Privacy, Confidentiality and Information Management Policy

Purpose

Bodyfocus Wellness Centre is committed to protecting the privacy, confidentiality, integrity, and security of information collected, used, stored, and managed in the course of providing services and conducting business operations.

This policy outlines the organisation's approach to information management and establishes expectations for all personnel regarding the handling of confidential and sensitive information.

Scope

This policy applies to all employees, contractors, students, volunteers, and other personnel engaged by Bodyfocus Wellness Centre.

The policy applies to all information held by the organisation, including patient information, employee information, business records, and other confidential information.

Policy Statement

Bodyfocus Wellness Centre is committed to:

  • Respecting the privacy and confidentiality of patients, employees, and other stakeholders.

  • Protecting information from unauthorised access, use, disclosure, alteration, or loss.

  • Maintaining accurate and secure records.

  • Ensuring information is accessed only by authorised persons for legitimate business purposes.

  • Complying with applicable privacy, health records, and information management requirements.

  • Promoting responsible use of organisational information systems and technology.

Confidential Information

Confidential information may include, but is not limited to:

  • Patient records and health information

  • Personal information

  • Employee records

  • Financial information

  • Business records

  • Incident reports

  • Complaint records

  • Organisational documents

  • Information obtained through professional duties

Personnel must not disclose confidential information except where authorised, required for legitimate work purposes, required by law, or where appropriate consent has been obtained.

Collection and Use of Information

Information will be collected, used, and disclosed only for legitimate business, clinical, operational, or legal purposes.

Personnel must only access information necessary to perform their duties.

Access to information must be restricted according to role, responsibilities, and operational requirements.

Information Systems

Bodyfocus Wellness Centre utilises electronic systems to manage clinical, workforce, governance, and training information.

Information must be stored within approved organisational systems and managed in accordance with organisational policies and procedures.

Personnel must not establish unofficial records or store organisational information in unauthorised locations.

Patient Records

Patient records are maintained within approved clinical information systems.

Personnel may access patient information only where necessary for the provision of services or the performance of authorised duties.

Patient information must be recorded accurately, professionally, and in a timely manner.

Employee Records

Employee records are maintained within approved workforce management systems and are accessible only to authorised personnel.

Employee information will be managed confidentially and in accordance with applicable legal and organisational requirements.

Information Security

Personnel are responsible for taking reasonable steps to protect information from unauthorised access, loss, misuse, or disclosure.

This includes:

  • Maintaining secure passwords

  • Protecting login credentials

  • Logging out of systems when not in use

  • Securing devices used for work purposes

  • Following organisational cybersecurity requirements

  • Reporting suspected security incidents

Passwords and system access credentials must not be shared with others.

Portable Devices and Personal Storage

Patient information and other confidential organisational information must not be stored on personal devices, personal cloud storage services, portable storage devices, or unauthorised systems unless specifically authorised by management.

Personnel must take reasonable precautions to protect information when accessing organisational systems remotely.

Remote Access

Approved organisational systems may be accessed remotely where authorised and appropriate to the person's role.

Personnel accessing information remotely must ensure:

  • Information is protected from unauthorised viewing or access.

  • Devices are appropriately secured.

  • Confidentiality is maintained at all times.

Artificial Intelligence and Approved Technologies

Personnel must only use organisation-approved technologies, software platforms, and artificial intelligence tools when collecting, processing, storing, transmitting, analysing, or documenting organisational information.

Unauthorised use of artificial intelligence tools or external services involving confidential or patient information is prohibited.

Additional requirements relating to approved technologies may be addressed in separate organisational procedures.

Information Sharing and Disclosure

Information may only be disclosed:

  • With appropriate consent;

  • For legitimate clinical or business purposes;

  • Where required or authorised by law;

  • To manage risks to health, safety, or wellbeing;

  • In accordance with organisational policies and procedures.

Only the minimum necessary information should be disclosed to achieve the intended purpose.

Records Retention and Disposal

Records will be retained and disposed of in accordance with applicable legal, professional, and organisational requirements.

When records are no longer required, they will be securely destroyed or disposed of using approved methods.

Breaches of Privacy or Confidentiality

Any actual or suspected privacy breach, confidentiality breach, information security incident, or unauthorised disclosure must be reported to management as soon as practicable.

Such incidents may be managed in accordance with the Incident Management Policy and other relevant organisational procedures.

Training and Awareness

Personnel will receive information, training, or guidance regarding privacy, confidentiality, and information management requirements appropriate to their role.

Compliance with this policy forms part of each employee's professional responsibilities.

Responsibilities

Management

Management is responsible for:

  • Maintaining appropriate information management systems;

  • Implementing reasonable security measures;

  • Providing training and guidance;

  • Managing privacy and confidentiality incidents;

  • Monitoring compliance with organisational requirements.

Employees and Other Personnel

Personnel are responsible for:

  • Protecting confidential information;

  • Accessing information only where authorised;

  • Following organisational policies and procedures;

  • Reporting privacy, confidentiality, or security concerns;

  • Maintaining professional and ethical standards.