Privacy & Confidentiality

This policy ensures we protect and handle personal information in accordance with the NDIS and relevant privacy legislation. We acknowledge an individual’s right to privacy while recognising that personal information is required to be collected, maintained and administered in order to provide a safe working environment and a high standard of quality.

The information we collect is used to provide services to participants in a safe and healthy environment with individual requirements, to meet duty of care obligations, to initiate appropriate referrals, and to conduct business activities to support those services.


We are committed to complying with the privacy requirements of the Privacy Act, the Australian Privacy Principles and for Privacy Amendment (Notifiable Data Breaches) as required by organisations providing disability services.

We are fully committed to complying with the consent requirements of the NDIS Quality and Safeguarding Framework and relevant state or territory requirements.

We provide all individuals with access to information about the privacy of their personal information.

Each individual has the right to opt out of consenting to and providing their personal details if they wish.

Individuals have the right to request access to their personal records by requesting this with their contact person.

Where we are required to report to government funding bodies, information provided is non-identifiable and related to services and support hours provided, age, disability, language, and nationality

Personal information will only be used by us and will not be shared outside the organisation without your permission unless required by law (e.g. reporting assault, abuse, neglect, or where a court order is issued).

Images or video footage of participants will not be used without their consent.

Participants have the option of being involved in external NDIS audits if they wish.

Security of information

We take reasonable steps to protect the personal information we hold against misuse, interference, loss, unauthorised access, modification and disclosure.

Personal information is accessible to the participant and is able for use by relevant workers

Security for personal information includes password protection for IT systems, locked filing cabinets and physical access restrictions with only authorised personnel permitted access

Personal information no longer required is securely destroyed or de-identified.

Data breaches

We will take reasonable steps to reduce the likelihood of a data breach occurring including storing personal information securely and accessible only by relevant workers

If we know or suspect your personal information has been accessed by unauthorised parties, and we think this could cause you harm, we will take reasonable steps to reduce the chance of harm and advise you of the breach, and if necessary the Office of the Australian Information Commissioner.

Breach of privacy and confidentiality

A breach of privacy and confidentiality is an incident—follow the Manage incident process to resolve

A breach of privacy and confidentiality may require an investigation

An intentional breach of privacy and confidentiality will result in disciplinary action up to and including termination of employment.

Data Storage

ISM store data securely, protecting it from unauthorised access. This includes the following provisions:

  • Storing hard-copy data in a locked cabinet
  • Storing soft-copy data in a password protected file management system
  • Emailing personal profiles only to staff
  • Where data is accessed and stored in countries other than Australia the following provisions are required:
  • Any soft copies of data are to be destroyed on a weekly basis
  • Soft data cannot be removed from local storage devices via USB, printers, bare metal servers, cloud servers, or similar
  • Customer’s personal data is not stored in hard copy format.

Disclosure of personal information overseas

ISM may disclose personal information to recipients who are overseas. The situations in which ISM may transfer personal information overseas include:

  • the provision of service delivery of NDIS recipients by overseas contractors (where consent has been given for this ISM or is otherwise legally able to provide this information); and
  • the provision of personal information to recipients using a web-based email account or customer relation management software where data is stored on an overseas server

Data is accessed in accordance with this policy in the following countries:

Australia; India; and Kenya



  • applies to all personal information and sensitive personal information including the personal information of employees and participants applies to all company confidential information – that is any information not publicly available.


  • applies to all representatives including key management personnel, directors, full time workers, part time workers, casual workers, contractors and volunteers.

What makes us successful

“I struggle a lot with trusting and connecting to people, however Zac and the team at ISM have helped me every step of the way to maximise the benefits that I gain from mine and my children’s NDIS plans. Now I wouldn’t let anyone else provide this service to us.”

- A proud mother and customer since 2016.