Patchwork is a tool to share practitioner information, not to share client information.
We know that the privacy and consent of your clients is crucial in your ongoing work with them.
Since we started using Patchwork in March 2014, we have worked closely with both frontline practitioners and senior management in Education, Health, Police and various NGO’s to ensure these factors are considered in everything Patchwork does.
We only use a client name, address or date of birth to make sure that we have identified the ‘right’ client. No other personal information about a client can be recorded.
Access to Patchwork is restricted to frontline practitioners of agencies that have signed up and been approved to participate in Patchwork (agencies refer other agencies; individuals require a work email address and a reference check with their supervisor).
The tool is accessed via any web browser across a secure, encrypted connection. Data is stored in Australia, and it meets strict guidelines for online security.
Additionally, we have helped some services produce their own guidelines and policies on how Patchwork can be used in their specific organisation.
For more detailed information about privacy specifics, please read below.
Frequently Asked Questions About Patchwork Privacy
What client information is recorded?
Patchwork is a tool to share staff information, not client information. Patchwork records the client’s name, address and/or date of birth to ensure that the ‘right’ client can be uniquely identified in the system.
There is no case information, or free-text field for a practitioner to complete regarding their clients. Nor is there any capacity to upload or attach documents, such as case notes to Patchwork.
Who can see the client information?
Patchwork users can only access details about a client's team by adding themselves to the team or being invited into the team.
Client information will not be shared with another organisation or individual without permission, except when required by law. Some de-identified information may be used for statistical reporting, but this will never include the client’s name.
How is client privacy maintained?
All organisations using Patchwork must follow their own privacy and consent guidelines when searching or adding a client to Patchwork.
Access to Patchwork is restricted to authorised staff of agencies that have signed up and been approved to participate in Patchwork.
Do users need to get consent from their clients before adding them to Patchwork?
All Patchwork users need to ensure they follow the privacy, consent and best practice guidelines of their organisation before adding a client to Patchwork.
What happens if a client wants to be removed?
Clients can request to be removed from Patchwork at any time by telling the staff member they are working with or emailing email@example.com.
What if my role is sensitive?
If your role is sensitive and you do not want to openly disclose it to other users on Patchwork (e.g. domestic violence health worker) you can set your profile to a more generic role (e.g. health worker).
Purpose for the sharing of personal information
The purpose of Patchwork is to facilitate the sharing of information between agencies and their partners using the Patchwork application to improve collaboration for the benefit of our clients.
Sharing is justified because the information contained within Patchwork is the absolute minimum necessary to promote cooperation between services which is vital in keeping children, young people and adults safe and promoting their welfare.
Government agencies involved in providing services to the public have a legal responsibility under the NSW Privacy and Personal Information Protection Act 1998 (the Privacy Act) to ensure their dealings with a person’s personal information is lawful, and that an individual’s right to privacy is respected.
Patchwork is a proportionate response to the problem of multi agency information sharing, and uses the principle that the responsibility to share is as important as the responsibility to maintain privacy.
This principle in relation to children and young persons is set out in Chapter 16A of the Children and Young Persons (Care and Protection) Act 1998. For more information on Chapter 16A see below.
By joining Patchwork, organisations are confirming their intention to deal with information in a lawful and controlled way.
Privacy & Chapter 16A
‘Chapter 16A’ refers to Chapter 16A of the Children and Young Persons (Care and Protection) Act 1998.
Under Chapter 16A, prescribed bodies, including many human services and justice agencies and NGOs, are able to share information relating to the safety, welfare and well-being of children and young people without consent, where necessary, and whether or not the child or young person is known to FACS.
The information can be provided if the provider reasonably believes that the provision of the information would assist the recipient to make any decision, assessment or plan or to initiate or to provide any service relating to the safety, welfare and wellbeing of the child or young person or class of children or young person.
Prescribed bodies are defined in Chapter 248 (6) of the Care Act and clause 8 of the Children and Young Persons (Care and Protection) Regulation 2012.
Organisations not specifically mentioned there may be covered by the following general description: ‘any other organisation the duties of which include direct responsibility for, or direct supervision of, the provision of health care, welfare, education, children’s services, residential services, or law enforcement, wholly or partly to children.’
Who else may this information be shared with?
Patchwork has been developed by FutureGov, a digital and design company for public services. FutureGov will not have access to the live data unless this is agreed by all parties and would be solely for the purposes of technical management. Any software updates will be tested on a development server using dummy data, before being securely deployed to the live environment.
Information will not be shared with any other organisations or individuals that have not been invited and approved to join Patchwork, except where required by law.
What security protects Patchwork data?
Patchwork is accessed via the Internet, and it meets the strictest guidelines for online security outlined by the NSW Government Digital Information Security Policy version 1.0 (Nov 2012) and is ISO 27001 Accredited.
The program and data are stored in Australia by an accredited IL2 standard company and is accessed via a secure 256 AES encrypted connection.
Users are required to create strong passwords to secure their accounts (minimum is 7 characters and must contain upper and lower case letters, and numbers).
How are changes tracked and audited?
The Patchwork database will log modifications to the data, and the application server will log access to the site. This will provide an auditable trail of activity.
Management of security breaches
In the unlikely event of a security breach, the party discovering the breach will follow their local process and inform firstname.lastname@example.org.
The breach will be investigated under that organisation’s security breach procedure. A security breach includes, but is not limited to:
- Attempts at unauthorised access to the application.
- Compromise of passwords.
- Unauthorised introduction of software to the Patchwork hosting environment.
- Unauthorised modification or tampering with system components.
- Loss of magnetic, optical or other media including printed output, containing Patchwork data, e.g. screen prints, back-up tapes, data extractions, etc.
- Unattended end-user-devices left logged in to Patchwork.
- Flooding of the system with access attempts or data.
If you have any other privacy questions, you can contact us on this website here.