtain explicit consent. Individuals have the right to withdraw consent at any time by contacting us directly. Upon withdrawal of consent, ELEV8 Consulting will cease any further use or disclosure of the individual’s personal information unless required by law.
Information Integrity and Accuracy
Information collected, recorded and stored by ELEV8 Consulting must be accurate, complete and reflect actual service delivery, assessment findings and professional judgement.
Records must not be altered, withheld, selectively presented or manipulated in a manner that could mislead workers, insurers, employers, regulators or other stakeholders, including within the NSW workers compensation scheme.
Regulatory Access and Disclosure
Where required by law, scheme conditions or regulatory authority, ELEV8 Consulting may disclose relevant information to oversight bodies, including SIRA, Comcare, the NDIS Quality and Safeguards Commission and the Aged Care Quality and Safety Commission.
Such disclosures are limited to what is lawful, necessary and proportionate, and are managed in accordance with this policy and applicable legislative requirements.
This includes access to records required for SIRA audits, evaluations, compliance reviews or investigations conducted in accordance with the Workplace Rehabilitation Provider Approval Framework.
Independence and Appropriate Information Sharing
Personal and health information must only be shared with insurers, employers or other third parties where lawful, appropriate and consistent with informed consent and scheme requirements.
Information must not be disclosed in a manner that compromises worker choice, independence of service delivery or ethical decision-making under the NSW workers compensation scheme.
Information shared with insurers or claims service providers is limited to what is lawful, necessary and scheme-appropriate, and must not be provided in a manner that influences claims decision-making, service selection or return-to-work outcomes.
Information Storage and Security
ELEV8 Consulting stores personal information in a secure manner to prevent unauthorised access, use or disclosure. We use a case management system that is designed to ensure the security of personal information. Only staff who need it for their role have access to a case and its details, and all activity and communication relating to the case are completed through the system to minimise the risk of privacy breaches.
Any personal information that we collect as part of assessments or attendance at appointments is transferred onto the case management system in electronic form, and hard copies are then destroyed to further minimise the risk of unauthorised access.
ELEV8 Consulting uses appropriate physical, technical, and administrative safeguards to protect personal information against loss, theft, unauthorised access, use, or disclosure. We regularly review and update our security measures to ensure that they remain effective and up-to-date.
Records relating to NSW workers compensation matters are maintained in a manner that supports scheme-specific compliance, traceability and auditability, including clear identification of service type, reporting obligations and decision-making records.
Australian Privacy Principles (APPs) Compliance
ELEV8 Consulting is committed to complying with the Australian Privacy Principles (APPs) as set out in the Privacy Act 1988. These principles govern the collection, use, storage, and disclosure of personal information.
Data Access, Correction and Protection
ELEV8 Consulting recognises the right of individuals to access and correct their personal information that we hold. We provide individuals with access to their personal information upon request, and we allow them to correct any errors or omissions that they identify.
Access to personal information must be granted on a need-to-know basis, and employees are prohibited from sharing or disclosing any personal information with unauthorised individuals.
All ELEV8 Consulting employees are required to use a strong password to protect access to ELEV8 Consulting’s information systems. All ELEV8 Consulting data is backed up regularly and securely.
Personal information is deleted or destroyed in accordance with the Privacy Act 1988 when it is no longer required, and ELEV8 Consulting ensures that all hard copies of personal information are securely destroyed.
Retention and Destruction of Personal Information
ELEV8 Consulting retains personal information only for as long as necessary to fulfil the purposes for which it was collected, in accordance with the Privacy Act 1988 and any contractual obligations. Personal information will be securely destroyed or de-identified when it is no longer required. Our retention periods vary depending on the nature of the information:
- Client records: retained for a minimum of seven years after the last contact, or longer where required by law.
- Employee records: retained in accordance with applicable employment and taxation laws.
We use secure methods for the destruction of physical documents (e.g. shredding) and digital data (e.g. permanent deletion from systems).
Privacy Breaches and Data Incidents
ELEV8 Consulting takes privacy breaches seriously. A privacy breach includes any unauthorised access to, disclosure of, or loss of personal or health information that may result in harm.
All suspected or actual privacy breaches must be reported internally as soon as practicable in accordance with the Incident Response Procedure.
Where a privacy breach, data loss or unauthorised disclosure occurs, ELEV8 Consulting will assess whether notification to affected individuals and/or regulators is required, including SIRA where the incident relates to NSW workers compensation services.
Where required by law, scheme conditions or contractual obligations, ELEV8 Consulting will also assess whether notification to relevant insurers, claims service providers (CSPs) or state regulatory bodies is required.
Breach assessment, response actions, notifications and any associated remedial actions are managed in accordance with the Incident Response Procedure.
Notifiable Data Breaches (NDB) Scheme
ELEV8 Consulting complies with the Notifiable Data Breaches (NDB) Scheme under the Privacy Act 1988. Where we suspect that personal information has been subject to unauthorised access, disclosure or loss that is likely to result in serious harm, we will complete an assessment of whether it is an eligible data breach within 30 days of becoming aware of the suspected breach. If an eligible data breach is confirmed, ELEV8 Consulting will:
- Notify affected individuals as soon as practicable, with recommendations on how they can mitigate potential harm.
- Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable after confirming the breach.
- Follow our Incident Response Procedure to contain the breach and prevent recurrence.
Complaints Mechanism and Escalation
ELEV8 Consulting is committed to addressing privacy-related complaints promptly and transparently. Complaints regarding our handling of personal information can be made to our Privacy Officer. We aim to:
- Acknowledge receipt of complaints within five business days.
- Investigate and respond to complaints within 30 business days.
- If a complaint cannot be resolved internally, we will inform the individual of their right to escalate the matter to the Office of the Australian Information Commissioner (OAIC) for further review. Individuals may contact the OAIC through their website or by phone for more information on lodging a complaint.
Risk Assessment Process
ELEV8 Consulting ensures the security and integrity of personal data through systematic risk assessments aligned with the ISO 27001 standard. These assessments help identify, assess and manage risks to the confidentiality, integrity and availability of personal data.
Process:
- Annual Assessments: Conduct comprehensive risk assessments annually to evaluate the vulnerabilities, threats, and impacts associated with the handling and storage of personal data within all systems used by ELEV8 Consulting.
- Assessment on Significant Changes: In addition to annual assessments, perform risk assessments whenever significant changes occur in our operational environment or IT systems. These changes may include new software implementations, major updates, or changes in data processing activities.
- Methodology: Utilise the ISO 27001 framework to guide the risk assessment process. This involves:
- Identification of Risks: Map out areas where personal data is stored, processed, or transmitted and identify potential threats to these data assets.
- Risk Analysis: Assess the potential impact and likelihood of identified risks, considering both the physical and digital landscapes of our operations.
- Risk Evaluation: Prioritise risks based on their potential impact on our operations and the sensitivity of the personal data affected.
Documentation and Record-Keeping:
- Maintain thorough documentation of all risk assessments, including the methodology used, risks identified, decisions made, and actions taken. This documentation will be reviewed as part of our annual compliance audit and will be available for regulatory review upon request.
Responsibility:
The Strategic Growth and Operations Manager (Data Protection Officer) is responsible for operational oversight of privacy risk management, breach response coordination and regulatory notification assessments, with escalation to the Managing Director where required.
Detailed Controls on Access Management
Our commitment at ELEV8 Consulting is to safeguard personal data by ensuring access is granted strictly on a need-to-know basis. This is achieved through the implementation of Role-Based Access Control (RBAC) systems, which are integral to our standard operational protocols.
Access Control Strategy:
- Role-Based Access Control (RBAC):
  - Role Definition and Access Assignment: We systematically define roles within our organisation and assign access permissions based on the specific needs of each role. Access is calibrated so that each role receives only the permissions necessary to perform its functions.
  - Ongoing Management and Updates: Our access controls are updated to respond to changes in job roles, operational needs or organisational structure. This includes routine additions, removals or adjustments of access rights, so that they remain aligned with current job responsibilities.
  - Example of Implementation: Within our HR management system, access to sensitive employee personal records is restricted exclusively to members of the HR department. This restriction is enforced to maintain confidentiality and data integrity.
- Periodic Review of Access Rights:
  - Scheduled Reviews: We conduct annual reviews of all access rights to confirm that they continue to meet the necessary standards of security and appropriateness.
  - Responsive Reviews: Beyond scheduled reviews, we perform ad-hoc reviews in response to specific triggers such as organisational changes, role modifications or departures, so that access rights are adjusted promptly as circumstances change.
  - Procedural Detail: Each review, whether scheduled or event-driven, compares current access configurations against defined role requirements, and adjustments are made to keep access aligned with our security standards and operational needs.
Documentation and Compliance Assurance:
- Audit Trails and Record Keeping: We maintain detailed records of all defined roles and their corresponding access rights within our secure management systems. Changes to access rights are logged meticulously to create an audit trail that supports compliance and internal audits.
- Security Measures: Robust security measures are in place to protect these records and logs from unauthorised access or tampering, reinforcing our commitment to data security.
Through these detailed controls on access management, ELEV8 Consulting not only ensures the protection of personal data but also embeds data privacy into the fabric of our operational processes. This structured approach underpins our ongoing commitment to upholding the highest standards of data security and regulatory compliance.
Training and Accountability
ELEV8 Consulting provides ongoing training to all employees and contractors on privacy and confidentiality requirements and processes. We ensure that they understand and follow these requirements and processes to protect personal information.
ELEV8 Consulting management is accountable for compliance with privacy and confidentiality requirements. We complete a privacy and confidentiality accountability self-assessment on an annual basis to ensure that effective measures are in place and to consider continuous improvement initiatives for ongoing compliance with privacy laws and best practices.
Complaints and Enquiries
ELEV8 Consulting takes privacy complaints and enquiries seriously. We have procedures in place to receive and respond to complaints and enquiries about our privacy practices. We investigate all complaints and take appropriate measures to address any privacy concerns that are raised.
Breach Response
ELEV8 Consulting has developed an Incident Response Procedure to respond promptly to any suspected or confirmed data breach. The procedure outlines the steps to be taken in the event of a breach, including notification of affected individuals, regulatory bodies and other relevant stakeholders.
Monitoring and Review
ELEV8 Consulting regularly reviews and monitors its policies and procedures to ensure they are up-to-date and effective in protecting personal information. Any changes to policies and procedures will be communicated to employees and other relevant stakeholders. This policy will be reviewed annually or as necessary to ensure compliance with the Privacy Act 1988 and other relevant privacy and confidentiality requirements.
We may make changes to this Privacy and Information Storage Policy from time to time. Any updates will be posted on our website.
PDCA Cycle for Continuous Improvement
At ELEV8 Consulting, we employ the Plan-Do-Check-Act (PDCA) cycle as a fundamental approach to continuously improving our privacy management practices. This systematic process ensures that our privacy policies and practices not only comply with current regulations but also adapt proactively to changes in the legal landscape and technology.
Implementation of the PDCA Cycle:
- Plan:
- Identify Improvements: Assess current privacy management practices to identify areas for improvement. This includes reviewing recent audit findings, stakeholder feedback, and changes in privacy legislation.
- Develop Action Plans: Based on the assessment, develop detailed action plans that outline the steps necessary to enhance our privacy practices. These plans specify objectives, resources needed, responsibilities, and timelines.
- Do:
- Execute Action Plans: Implement the improvements as planned. This may involve revising existing privacy policies, deploying new security technologies, or conducting training sessions for staff on updated privacy procedures.
- Documentation: Ensure all changes and implementations are well-documented. Documentation serves as a reference for future audits and compliance checks.
- Check:
- Monitor and Evaluate: Regularly monitor the effectiveness of implemented changes. Use performance metrics and feedback mechanisms to gather quantitative and qualitative data on how the changes are performing.
- Review Results: Conduct a thorough review of this monitoring data to evaluate whether the privacy enhancements are meeting their intended goals.
- Act:
- Adjustments and Optimisations: Based on the review, make necessary adjustments to the privacy management practices. This could involve fine-tuning policies, further training for employees, or additional changes to security measures.
- Continuous Improvement: Formalise the changes that have proven effective, integrating them into regular operational processes. Identify any new areas for improvement and repeat the cycle, ensuring ongoing enhancement of our privacy practices.
Benefits:
- Adaptability: This cyclical process enables ELEV8 Consulting to remain agile and responsive to new challenges and opportunities in privacy management.
- Compliance Assurance: Regular updates and improvements help ensure compliance with evolving legal requirements and industry standards.
- Stakeholder Confidence: By continuously enhancing our privacy practices, we build and maintain trust with clients, employees, and partners.
Through the diligent application of the PDCA cycle, ELEV8 Consulting ensures that our privacy management system is dynamic, robust, and aligned with best practices. This commitment to continuous improvement reflects our dedication to protecting personal information and maintaining high standards of privacy and security across all operations.
Conclusion
ELEV8 Consulting takes the protection of personal information seriously and has implemented policies and procedures to ensure compliance with the Privacy Act 1988. These policies and procedures provide a strong foundation for protecting personal information and ensuring ongoing compliance with privacy and confidentiality requirements.
