Certain businesses in Australia are required to comply with the Australian Privacy Principles (APPs), as established by the Privacy Act. This includes businesses that provide health services or otherwise hold health information. If you are an NDIS provider, you will likely hold health information about your participants. Therefore, you are an “APP entity” and must comply with the APPs. As an NDIS provider, it is essential you understand and comply with your obligations under the Privacy Act.
In addition to the Privacy Act, you may be captured by different state and territory health records laws. This article outlines the key privacy considerations to be aware of when handling the personal information of an NDIS client (including sensitive and health information).
What is Personal Information?
In Australia, any information or opinion about an identified or reasonably identifiable individual is considered personal information. Personal information is afforded protection under Australia’s privacy laws.
What is Sensitive Information?
Sensitive information is a subset of personal information. Due to its sensitive nature, it is afforded extra protection under privacy laws. As an NDIS provider, you will likely collect sensitive information in the course of providing your services.
Sensitive information includes information such as racial or ethnic origin or religious beliefs, which you may collect in your intake forms. For example, some NDIS providers collect this information for the purpose of appointing a support worker from the same or similar background as the participant.
What is Health Information?
As an NDIS provider, you likely collect or hold health information about participants, which you either collect directly or receive from:
- the NDIS;
- referring doctors; or
- other allied health professionals.
Health information is a subset of sensitive information. It includes information or opinions about someone’s health, such as:
- consultation notes;
- patient records;
- prescriptions; or
- information about an individual’s NDIS plan.
What Are My Privacy Obligations As An NDIS Provider?
Let us explore your privacy obligations as an NDIS provider.
1. Only Collect Information That is Reasonably Necessary to Provide Services
You should only collect personal information if it is reasonably necessary to provide your services to participants. Accordingly, you should review your intake forms and consider whether the questions you are asking and the documents you are collecting are necessary before requiring your participants to disclose their personal (or sensitive) information to you.
2. Be Transparent About the Reason For Collecting Personal Information
Before, or at the time, you collect personal information, you should notify participants of:
- your business name and contact details;
- the facts and circumstances of the particular collection;
- whether the collection is required or authorised by law;
- why you are collecting the personal information;
- the consequences of not collecting the personal information;
- who you might share the personal information with, such as the NDIS, support workers, or allied health professionals you might be liaising with to support the participant;
- information about where the participant can find your privacy policy; and
- whether you are likely to disclose personal information overseas.
3. Be Mindful of Your Use and Disclosure of Personal Information
A business should only use and disclose personal information for the primary purpose it was collected. If you want to use information you have collected for another purpose, you must receive consent from the participant to do so. For example, suppose a participant shares their information for the purposes of receiving particular support from you. In this case, you should not share that information with another service provider in relation to other supports without first receiving the consent of the participant to do so.
4. Enforce and Maintain Good Security Practices
As the holder of personal information (including sensitive health information), you must take the security of the information in your possession seriously. You are under an obligation to ensure unauthorised people do not have access to the information. This also includes a responsibility to mitigate the risks of a data breach.
You can mitigate these risks by doing the following:
- restricting access to your systems;
- implementing multi-factor authentication;
- using a reputable firewall; and
- ensuring that any records are destroyed or de-identified after you no longer need that information to provide your services.
The obligation to destroy or de-identify is, of course, subject to any record-keeping obligations you have under the law.
Health Records Acts
The Australian Capital Territory, New South Wales and Victoria all have specific health records laws that stipulate, among other things, fees, retention and access to health records. The health record laws will likely cover you if you provide a disability service that involves the making or keeping of health information.
See the table below for the differences between the health records acts in the different jurisdictions.
| | ACT | NSW | VIC |
|---|---|---|---|
| Charging fees for access to health records | You can charge patients an administrative fee for accessing their health records. | You can charge patients an administrative fee for accessing their health records. | You can charge patients an administrative fee for accessing their health records. The fees are set by regulation and updated each year. |
| Time to complete requests | You must reply within 30 days from receiving the request. | You must reply within 45 days from receiving the request. | You must reply within 45 days from receiving the request. |
| Correcting a health record | Must ensure the health record is up to date and accurate. Must retain a written statement of consumer-made corrections that are refused. Must keep a record of incorrect information, but make this inaccessible to the treating practitioner or team. | Must ensure the health record is up to date and accurate. Must retain a written statement of consumer-made corrections that are refused, if the consumer requests it. | Must ensure the health record is up to date and accurate. Must retain a written statement of consumer-made corrections that are refused, if the consumer requests it. Must keep a record of incorrect information, but make this inaccessible to the treating practitioner or team. |
| Retention requirements | For those 18 and over, for 7 years after the day a service was last provided. For those under 18, until the day the consumer turns 25 years old. | For those 18 and over, for 7 years after the day a service was last provided. For those under 18, until the day the consumer turns 25 years old. | For those 18 and over, for 7 years after the day a service was last provided. For those under 18, until the day the consumer turns 25 years old. |
Key Takeaways
As an NDIS provider, you have access to much of your participants’ personal and sensitive health information. Failure to comply with privacy laws may come with reputational risks to your business. Beyond reputational risks, you risk being investigated by the privacy commissioner, who is responsible for enforcing privacy laws. If you are found to be in breach, you can face serious penalties.
As an NDIS provider, you must comply with your obligations under privacy laws when collecting, using and disclosing the personal and sensitive information of your participants. If you require assistance in understanding your privacy obligations, our experienced NDIS lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.