Privacy & Confidentiality

This policy ensures we protect and handle personal information in accordance with the Privacy Act 1988, the Australian Privacy Principles (APPs), the NDIS Act 2013 and the NDIS Practice Standards. We acknowledge each individual's right to privacy while recognising that personal information must be collected, maintained and administered in order to provide safe, high-quality NDIS supports and services.

The information we collect is used to deliver quality NDIS supports, maintain participant safety and wellbeing, meet our legal and regulatory obligations, and support effective business operations.

Guidelines

We are committed to complying with the privacy requirements of the Privacy Act 1988, the Australian Privacy Principles, the NDIS Act 2013, the NDIS Practice Standards and the Privacy Amendment (Notifiable Data Breaches) Act 2017.

We collect and manage the following types of information:

  • Personal details (name, contact information, date of birth)
  • Health and disability information
  • Support needs and goals
  • NDIS plan details
  • Service delivery records
  • Images and recordings (with consent)
  • Financial information for payment processing

Our information collection methods include:

  • Direct collection from you or your authorised representatives
  • From the NDIA with your consent
  • From other service providers with your permission
  • Through our service delivery activities

Each individual has the right to:

  • Access their personal information
  • Request corrections to their information
  • Withdraw consent for information sharing
  • Opt out of providing personal details (where legally possible)
  • Lodge privacy complaints
  • Choose whether to participate in NDIS audits

Where we are required to report to government funding bodies, the information provided is non-identifiable and is limited to the services and support hours provided, age, disability, language and nationality.

Personal information will only be shared:

  • With your explicit consent
  • When legally required
  • For mandatory reporting of incidents
  • To protect someone’s safety
  • As required by court order

Security of information

We take reasonable steps to protect the personal information we hold through:

  • Password-protected digital systems with encryption
  • Secure physical storage in locked facilities
  • Access restricted to authorised personnel
  • Regular security audits and updates
  • Staff privacy training and confidentiality agreements

Data breaches

In the event of a data breach:

  • Immediate steps will be taken to contain the breach
  • A full investigation will be conducted to establish what information was involved and which individuals are affected
  • Affected individuals will be notified within 24 hours
  • The incident will be reported to the relevant authorities, including the Office of the Australian Information Commissioner where the breach is an eligible data breach under the Notifiable Data Breaches scheme
  • Remedial actions will be implemented

Breach of privacy and confidentiality

A breach of privacy and confidentiality is an incident and must be handled under the Manage Incident process.

A breach of privacy and confidentiality may require an investigation.

An intentional breach of privacy and confidentiality will result in disciplinary action up to and including termination of employment.

Data Storage

We store data securely and protect it from unauthorised access. This includes the following provisions:

  • Storing hard-copy data in a locked cabinet
  • Storing soft-copy data in a password-protected file management system
  • Emailing personal profiles only to authorised staff
  • Where data is accessed or stored in countries other than Australia, the following additional provisions apply:
      • Any soft copies of data are destroyed on a weekly basis
      • Soft-copy data must not be exported from local storage via USB devices, printers, bare-metal servers, cloud servers or similar means
      • Customers' personal data is not stored in hard-copy format outside Australia

Disclosure of personal information overseas

We may disclose personal information to recipients who are overseas. The situations in which we may transfer personal information overseas include:

  • Delivery of services to NDIS participants by overseas contractors (where consent has been given or the disclosure is otherwise legally permitted)
  • Provision of personal information to recipients through a web-based email account or customer relationship management (CRM) software whose data is stored on an overseas server

Data is accessed in accordance with this policy in the following countries: Australia, India and Kenya.

Complaints and Enquiries

Privacy complaints can be made to:

  • Your service coordinator
  • Our Privacy Officer
  • The NDIS Commission
  • The Office of the Australian Information Commissioner

All complaints will be addressed within 30 days.

Applicability

When

  • Applies to all personal information and sensitive information, including the personal information of employees and participants
  • Applies to all company confidential information, that is, any information that is not publicly available

Who

  • Applies to all representatives, including key management personnel, directors, full-time workers, part-time workers, casual workers, contractors and volunteers

What makes us successful

“I struggle a lot with trusting and connecting to people, however Zac and the team at ISM have helped me every step of the way to maximise the benefits that I gain from mine and my children’s NDIS plans. Now I wouldn’t let anyone else provide this service to us.”

- A proud mother and customer since 2016.