Australian Government - Office of the Australian Information Commissioner

ACT – Department of Disability, Housing and Community Services, The Office for Children, Youth and Family Support Audit Report

Final audit report
Information Privacy Principles audit
Section 27(1)(h) Privacy Act 1988

Audit undertaken: November 2010
Draft report issued: May 2011
Final report issued: July 2011

Part 1 — Introduction

1.1 Background

A Memorandum of Understanding (MoU) exists between the Commonwealth of Australia and the Australian Capital Territory (ACT) Government for the Provision of privacy services in relation to ACT Government Agencies.

Under the terms of the MoU, the Office of the Australian Information Commissioner (the Office) conducted an audit of the ACT Department of Disability, Housing and Community Services' (DHCS') Office for Children, Youth and Family Support (OCYFS) under section 27(1)(h) of the Privacy Act 1988 (Cth) (the Act).

Part 2 — Description of audit

2.1 Purpose

The purpose of the audit was to ascertain OCYFS' compliance with the Information Privacy Principles (IPPs) contained in section 14 of the Act. The audit involved a review of OCYFS' policies and procedures around the handling of personal information, in particular those of the Care and Protection Services (CPS) branch within OCYFS.

2.2 Scope

The audit was conducted in relation to the way CPS handles personal information about its clients, while performing its functions under the Children and Young People Act 2008 (ACT) (the CYP Act) and related instruments.  The audit was specifically focused on the collection, storage and security, quality, use and disclosure of client personal information.

CPS is situated within the Office for Children, Youth and Family Support (OCYFS), an administrative unit of DHCS.

2.3 Timing and Location

The audit was conducted on 10 and 11 November 2010, at CPS's offices in Canberra City.

2.4 Description of Auditee

CPS is a statutory child protection agency servicing the ACT region.  It has legislative responsibility for facilitating coordination across government for the care and protection of children and young people believed to be at risk of harm.

CPS consists of several operational areas:

  1. Centralised Intake Service (including After Hours Crisis Service)
  2. Response Intervention Team
  3. Care Orders Team
  4. Practice Support Unit
  5. Integrated Court Service

The auditors observed OCYFS' personal information handling practices across three different sections of CPS.  A summary of these sections and their functions and activities is set out below.

Centralised Intake Service (CIS)

CIS is responsible for taking reports from members of the public and mandated reporters. As well as taking reports, CIS staff assess the need for an appraisal response, including the urgency rating. A large component of CIS work involves an initial safety visit to the family in order to complete the risk assessment. An outcome of this may include an assessment and support intervention or referral to the Response Intervention Team for appraisal.

CIS also consists of an After Hours Crisis Team which services the community after work hours and on weekends.  The work undertaken by this team is dependent on immediate crises that arise.

Response Intervention Team (RIT)

The main focus of RIT is appraising child protection reports and providing ongoing case management.  RIT's intervention can be voluntary and work with children/young people and their families can be for a defined period of time.  An integral part of RIT's intervention is linking families with services and addressing risk issues.  Alternatively, the work of the team can be more intrusive and involve court orders if the risk of abuse and harm warrants such a response.

Care Orders Team (COT)

COT works with children and young people who are on final court orders. Children on such orders can live at home or in foster care, kinship care or residential care. Care Orders staff work closely with non-government agencies particularly foster care agencies to ensure good outcomes for children who can't live with their families. COT has a responsibility to undertake tasks such as cultural care plans, leaving care plans and annual reviews.

2.5 Information sought prior to the audit

The following documentation was sought from OCYFS prior to the commencement of the audit:

  • a copy of DHCS's latest annual report
  • a current organisation chart for OCYFS
  • copies of staff instructions or memorandums addressing legal and privacy obligations around the handling of client personal information
  • details of OCYFS staff training concerning legal and privacy obligations around the handling of client personal information, including copies of training materials presented to staff
  • any forms or notices provided to clients about the way OCYFS handles their personal information
  • details of who within OCYFS has access to records containing client personal information
  • information about the way OCYFS stores and archives records containing client personal information
  • copies of OCYFS data security policies and procedures
  • information about OCYFS's computer systems and IT policies as they relate to the handling of electronic records containing client personal information
  • outlines of client personal information data flows both within OCYFS and external to third parties

2.6 Audit Opinion

The audit revealed that CPS manages client personal information in accordance with the IPPs.  Consequently, the opinion of the audit team was that CPS was compliant in meeting its obligations under the Act.

However, the auditors noted some areas where CPS could take further steps to strengthen its privacy practices.

These steps relate to notice given to clients under IPP 2 about the collection of their personal information, and were discussed with DHCS and CPS senior staff at the closing conference.  These matters are also set out in Section 3 of this report, and have informed the recommendations summarised in Section 4 of this report.

It is the auditors' view that addressing these recommendations will assist CPS to maintain a ‘best privacy practice' approach to handling client information.

2.7 Follow up review

A follow up review may be undertaken after six months have elapsed from the date of the final report or as indicated by the Director, Compliance.

2.8 Reporting

Completed audit reports of ACT and Australian government agencies commenced after 1 July 2002 are generally published on the Office of the Australian Information Commissioner's web site.

Findings and recommendations from IPP audits that are considered relevant to good privacy practice across the public sector generally are also discussed in the Office of the Australian Information Commissioner's Annual Report.


Part 3 — Audit issues

3.1 IPPs 1-3 Issues — Collection of personal information

  • IPP 1 provides that personal information shall not be collected unless the collection is for a lawful purpose directly related to the collector's functions and activities and necessary or directly related to that purpose.
  • IPP 2 provides that, where a collector solicits and collects personal information directly from an individual, it must inform the individual of the purpose of collection, any legal authorisation or requirement for the collection, and any person, body or agency to which it usually discloses that information.
  • IPP 3 provides that, where a collector solicits and collects personal information generally it must take steps reasonable in the circumstances to ensure that, having regard to the purpose for which the information is collected, the information is relevant to that purpose, up to date and complete, and that the collection does not intrude to an unreasonable extent on the individuals' personal affairs.

Observations

3.1.1 CPS collects client personal information under the CYP Act for the purpose of protecting and promoting the health, safety and wellbeing of children and young people.

3.1.2 The first point of collection of client personal information usually occurs when a report is made to CIS. This could include a Child Concern Report, Prenatal Report, Confidential Report, or an Interstate Care and Protection Report.

3.1.3 Both mandated and non-mandated reporters can make a report to CIS by telephone, email or fax. Client personal information associated with reports can include information about children or young people, people connected with children and young people, or pregnant women. Personal information will also be collected about the person who made the report. All reports must be recorded.

3.1.4 When a report is received, a file is raised and any hardcopy notes or documents regarding the report are added to the file. All reports are also recorded on CPS' electronic client information database and case management system (CHYPS).

3.1.5 People who make reports are given verbal advice about how the information they provide will be handled, and about the confidentiality of their identity. Staff members give this notice contemporaneously when a report is received by telephone or during a follow-up telephone call when a report is received by email or fax.

3.1.6 When collecting information directly from parents and other clients, such as carers and residential workers, including at initial safety and home visits, staff members give a verbal explanation about the way CPS handles personal information. Specifically, staff are advised to inform individuals about their authority to collect information under the CYP Act, that the information will be recorded and stored in a secure manner, and the purposes for which the information will be used.

3.1.7 Team leaders make decisions about whether to interview children on a case by case basis, and staff members generally seek consent from parents beforehand. The age and understanding of the child will determine the level of explanation the child is given about CPS' processes, the kinds of records maintained by CPS, and their rights of access to their information.

3.1.8 CPS uses a number of pro forma documents which provide clients with notice about the way it collects and handles client information under the CYP Act. These include a ‘Consent to Obtain/Share Information Form', an ‘Appraisal Consent Form', an Information Sheet for parents and carers about appraisals, and a Declared Care Team Fact Sheet. Signed consent forms are placed on client files.

3.1.9 CPS is in the process of developing a publication to leave with parents and other clients about the way it handles personal information, particularly at safety and home visits.

3.1.10 CPS provides an information pack to carers entitled A Guide for Foster Carers and Kinship Carers, which contains information about CPS' communication and information sharing practices.

3.1.11 CPS also collects client information from third parties as authorised by the CYP Act, and will generally seek the consent of a child's parent or carer beforehand. This might include collecting information from an ACT Education provider, a health facility, people with parental responsibility or who provide out of home care, or community based services involved with the child and their family.

3.1.12 CPS uses pro forma documents when collecting client information from third parties, and also provides Information Sheets to these parties. These documents set out the legislative authority under which CPS can request client information, and provide notice as to the purpose of collection and how the information will be used.

3.1.13 Requests for client information from third parties must be targeted, in writing, and signed and approved by an appropriate supervisor. This requirement ensures unnecessary or irrelevant client personal information is not collected.

3.1.14 CPS' website contains a link to DHCS' online privacy statement.

Privacy issues

3.1.15 Where reasonable to do so, when collecting information directly from an individual, it is generally preferable to provide individuals with notice about what happens to their information, before the collection takes place, or as close to the point of collection as possible.

This kind of notice allows individuals to make a more informed decision about providing information, in situations where they have a choice about whether they will provide information to CPS.  It also helps ensure that individuals know who is collecting their personal information, and how it may be used and disclosed.

Recommendations

3.1.16 That CPS considers strengthening its IPP 2 notice practices in relation to people who make Reports.

Taking into account the different ways reports may be received, this could include playing a recorded privacy message to incoming callers, providing a privacy notice in an auto email response, and providing privacy information on CPS' website for people considering making a report.

3.2 IPP 4 Issues — Storage and security of personal information

IPP 4(a) requires a record keeper who has possession or control of a record that contains personal information to ensure that the record is protected by security safeguards reasonable in the circumstances against loss, unauthorised access, use, modification, disclosure and other misuse.

IPP 4(b) requires that, if it is necessary for the record to be given to a person in connection with the provision of a service to the record keeper, everything reasonably within the record keeper's power be done to prevent unauthorised use or disclosure of information contained in the record.

Observations

3.2.1 CPS' offices are located in a secure building. Entrance to offices requires the use of a staff access card with photographic ID in the main building entrance, lifts and doors.

3.2.2 All staff, except the After Hours Crisis Team, can only access CPS offices between 7am and 7pm. Access for the After Hours Crisis Team is as per operational needs. Staff access is audited every 6 months and staff are required to undergo police checks before working at CPS.

3.2.3 CPS has a clean desk policy. Only the particular file a staff member is working on is allowed to be on the desk, and only while the staff member is present at their desk. All files are kept in lockable storage cabinets. Keys are kept separate from cabinets.

3.2.4 At the end of each work day, team leaders and operational managers do a sweep of the office and remove and securely store any files that have been improperly left out. Where team leaders and supervisor find files that have not been securely stored away as per the policy, the staff responsible are counselled and reminded of the data security requirements.

3.2.5 Before a staff member with appropriate delegation can access either CHYPS or the CPS email inbox, their access must be approved by a supervisor, who also has the appropriate delegation, on a CHYPS User Access Form. This form, which is signed by the staff member, sets out the privacy responsibilities staff have when using CHYPS. Staff members are also required to undertake CHYPS user training.

3.2.6 Access to CHYPS is limited by a series of layered logins. Staff have individual login details to access their computer desktop and the CPS network, and then separate login details to enter CHYPS. CHYPS passwords expire every 30 days. Level of access to CHYPS is determined by a staff member's duties at CPS, and is assessed on a ‘need to know' basis.

3.2.7 Movement of hardcopy files is tracked using the CHYPS database. CHYPS assigns the location of each file to a named staff member and a specific location.

3.2.8 When staff members leave the office for initial safety visits, they are only permitted to take empty note books and pens. Reports cannot leave the office. Staff members (as mandated reporters) do not record reports out in the field. Reports are created as soon as staff members return to the office.

3.2.9 Staff members are personally responsible for the safety and security of notebooks used for making records out in the field. At all other times notebooks remain the property of CPS and are kept in the office.

3.2.10 Staff members use CPS vehicles when carrying out fieldwork outside of the office, and they must be returned to the office before the staff member can go home for the day. This helps to ensure that staff members return all records to the office as per CPS's procedures. Staff are required to leave vehicles clean and to return keys to CPS.

3.2.11 Any information collected on pagers during CPS's after hours service is deleted nightly.

3.2.12 CPS maintains a security policy for physically transferring hardcopy client files, both within CPS and to and from its archiving facility. Depending on the classification of the information contained in the file, the required steps could include (but are not limited to) placing files in single or double envelopes with appropriate address information; files may then be passed hand to hand, delivered directly by an authorised messenger, or sent by a SCEC (Security Transport for Government Departments and Agencies) endorsed courier.

3.2.13 Team leaders oversee the transfer of client files between different teams and different floors in accordance with CPS' policy.

3.2.14 When a client file is closed, it is signed off by a supervisor and without delay is sent to CPS's Records Management Unit (RMU). RMU staff log the movements of the file, and secure files in taped boxes. Files are moved to a separate secure storage facility, and can only be retrieved with a formal request signed off by a supervisor. Staff work in this area is monitored, and the CHYPS system is checked weekly to ensure closed files are handled appropriately.

3.2.15 CPS has special procedures in place for restricting access to client records where there may be a conflict of interest. Restricted files are stored separately from other files, and are kept in a locked cabinet to which a team leader controls the key.

3.2.16 CHYPS also has mechanisms to limit electronic access to restricted files that come into effect as soon as a team leader has designated the file as such. Only staff members with specific authorised delegations are able to access restricted files, while attempts to access the files by other staff members are denied and logged. No restricted information is available (including a client's identity) to staff without authorisation.

3.2.17 Restricted files are reviewed monthly, including any access attempts through CHYPS. Where there is a high risk of improper access, CHYPS audit logs are reviewed weekly.

3.2.18 The CHYPS system also maintains an audit log of who has accessed an electronic file and who has changed a document. Audits can be searched by user or client, or by a comprehensive log showing all activity. Audit logs cannot be amended by anyone, including CHYPS administrators.
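The following is an added illustrative model of the restricted-file controls described in 3.2.16 to 3.2.18: a restriction set by a team leader takes effect immediately, users without a delegation get nothing back (not even the client's identity) and their attempt is logged, every access is recorded in a log that can be searched by user or by client, and the log offers no amend or delete operation to anyone. It is not code from CHYPS, CPS or the Office; the class names, user names and the sample record are all constructed for the example.

```python
"""Illustrative model of restricted-file access control with an append-only audit log.
Added example; not code from CHYPS, CPS or the Office. All identifiers are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class AuditEvent:
    """One immutable audit entry: who touched which client record, and the outcome."""
    when: str
    user: str
    client_id: str
    action: str   # "read" or "restrict"
    outcome: str  # "allowed" or "denied"


class AuditLog:
    """Append-only log. It deliberately provides no amend or delete operation,
    so there is no code path (even for administrators) that alters history."""

    def __init__(self) -> None:
        self._events: List[AuditEvent] = []

    def record(self, user: str, client_id: str, action: str, outcome: str) -> None:
        when = datetime.now(timezone.utc).isoformat()
        self._events.append(AuditEvent(when, user, client_id, action, outcome))

    def by_user(self, user: str) -> List[AuditEvent]:
        return [e for e in self._events if e.user == user]

    def by_client(self, client_id: str) -> List[AuditEvent]:
        return [e for e in self._events if e.client_id == client_id]

    def all_activity(self) -> List[AuditEvent]:
        return list(self._events)  # a copy: callers cannot mutate the log


class ClientRecord:
    def __init__(self, client_id: str, identity: str, notes: str) -> None:
        self.client_id = client_id
        self.identity = identity
        self.notes = notes
        self.restricted = False
        self.authorised: Set[str] = set()  # users with a delegation once restricted


class CaseStore:
    """Toy case-management store that enforces the restricted-file rule."""

    def __init__(self, log: AuditLog, team_leaders: Set[str]) -> None:
        self.log = log
        self.team_leaders = team_leaders
        self.records: Dict[str, ClientRecord] = {}

    def add(self, rec: ClientRecord) -> None:
        self.records[rec.client_id] = rec

    def restrict(self, actor: str, client_id: str, authorised: Set[str]) -> bool:
        """Only a team leader may designate a file restricted; it applies at once."""
        if actor not in self.team_leaders:
            self.log.record(actor, client_id, "restrict", "denied")
            return False
        rec = self.records[client_id]
        rec.restricted = True
        rec.authorised = set(authorised)
        self.log.record(actor, client_id, "restrict", "allowed")
        return True

    def read(self, user: str, client_id: str) -> Optional[dict]:
        """Return the record, or None plus a logged denial when the user lacks a
        delegation. On denial nothing is disclosed, not even the client's identity."""
        rec = self.records.get(client_id)
        if rec is None:
            return None
        if rec.restricted and user not in rec.authorised:
            self.log.record(user, client_id, "read", "denied")
            return None
        self.log.record(user, client_id, "read", "allowed")
        return {"client_id": rec.client_id, "identity": rec.identity, "notes": rec.notes}


def denied_attempts(log: AuditLog, client_id: str) -> List[AuditEvent]:
    """Review helper for the periodic check of access attempts on a restricted file."""
    return [e for e in log.by_client(client_id) if e.outcome == "denied"]


def run_demo() -> dict:
    """Constructed scenario: one record, restricted by a team leader, then two reads."""
    log = AuditLog()
    store = CaseStore(log, team_leaders={"lead.a"})
    store.add(ClientRecord("C-0001", "Constructed Name", "constructed progress note"))
    store.restrict("lead.a", "C-0001", authorised={"worker.y"})
    blocked = store.read("worker.x", "C-0001")   # no delegation: None, logged as denied
    allowed = store.read("worker.y", "C-0001")   # delegated: full record returned
    return {"blocked_got_nothing": blocked is None,
            "allowed_identity": allowed["identity"],
            "denied_count": len(denied_attempts(log, "C-0001"))}


if __name__ == "__main__":
    print(run_demo())
```

The point of the model is where the decisions sit: the access check and the log write are in the same code path, so a denial can never occur without a corresponding entry, and `AuditLog` simply has no method that removes or rewrites an entry, which is the property 3.2.18 describes for CHYPS administrators.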

3.2.19 CPS' policy states that client files cannot be taken out of the office, except for court hearings, and when they are being archived. When files are taken to court hearings, they are kept in a secure locked bag, which stays with the officer at all times.

3.2.20 When Declared Care Teams are established, members are provided with Information Sheets about their confidentiality obligations. A verbal reminder of these obligations is provided by CPS at Team meetings.

3.2.21 CPS does not allow staff members to have remote access to its IT systems.

3.2.22 Staff members cannot delete data once it has been entered on the CHYPS system. Data can only be deleted by an administrator in response to a formal request.

3.2.23 If it is suspected that a staff member has misused the CHYPS system and their access to classified information, all of their access to CHYPS is shut down until the matter has been investigated and resolved in line with CPS' policy for dealing with suspected misuse of access to classified information ‘When Misuse of Access to Classified Information Occurs Guidelines and Procedures'.

3.2.24 The Guidelines and Procedures set out measures to prevent misuse, examples of misuse, reasons to suspect misuse, the steps that must be followed if misuse is suspected (including disciplinary actions and procedures), appeal rights for employees against disciplinary action, and information on criminal charges and offences.

3.2.25 The CHYPS system is backed-up nightly, including its audit logs, to prevent loss of client information even in the event of a system break down. Taped back-ups are also maintained monthly.

3.2.26 The CHYPS system only has a limited number of administrators.

3.2.27 InTACT (the information and communication technology service organisation within the ACT Department of Territory and Municipal Services) has full access to the CHYPS system. InTACT staff with access to CHYPS have high level security clearances, and must comply with confidentiality requirements. Access to CHYPS and CPS servers by InTACT staff is also logged, and these audit logs cannot be amended.

3.2.28 When client files are closed, CPS' Records Management Unit (RMU) organises for files to be transferred and stored at an offsite secondary secure facility. This facility is managed by a contract service provider which has national security classifications applicable to its premises.

Privacy issues

3.2.29 There were no specific issues identified in the audit in relation to CPS's security and storage practices.

3.3 IPP 8 Issues — Record-keeper to check accuracy etc of personal information before use

  • IPP 8 provides that a record keeper who has possession or control of a record that contains personal information shall not use that information without taking steps that are reasonable in the circumstances to ensure that, having regard for the purpose for which the information is proposed to be used, the information is accurate, up to date, and complete.

Observations

3.3.1 Reports are approved by team leaders before they can be entered and finalised into CHYPS.

3.3.2 After receiving a report, CPS collects further information about its clients directly from them and from authorised third parties to test the veracity of the information contained in the report.

3.3.3 Any hand written notes taken in the field are added to the hardcopy client file upon return to the office in order to ensure completeness of the file.

3.3.4 Any client observations made out in the field are recorded as soon as possible after the staff member has returned to CPS's office. Recording this information as contemporaneously as possible helps ensure the quality of the records.

3.3.5 Staff are encouraged to create clear, objective and descriptive file notes to ensure the accuracy of client information maintained on file. CPS provides training in this regard as part of its Introduction to Records Management training module.

3.3.6 Team leaders conduct random audits of client files managed by case officers as a quality assurance check. Also, before client files are closed and transferred to RMU, team leaders audit all files to ensure that the hardcopy and electronic file reconcile with each other and that the information contained in the file is complete.

3.3.7 The CHYPS system maintains user version control in relation to electronic documents until changes are finalised. The CHYPS system also ensures that progress notes are automatically finalised within 5-7 days to ensure data integrity.

3.3.8 Staff receive CHYPS training on their responsibility to maintain the integrity of the data they enter. The integrity of data entered into the CHYPS system is checked via reporting and manually. The CHYPS system sends an alert when a record is created for a client already in the system, in order to avoid improper duplication of records.

Privacy issues

3.3.9 There were no specific issues identified in the audit in relation to CPS's IPP 8 practices.

3.4 IPPs 10-11 — Limits on use and disclosure of personal information

  • IPP 10.1 provides that a record keeper who has possession or control of a record that contains personal information that was obtained for a particular purpose shall not use the information for any other purpose unless one or more of certain exceptions apply.
  • IPP 10.2 provides that, where personal information is used under IPP 10.1(d) the record keeper shall include in the record containing that information a note of the use.
  • IPP 11 provides that a record keeper who has possession or control of a record that contains personal information shall not disclose the information to a person, body or agency (other than the individual concerned) unless one or more of certain exceptions apply.
  • IPP 11.2 provides that, where personal information is disclosed under IPP 11.1(e) the record keeper shall include in the record containing that information a note of the disclosure.

Observations

3.4.10 CPS uses and discloses client information to protect and promote the health, safety and wellbeing of children and young people, and to develop interventions where appropriate. The CYP Act sets out CPS's authority to use and disclose client information when performing its functions under the Act.

3.4.11 Only staff with the appropriate delegations are authorised to disclose client information under the CYP Act. CPS maintains its current delegations on its intranet.

3.4.12 CPS must take into account the best interests of a child or young person when making any decision to share or disclose information under the CYP Act.

3.4.13 CPS generally seeks the informed and written consent of individuals before sharing their personal information. CPS staff members also discuss decisions about information sharing with children and young people in an age appropriate way, depending on their level of understanding.

3.4.14 CPS can also share certain client information without consent where legislative processes under the CYP Act are invoked. The CYP Act authorises CPS to disclose client information to third parties and designated ‘information sharing entities' and in certain circumstances, if it is in the best interests of a child or young person to do so.

3.4.15 The CYP Act also authorises CPS to disclose information to members of a Declared Care Team. Members of Declared Care Teams are made aware of their information sharing responsibilities through a Fact Sheet and verbal notice in order to prevent improper disclosure of client information outside of the Team. Care Teams are generally established for limited periods.

3.4.16 CPS may disclose client information to a limited number of other third parties, including a court, an investigative entity, or an interstate child protection agency where authorised or required to do so under the CYP Act.

3.4.17 CPS can also disclose client information when required or authorised to do so under another law in force in the ACT.

3.4.18 CPS must not disclose information that identifies an individual who made a report or that would allow the identity of that individual to be worked out, except when ordered to do so by a court in certain circumstances.

Privacy Issues

3.4.19 There were no specific issues identified in the audit in relation to the way CPS uses and discloses client information.

3.5 Other Privacy Matters

Privacy training and knowledge

Observations

3.5.1 CPS delivers induction and regular privacy training to staff members. These modules include, but are not limited to:

  • Orientation training
  • Information Sharing training
  • Introduction to Record Keeping
  • Introduction to Records Management
  • Records Management training
  • Children and Young People Act 2008 training
  • Records and Reporting training
  • Charter of Rights for Children and Young People in Out of Home Care training
  • Provision of Information, Review of Decisions and Complaints - Policies and Procedures training, and
  • CHYPS training.

The auditors sighted training material for all of these modules.

3.5.2 CPS maintains a record of staff attendance to ensure that all staff are up-to-date with their training sessions.

3.5.3 CPS maintains a policy where staff members receive one and a half hours of professional supervision every fortnight regarding performance and case management, including compliance and accountability in terms of record-keeping. Time spent on supervision is recorded and lodged with the Operations Manager.

3.5.4 CPS uses outsourced training about interviewing children to ensure the quality of information collected using this method, including avoiding misleading questions and strategies for checking a child's understanding.

3.5.5 Administrative staff are trained in line with CPS's records management policies regarding the packing and transferring of client files.

3.5.6 CPS maintains a number of documented policies for staff regarding privacy and information handling responsibilities. These include, but are not limited to:

  • Orientation Reference Guide
  • OCYFS Information Sharing Policy and Procedures
  • CPS Policy and Procedure Manual
  • CHYPS confidentiality information
  • Records Management Program Policy and Procedures
  • ICT Policies, Standards and Guidelines
  • CHYPS Senior Staff Guide
  • CHYPS manual for staff
  • DHCS Code of Conduct
  • DHCS Client Service Standards, and
  • Declared Care Teams - A guide for team members and staff.

The auditors sighted all of these documented policies.

3.5.7 CPS provides staff with access to relevant legislation, policies, procedures and directions via its intranet portal.

3.5.8 The auditors noted that CPS staff are acutely aware of privacy issues in their work as well as the relevant privacy and information handling policies and legal requirements in operation.

Privacy Issues

3.5.9 There were no other issues identified in the audit in relation to other privacy matters.


Part 4 — Summary of recommendations

Recommendation

4.1 That CPS considers strengthening its IPP 2 notice practices in relation to people who make Reports.

Auditee Response

The auditee accepted this recommendation and made the following comments:

  • In carrying out its work, the Directorate of the auditee strives to improve the privacy of individuals. As such, the auditee welcomes the recommendation made by our Office, that it strengthen its IPP 2 notice practices
  • The auditee proposes to implement this recommendation by 1 July 2011. Its first measure involves a privacy message recording, targeted at the Centralised Intake Service's incoming callers. Secondly, the auditee will insert privacy notices in its automatic email response to child concern reports. Finally, the auditee has indicated that privacy information will be available on its website, to educate individuals who are considering making a child protection report. The web address provided is http://www.dhcs.act.gov.au/
  • In addition to the above, CPS has published a pamphlet entitled ‘What happens when a care and protection worker visits you'. This pamphlet will be provided to parents and other stakeholders, so as to inform them on the auditee's information handling practices.