Confidentiality and Privacy Policy

Heal Through Play is committed to protecting the confidentiality and privacy of personal information which the organisation collects, stores, and administers and that persons dealing with us understand our practices in relation to the management of personal information.

Scope and purpose

This policy applies to all staff (paid and unpaid), contractors, participants, and online users. This policy has been developed to provide a framework for Heal Through Play’s legal and ethical expectations in dealing with confidentiality and privacy matters.


Personal information (as defined by the Privacy Act 1988)
Is information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not.

Sensitive information (As defined by the Privacy Act 1988)
Is information or opinion about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices, criminal record, or health, genetic or biometric templates, which is also personal information.

Implies the relationship of confidence between the organisation and individuals.

General matters

We recognise the rights of participants and employees for Heal Through Play to maintain their privacy and confidentiality and to have their information administered in ways which they would reasonably expect.

As a ‘contracted service provider’ in both the state and commonwealth jurisdictions, where a service agreement exists:

  • in the commonwealth jurisdiction (as a contract between a commonwealth government agency and Heal Through Play, the Privacy Act 1988 will prevail and apply, and
  • in the state jurisdiction (as a contract between a state government agency and Heal Through Play the Information Privacy Act 2009 will prevail and apply.

All new and current records will be administered in accordance with the Australian Privacy Principles (APPs) and Heal Through Play’s Recordkeeping Policy. When the personal information is no longer required, it will be destroyed in a secure manner, deleted or de-identified in accordance with legal or compliance requirements.

Staff members will receive training in awareness of the privacy principles and this policy.

Dignity and privacy will also be extended to participants when they visit our premises with the provision of private meeting rooms to undertake confidential discussions, when it is applicable and available to do so.

It is a criminal offence for any individual to falsify records and any staff member who is aware of this occurring is to report it immediately to their supervisor or senior management.

Collection, use and disclosure of information

Heal Through Play collects personal or health information for the purpose of delivering direct services, administering processes associated with service delivery e.g. referrals, meeting any requirements for government funding, monitoring, or evaluating the services we provide, to comply with legal obligations or to produce annual reports or for research purposes. Heal Through Play also collects personal information from employees for the purpose of administering their employment conditions. The nature and extent of the information collected by Heal Through Play varies depending on the individual’s interaction with us.

Such information may include:

  • Contact details (name, address, email, etc.)
  • Personal details (date of birth, gender, income, emergency contacts, etc.)
  • Information on personal issues and experiences, areas of interest or relationships
  • Family background or supports that participants may have in the community
  • Health information and/or medical history
  • Criminal history
  • Credit card or bank account details, donation history
  • Australian Business Number (ABN)
  • Server address and online visit information

This information may be collected by Heal Through Play using in-person interviews, intake, registration, or application processes, online or electronic registration or communications, questionnaires or over the telephone. Any individual who accesses external links via our website will need to check that particular website’s privacy policy.

If participants would like to access any Heal Through Play services on an anonymous basis or using pseudonym, the participant is required to advise us and, if it is possible and lawful, we will take all reasonable steps to comply with the request. However, Heal Through Play may not be able to provide the services in question if we are not provided with the personal information requested.

Heal Through Play only uses personal information for the purposes for which it was given to us, or for purposes which are relation to one of our services. We may also disclose information to other external organisations such as funding bodies, contractors who work for us, health care professionals who assist us to deliver services, other regulatory bodies, referees, or our professional advisors including our accountants, auditors, and solicitors.

Any personal or health details collected will not be disclosed to any other person or agency external to Heal Through Play without the individual’s written consent or unless required or authorised by law. If we receive information about an individual from a third party, Heal Through Play will take all reasonable steps to contact that individual to ensure that you are aware of the purposes for which we are collecting that information.

It should be noted that ‘use’ and ‘disclosure’ are separate practices, with ‘use’ being the handling or management of information within Heal Through Play, whereas ‘disclosure’ is when information is released from our control to another individual or entity.

Exemptions for disclosure

A legal requirement to disclose personal information may override the APPs; this is known as a ‘duty of care.’ Situations where this may occur include the following:

  • Where there is serious risk of abuse or physical harm to the individual or other person, including our participants, the general public and own employees
  • Where the disclosure if required under a law
  • Where the individual would reasonably expect us to use or give that information, e.g. referral processes
  • When the disclosure is necessary by or for a law enforcement agency (e.g. prevention, investigation, prosecution of punishment of criminal offences, protection of public revenue, preparation or implementation of a court or tribunal order.)

In the event that a legal need for disclosure arises, the employee will inform their supervisor or manager prior to making the decision to breach confidentiality and privacy. This decision will also be communicated to the individual unless such advice to the individual is not allowed by legislation.

Information quality and alterations

Heal Through Play takes steps to ensure that information that it collects is accurate, up-to-date, and complete. These steps may include maintaining and updating information either proactively or when we are advised by individuals that the information has changed and can include checking information that is provided by a person about another individual is correct.

Should any information be deemed to be inaccurate or require deletion, the individual can discuss the required amendments with the relevant manager. In the event that a manager declines the request to have information amended, the individual has the right to lodge an appeal of this decision with the Director using the Feedback and Complaint Management Policy and associated procedure.

Information security and access

Heal Through Play ensures that safeguards are in place to protect the personal information it administers against loss, interference, unauthorised access, inappropriate disclosure, modification, or other misuse. These safeguards include reasonable physical and technical steps for both electronic and hard copy records. Some of these include, but are not limited to:

  • Securing information in lockable storage cabinets
  • Not storing personal information in public areas
  • Restricting physical access
  • Positioning electronic equipment so that they cannot be seen or accessed by unauthorised persons, and/or
  • Using passwords, various levels of information systems access, anti-viral software, and firewalls to restrict unauthorised use.

The Code of Conduct also outlines the expectations of staff and contractors to take all reasonable steps to protect organisational and personal information and all employees and third party contractors are required to sign a confidentiality and privacy agreement to that effect.

Requests to access personal information are required in writing and need to be submitted to the relevant Coordinator or Manager. Staff are encouraged to assist participants in completing any written requests for access where required or appropriate to do so. Proof of identity of the individual will be required before any access is granted. To process access requests, refer to the Access to Information Requests section of the Confidentiality and Privacy Procedure.

Heal Through Play reserves the right to charge a reasonable fee as reimbursement for any costs we incur relating to an individual’s request for access to information, including photocopying information or accessing information stored off site.

Privacy for Fundraising Donors

Donors, being individuals or entities that make a contribution of value to Heal Through Play to further our organisational objectives, are generally asked to provide name and contact details which we will keep confidential. We do not hold any sensitive information about our donors and the information we do collect will only be used for the purpose of requesting donations, processing donations, fundraising and keeping records as a history of the donations made.

Donor information will not be disclosed, sold, traded, or rented for any purpose, and will be stored in accordance with the APPs and our own Recordkeeping Policy.

Breach of policy

If a staff member is dissatisfied with the conduct of a colleague regarding privacy and confidentiality of information, the matter should be raised with the staff member’s direct supervisor. If this is not possible or appropriate, follow the steps indicated in the Grievance Policy. Staff members who are deemed to have breached privacy and confidentiality standards set out in this policy may be subject to disciplinary action. An employee’s obligation with respect to confidentiality survives the termination of their employment with Heal Through Play.

If a user of our services is dissatisfied with the conduct of one or more of our staff members regarding privacy and confidentiality of information, the participant is encouraged to have their concern addressed using Heal Through Play’s Feedback and Complaints Management Policy and associated procedures.

Should the individual not be satisfied with the complaint management, they can report their concern to the Office of Australian Information Commissioner (for commonwealth jurisdiction issues) or Office of Information Commissioner Queensland (for state jurisdiction issues).

Review and changes

This policy is to be reviewed every two years. This policy remains in effect unless otherwise determined by the Director.
March 2022.