Privacy Policy
Version: 1.2
Effective Date: 25/10/2024
Applies To: All Santegis employees
Approved By: Principal Consultant, Director
In Australia, the Privacy Act 1988 regulates how personal information is handled.
Santegis is committed to protecting privacy in accordance with the Privacy Act 1988, the Privacy Amendment (Enhancing Privacy Protection) Act 2012 and the Australian Privacy Principles, and recognises the importance of ensuring that all clients understand and trust the systems in place.
All Santegis employees are required to undertake Privacy training within their first year of employment.
The Principal/National Rehabilitation Manager is appointed as Santegis’ Privacy Officer, responsible for overseeing compliance with this policy, responding to privacy queries, and managing any data breach notifications in accordance with the Notifiable Data Breaches (NDB) scheme.
Personal Information
Workers’ compensation, information privacy and health records laws regulate the exchange of personal and health information.
The Privacy Act defines personal information as “information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether the information or opinion is recorded in a material form or not”.
This can include:
Name
Date of birth
Address
Telephone number
Medical records
Bank details
Opinions about an individual
Santegis collects some of this information when a referral is received. It is stored in Vinci (file management software/CRM) and is added to over the life of a case, for example with case notes, reports and emails.
Health Information includes information or opinions regarding an individual’s:
Physical or psychological health
Treatment
Training
Rehabilitation
Injury management
Claim details
Sensitive Information
Sensitive information is defined in the Privacy Act to include information or an opinion about such things as an individual’s racial or ethnic origin, political opinions, membership of a political association, religious or philosophical beliefs, membership of a trade union or other professional body, criminal record or health information.
Sensitive information will be used by Santegis only:
For the primary purpose for which it was obtained
For a secondary purpose that is directly related to the primary purpose
With the individual’s consent; or
Where required or authorised by law.
Collection and Storage of Information
It is Santegis’ practice to collect personal information directly from the individual such as:
medical condition
psychosocial details
functional capacity
recovery at, or return to work goals and beliefs
impact of injury on activities of daily living
All information obtained from a client is used with the aim of providing workplace-based rehabilitation assistance. This information includes all referral documents, reports, case notes, correspondence and verbal discussions. All information collected is documented in line with the principles of good records management. Where reasonable and practicable, Santegis will collect personal information only from the individual concerned. In some circumstances, however, information may be provided by third parties such as treating practitioners or insurers. In such cases Santegis will take reasonable steps to ensure that the individual is made aware of the information provided by the third party.
In limited circumstances Santegis may receive personal information about third parties in documents supplied by individuals. Santegis will obtain the consent of those third parties where it needs to use or disclose that information.
All data is stored in Sydney, NSW, Australia; no offshore access or storage is permitted. Santegis uses the Microsoft Office suite together with SharePoint and OneDrive cloud storage for secure and reliable data access and management.
We manage personal and health information in accordance with:
Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) – which require that personal information is retained only for as long as it is needed for its intended purpose or as required by law.
State and Territory health records legislation (e.g., NSW Health Records and Information Privacy Act 2002) where applicable.
Workers’ compensation record-keeping obligations under the relevant schemes (e.g., SIRA NSW, RTWSA, WorkCover WA).
For workplace rehabilitation and allied health services, records relating to an individual’s health are considered sensitive information. We adopt the following retention practices:
Adult health records: retained for a minimum of 7 years from the date of the last service provision.
Records of children/young people: retained until the individual reaches 25 years of age or 7 years after the last entry, whichever is longer.
Workers’ compensation case records: retained in accordance with jurisdictional legislation (e.g., NSW workers’ compensation records must be kept for 7 years after closure).
After the retention period expires, data is securely deleted, anonymised, or destroyed in compliance with relevant standards and documented destruction protocols.
Use and disclosure
Santegis will only disclose personal information with the worker’s consent, where it is relevant to the purpose for which it was given or directly related to one of Santegis’ functions or activities, and only to the extent the recipient needs (the principle of least privilege). At the commencement of Santegis’ involvement with an individual’s recovery at, or return to, work, the Consultant will inform them whether and how their personal information may be used. An interpreter can be provided if required to ensure the worker understands why they are signing the written consent to release information.
Information is not provided to other government agencies, organisations, or anyone else unless one of the following applies:
the individual has provided written consent
the individual would reasonably expect, or has been told, that information of that kind is usually passed to those individuals, bodies or agencies
it is required or authorised by law
it will prevent or lessen a serious and imminent threat to an individual’s life or health
it is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of public revenue.
Anonymity and Pseudonymity
Where it is lawful and practicable, individuals have the option of not identifying themselves or of using a pseudonym when dealing with Santegis.
DOC-0013 V1.2
Data quality
Santegis will take steps to ensure that the personal information it collects is accurate, up to date and complete. These steps include updating personal information when individuals advise that it has changed, and at other times as necessary.
Records are also updated when new information is received in reports or other correspondence.
Data security
Santegis takes proactive steps to protect the personal information it holds against loss, unauthorised access, use, modification or disclosure, and against other misuse. These steps include password protection for electronic files, securing paper files in locked cabinets, and physical access restrictions to Santegis’ offices. When no longer required, personal information is securely deleted or destroyed, using an authorised local third party where sensitive material must be removed and destroyed.
Santegis operates a multi-layered security framework incorporating AVG and CrowdStrike endpoint security. Multi-factor authentication (MFA) is mandatory on every account and device used to access company data. Data is protected using industry-standard encryption:
In transit: Data transmitted across networks is encrypted using TLS (Transport Layer Security) to prevent interception or unauthorised access.
At rest: Data stored within our systems is encrypted using AES with 256-bit keys. Each file is encrypted with its own unique key, so the compromise of a single key exposes only that file.
Our CRM system is ISO/IEC 27001 certified, and annual penetration testing is conducted to assess and improve system resilience.
Santegis utilises the services of an external contractor for secure bin paper disposal.
Access and correction
Access to data is strictly controlled, monitored, and limited to authorised personnel according to business need, using role-based access controls. All access activity is monitored and audited through Microsoft Exchange compliance monitoring. If an individual requests access to the personal information they have provided to, and that is held by, Santegis, or requests a correction to that information, Santegis will provide access or make the correction. Requests should be made in writing. Likewise, where a third party requests information about a worker, that information must not be provided without first receiving the worker’s written consent. The client can withdraw consent at any time.
Privacy complaints
Privacy complaints should be directed to the Privacy Officer. Complaints will be acknowledged within five (5) business days and resolved within thirty (30) days where practicable. If dissatisfied, individuals may escalate their complaint to the Office of the Australian Information Commissioner (OAIC).
Data Breaches
Santegis complies with the Notifiable Data Breaches (NDB) scheme. In the event of an eligible data breach, Santegis will promptly notify affected individuals and the OAIC in accordance with legislative requirements, and take immediate steps to mitigate risk and prevent recurrence.
Questions regarding this policy should be directed to Santegis by email at admin@santegis.com.au.