Australian Government - Department of Health - Office of Hearing Services
Hearing Services Program

Provider Factsheet 6 - Management of Client Records

Clients have the right to privacy and confidentiality of their personal information. Contracted Service Providers (providers) are required to comply with a range of legislative, contractual and Department of Health (department) requirements regarding the management of client records.

This includes the management, storage, transfer and disposal of program client records in accordance with the Service Provider Contract (the Contract), program legislation, the Archives Act 1983 (the Archives Act), the Privacy Act 1988 (the Privacy Act) and the Freedom of Information Act 1982 (the FOI Act).

Records Management Policies and Procedures

Ownership and custody

The Archives Act classifies program client records as Commonwealth Records[i]. The Contract, clause 4.1(g), requires acknowledgement that the Commonwealth is the owner of program client records.

  • Transfer of physical client records does not transfer the ownership of the records.
  • Client records must be transferred to the department when a provider ceases to be contracted by the program or to the new provider when a client relocates. Copies of these client records must not be kept except where required by the Contract (for example original claim forms and copies of client receipts).

Access to client records

  • Access to client records must be restricted to only those who require it.
  • Clients can request access to the personal information held on their client record under the Privacy Act. Access can be given by providing a copy of the record or by allowing the client to view the record.
  • Access to information does not give someone ownership of a client record.

Creation of records

Complete client records consist of all the information relating to a client.

  • Complete client records must be accessible and remain complete for seven years from the date the client record was last amended (the minimum retention period).
  • Separate electronic systems records relating to clients do not need to be combined into a single client record unless the complete client record is requested by the Commonwealth or a new provider when the client relocates.
  • Electronic records must also be in a format which is accessible to others, such as PDF.

Digitisation of paper records

The department encourages all providers to move to electronic records. The National Archives of Australia (NAA) guide ‘Digitising accumulated physical records’ provides useful information and tips on the digitisation of paper documents.

  • When digitising client records, the entire record must be digitised.
  • Digitised records must restrict alteration or record all alterations.
  • Digitised records must be in a format which is accessible to others.
  • Digitised paper client records must be carefully checked to ensure the record remains complete and accurate (nothing is missed during digitisation). Certification that this check was done must be included with the record. Information about what is required on the certification is included in the Management of Client Records Frequently Asked Questions.

Storage

Providers are obligated by the Australian Privacy Principles (under the Privacy Act; Australian Privacy Principle 11, security of personal information) to take reasonable steps to protect information from misuse, interference, loss, unauthorised access, modification or disclosure. This includes the use of physical and/or software based security systems.

Whether kept in paper or electronic format, the storage of client records must meet the following requirements:

  • Confidentiality - access must be restricted to only those who require it
  • Integrity - records must be accurate and complete for at least the minimum retention period
  • Availability - records must be accessible for at least the minimum retention period.

Paper Record Storage

  • Paper documents must be kept in a locked cabinet that cannot be accessed by anyone who does not require access and protected by a physical security system.
  • If records are removed (for example to take to a visiting site or home visit), they should be kept in a locked container and out of sight.
  • The paper used must not be able to be easily damaged or degraded. Loose notes (for example sticky notes) should be discouraged. If used, they must be secured in a way that will prevent them being lost.
  • If client records are required by the department or another provider for a relocating client, documents produced in any electronic systems must be printed and provided with the paper file. Providers must have a process in place to ensure the complete record is provided.

Electronic Record Storage

  • Electronic client records must be stored in a password-protected system that cannot be accessed by anyone who does not require access, and be protected with security software.
  • An Electronic Document and Records Management System (EDRMS) with metadata should be used, rather than a standard computer folder system.
  • Electronic documents must be saved in a format which is accessible to others.
  • Providers must have an electronic record disaster recovery/business continuity plan.

Cloud Storage

Cloud storage allows for the access of documents via the internet but must still ensure the protection of client records. Some cloud services have been assessed by the Australian Signals Directorate (the ASD) as meeting a base level of security. A list of certified cloud service providers can be found on the Australian Cyber Security Centre website, noting that not all cloud service products listed are available to private businesses. (Note that the ASD Certified Cloud Services List was retired in July 2020; cloud security assessments are now performed by IRAP assessors, and providers should check the current ACSC guidance.)

  • Providers must not use unsecured cloud services, such as Google Drive, Google Docs, Dropbox etc., as these may be hosted overseas, outside the reach of Privacy Act protections.
  • If a preferred cloud storage service has not been certified by the ASD, providers must have the security of the service assessed. Only an independent Information Security Registered Assessors Program (IRAP) assessor can perform this assessment.
  • Any agreement with a supplier of cloud storage services must include an agreement that the client records will be hosted on an Australian server, will not be disclosed outside Australia and that the records will be encrypted to at least the equivalent of Unclassified with a Dissemination Limiting Marker (DLM) of Sensitive:Personal. (Under the current Protective Security Policy Framework, DLMs have been replaced; the equivalent marking is OFFICIAL: Sensitive.)
  • Providers should request a copy of the cloud service’s ASD Certification.

Non-Program Information

It is a private business decision how non-program information is held (e.g. records created prior to the client becoming a program client).

Backup

To ensure the integrity and availability of client records in electronic storage systems, providers must have disaster recovery and business continuity plans that include the backup of client records.

  • Internal (on-site) backup must take into consideration the risk of a disaster occurring at the site and destroying both the original and backup copies of the client records.
  • External (off-site) backup must take into consideration the location of the backup server (which must be in Australia) and the backup service disaster recovery and business continuity plans.
  • Either backup approach must have protections at least equivalent to the storage system, and must restrict access to only those who require it.


File Transfers

  • Providers must send complete client records to the department or a new provider when directed. Providers must have a process in place to ensure the complete record is provided.
  • Client records can only be transferred between providers where the client has given their authorisation. See the ‘Managing client relocations’ provider factsheet.
  • Transfer of paper client records must be by registered mail or by courier and must contain a printout of any electronic system documents. Records from electronic systems may also be included on a USB drive.
  • Electronic client records can be sent on an encrypted USB drive secured with a password (the password should be communicated to the recipient separately, not with the drive), by registered mail or courier, or by secured and/or encrypted email. The client record must include copies of any results and reports from any electronic system in a format that is accessible.
  • Electronic client records must not be transferred by unsecured email. Ordinary email systems are not secure enough for the transfer of personal health information. If a provider wishes to use a secure and/or encrypted email system for the transfer of electronic client records, the location of any storage, the security of the system and its compliance with the Privacy Act, the Archives Act and program requirements must be taken into consideration.
  • Electronic records must not be printed and sent in paper format. When an electronic client record is printed and then scanned to create a new electronic copy, the quality of the record can become degraded. This does not meet departmental requirements for integrity, and may result in the record, or parts of it, not remaining accessible for the minimum retention period. The transferred record also must not be split between paper and electronic formats.
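The factsheet requires a process to confirm that a transferred electronic record is complete and unaltered, but does not say how. The following is an added example, not part of the factsheet or any departmental tooling, of one such process: the sending provider builds a manifest listing every file in the record with its SHA-256 hash and seals the listing with an HMAC, and the receiving provider verifies that every listed file arrived unchanged and that nothing was dropped or added. The function names (build_manifest, verify_manifest), the shared key and the sample files are assumptions for illustration; the files are constructed stand-ins, not real client data. The manifest is sent alongside the record (for example with the USB drive), and the key is agreed out of band. This checks completeness and integrity only; it does not replace encrypting the drive or the email.

```python
import hashlib
import hmac
import json
import os
import secrets
import tempfile

# Hypothetical helper names chosen for this example; not from the factsheet.


def _sha256_file(path):
    """Hash a file in chunks so large scanned PDFs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _list_files(record_dir):
    """Return relative paths (with '/' separators) of every file under record_dir."""
    found = set()
    for root, _, names in os.walk(record_dir):
        for name in names:
            full = os.path.join(root, name)
            found.add(os.path.relpath(full, record_dir).replace(os.sep, "/"))
    return found


def _seal(files, key):
    """HMAC over a canonical JSON encoding of the file->hash listing."""
    body = json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(record_dir, key):
    """Sender side: hash every file in the record and seal the listing."""
    files = {rel: _sha256_file(os.path.join(record_dir, rel))
             for rel in sorted(_list_files(record_dir))}
    return {"files": files, "hmac": _seal(files, key)}


def verify_manifest(record_dir, manifest, key):
    """Receiver side: return a list of problems; an empty list means the
    record is complete and unaltered relative to the sealed manifest."""
    # Reject a manifest that was itself edited in transit before trusting its listing.
    if not hmac.compare_digest(_seal(manifest["files"], key), manifest["hmac"]):
        return ["manifest HMAC mismatch: listing altered or wrong key"]
    problems = []
    present = _list_files(record_dir)
    for rel, digest in manifest["files"].items():
        if rel not in present:
            problems.append(f"missing: {rel}")
        elif _sha256_file(os.path.join(record_dir, rel)) != digest:
            problems.append(f"modified: {rel}")
    # Files not in the manifest mean the bundle is not the record that was sealed.
    for rel in sorted(present - set(manifest["files"])):
        problems.append(f"unexpected: {rel}")
    return problems


def demo():
    """Build a constructed record, verify it, then damage it and verify again."""
    key = secrets.token_bytes(32)  # assumed to be shared out of band
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "audiograms"))
        # Constructed sample files standing in for a client record.
        with open(os.path.join(d, "client_summary.pdf"), "wb") as f:
            f.write(b"%PDF-1.4 constructed summary")
        with open(os.path.join(d, "audiograms", "2019-03-01.pdf"), "wb") as f:
            f.write(b"%PDF-1.4 constructed audiogram")

        manifest = build_manifest(d, key)
        clean = verify_manifest(d, manifest, key)  # expected: []

        # Simulate an incomplete and altered transfer: drop one file,
        # append to another, and add a stray file.
        os.remove(os.path.join(d, "audiograms", "2019-03-01.pdf"))
        with open(os.path.join(d, "client_summary.pdf"), "ab") as f:
            f.write(b" tampered")
        with open(os.path.join(d, "stray_note.txt"), "wb") as f:
            f.write(b"loose note")
        broken = verify_manifest(d, manifest, key)
    return clean, broken


if __name__ == "__main__":
    ok, bad = demo()
    print("intact record:", ok)
    print("damaged record:", bad)
```

The receiving provider should treat any non-empty result as grounds to reject the transfer and request the record again rather than repairing it locally, since a partial record does not meet the completeness requirement.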

Provider Closures

Prior to a provider ceasing to be a contracted service provider, all client records that are not to be transferred to a new provider must be returned to the department. These client records must be transferred in the same format as they are held, must not be split between paper and electronic records and any results and reports from electronic systems must be included in a format that is accessible.

  • Providers must not keep a copy of a client record, or part of any client record, except where required under the Contract (for example original claim forms and copies of client receipts).

Destruction

Where all documents on a client record are older than seven years, the record may be destroyed.

Where a paper client record has been digitised, confirmed as true and correct, and the electronic client record is to become the original record, the source record (paper client record) should be destroyed.

If a client record is destroyed, the department must be notified via email to hearing@health.gov.au. Information about what is required on the notification is included in the Management of Client Records Frequently Asked Questions.

To destroy a Commonwealth record, it must be made unreadable and irretrievable. Paper documents must be cross-shredded (Class B shredder with maximum particle size 2.3mm x 25mm) or they can be destroyed using a destruction provider who can provide a certificate of destruction.

To ensure the complete destruction of an electronic client record, all copies should be found and destroyed. This includes removing and destroying copies contained in system backups and cloud storage. Simply deleting a file does not make it irretrievable; the data must be securely erased from the storage media, or the encryption key protecting it destroyed, so that it cannot be recovered.

Data Breaches

Under the Notifiable Data Breaches (NDB) scheme (Part IIIC of the Privacy Act), a notifiable (eligible) data breach occurs if

  • there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and
  • the access, loss or disclosure is likely to result in serious harm to any of the individuals to whom the information relates.

A breach is not an eligible data breach if the entity takes remedial action in time to prevent the likely risk of serious harm.

If a notifiable data breach occurs, providers must advise the client/s, the department and the Office of the Australian Information Commissioner (OAIC), and follow the requirements under the NDB scheme.

Further information regarding identifying eligible data breaches and determining serious harm is available on the NDB scheme page of the OAIC website.

Compliance Monitoring

The department will check compliance with record keeping requirements as part of its compliance monitoring activities as outlined in the Compliance Monitoring and Support Framework.

Where required, the department will notify the OAIC of any identified breaches of the Privacy Act and will follow the instructions of the OAIC in relation to any notified breaches.

Persistent or significant non-compliance with any of the legislative or contractual requirements in relation to program records management may result in referral for compliance actions up to and including actions under Section 6 of the Contract (Breach and Termination) and/or referral to the OAIC for actions under Part V of the Privacy Act (Investigations etc.).

Further Information

Answers to frequently asked questions on records management are available on the program website. Further advice and guidance on records management is available on the NAA website.



[i] Section 3 (6) of the Archives Act and Records Authority 2011/00395196.


PF6 - Management of client records (PDF 130 KB)

Management of Client Records Frequently Asked Questions

Provider Factsheet 1 - Documentation and Record Keeping
