Provider Factsheet - Management of Client Records

The Department of Health (the department) is responsible for managing and administering the Australian Government Hearing Services Program (the program).

As specified in the Service Provider Contract (the contract), program client records are owned by the Commonwealth. Contracted Service Providers (providers) must manage, store, transfer and dispose of program client records in accordance with the contract, program legislation, the Archives Act 1983, the Privacy Act 1988 and the Freedom of Information Act 1982.

Client personal and health information is deemed sensitive information under the Australian Privacy Principles (APP) and extra precautions are required in the management of this information.

Records Management Policies and Procedures

Ownership and custody

The contract specifies at clause 11.2 that program client records, and any copies of client records, are Commonwealth Records. Clause 11.3 of the contract requires providers to comply with all requests of the Commonwealth in relation to program client records.

Access to client records

Creation of records

Complete client records consist of all the information relating to a client.

Digitisation of paper records

The department encourages all providers to move to electronic records. The National Archives of Australia (NAA) guide Digitising accumulated physical records provides useful information and tips on digitisation of paper documents.

Storage

Providers are obligated by the APP (under the Privacy Act) to take steps to protect information from misuse, interference, loss, unauthorised access or disclosure. This includes the use of physical and/or software-based security systems.

Whether kept in paper or electronic format, the storage of client records must meet the following requirements:

Paper Record Storage

Electronic Record Storage

Cloud Storage

Cloud storage allows for shared access to documents via the internet or a company network, but must still ensure the protection of client records. Under clause 17.5 of the contract, program client records must not be taken outside Australia without prior written approval from the Commonwealth. This includes storing client records on overseas servers.

The Australian Signals Directorate (the ASD) no longer certifies cloud service providers and all previous certifications are now void. Providers can continue to use their previously certified cloud services. Any new providers entering the program or existing providers wishing to change their cloud provider or start using cloud services must contact the Program at hearing@health.gov.au before storing client records on a new service.

Non-Program Information

It is a private business decision how pre-program information is held (i.e. records created prior to the client becoming a program client). However, records of private services provided to clients while they are a program client must be kept with the client record. Refer to the Private Services and Devices factsheet for further details.

Backup

To ensure the integrity and availability of client records in electronic storage systems, providers must have disaster recovery and business continuity plans that include the backup of client records.

File Transfers

Provider Closures

If a provider ceases providing services under the contract, all client records that are not to be transferred to a new provider must be returned to the department. These client records must be transferred in the same format as they are held and must not be split between paper and electronic records. Any results and reports from systems such as NOAH, Simply Hearing or Fitting Wizard must be included in a format that is accessible (i.e. printed for paper records and PDF for electronic records).

Destruction

Please note that from 21 June 2019 there is a freeze on the destruction of Commonwealth records. Providers must not destroy any program client records until the Department of Health advises that the freeze has ended. This includes records of program clients who are deceased or who have not accessed the program for seven or more years.

Where a paper client record has been digitised, and the electronic client record is to become the original record, the source record (paper client record) can be destroyed. Please contact the program via hearing@health.gov.au for requirements.

The disposal freeze on all program client records falls under the terms of reference for the Royal Commission into Violence, Abuse, Neglect and Exploitation of People with Disability.

Providers must hold all records until they are informed they can be destroyed, or they are required for the Royal Commission.

As per section 24(1) of the Archives Act 1983 (Cth), penalties apply for records disposed of in breach of this freeze order.

More information, including the Notice of Disposal Freeze, is available on the Disposal freezes and retention notices page of the National Archives Authority website.

Data Breaches

Under the Notifiable Data Breaches (NDB) scheme (Part IIIC of the Privacy Act), a notifiable data breach occurs if

If a notifiable data breach occurs, providers must advise the client/s and the Office of the Australian Information Commissioner (OAIC), and follow the requirements under the NDB scheme. Under clauses 20.6 and 24.1 of the contract, the department must also be notified of any notifiable data breaches.

Further information regarding identifying eligible data breaches and determining serious harm is available on the NDB scheme page of the OAIC website.

Compliance Monitoring

Program requirements are monitored in accordance with the program Compliance Monitoring and Support Framework. Where required, the department will notify the OAIC of any identified breaches of the Privacy Act and will follow the instructions of the OAIC in relation to any notified breaches.

Persistent or significant non-compliance with any of the legislative or contractual requirements in relation to program records management may result in referral for compliance actions up to and including actions under Part 6 of the contract (Breach and Termination) and/or referral to the OAIC for actions under Part V of the Privacy Act (Investigations etc.).

Further Information

Answers to frequently asked questions on program records management requirements are available on the program website. Further advice and guidance on general records management is available on the NAA website.
