
Privacy Breaches in NDIS Services: What You Need to Know

In Short

As an NDIS provider, you have strict obligations to protect participant privacy. The Privacy Act 1988 and the NDIS Code of Conduct set out rules on how you collect, use, store, and disclose sensitive information. Breaching privacy can lead to severe financial, legal, and reputational consequences.

Tips for Businesses

Implement strict data protocols to manage participant information, including clear retention policies and a data breach response plan. Ensure only relevant staff have access to sensitive data and train them regularly on privacy best practices. Regularly review your privacy practices to stay compliant with the law.

Summary

This article explains privacy obligations for NDIS providers, covering compliance with the Privacy Act and NDIS Code of Conduct. It outlines how to manage sensitive information, when to share it, and the consequences of privacy breaches. The content is attributed to LegalVision’s business lawyers, a commercial law firm that specialises in advising clients on NDIS compliance and privacy matters.



If you are an NDIS provider, protecting participants’ privacy builds trust with your customers and meets your legal obligations. NDIS participants share sensitive information with you, including their medical history, disability details and daily living needs. If your business breaches that information, you risk financial, legal and reputational consequences. This article explains your privacy obligations as an NDIS provider, when you can share participant information, and what can happen if your business experiences a privacy breach.

Where Your Privacy Responsibilities Come From

NDIS providers have two main sources of privacy obligations:

  • the Privacy Act 1988 (Cth); and 
  • the NDIS Code of Conduct. 

When Does the Privacy Act Apply to You?

The Privacy Act applies to entities with an annual turnover of $3 million or more. The Act also applies to you if your annual turnover is less than $3 million and you:

  • provide health services and hold health information; 
  • buy or sell personal information; 
  • are a service provider under a Commonwealth contract; or
  • are a credit reporting body. 

As most NDIS providers offer health services, you may still have privacy obligations regardless of your turnover.

You must follow specific rules on how you collect, use, store and disclose personal information. You must notify people how you handle their information and when you plan to share it. You must have a privacy policy that is up to date, easy to understand and accessible.

When you provide NDIS services, you handle health information. The law treats this as sensitive information and gives it greater protection, which limits the ways you can collect, use and disclose it.

NDIS Code of Conduct

You must respect the privacy of people with disability, whether you operate as a registered or unregistered NDIS provider. You must have policies, procedures, and training in place to ensure staff protect personal information. You must be aware of participants’ privacy needs and preferences, and deliver services in a way that protects their dignity. This involves considering everyday privacy needs, such as ensuring participants can shower and dress in a private and comfortable place. 

When You Share Client Information

Under both the Australian Privacy Principles and the NDIS Code of Conduct, there are strict limitations on when and how you can share participant information. 

When You Handle Personal Information

When you are providing services, you may need to share personal information with other providers involved in the participant’s care. You may also need to share information with family members. Before you share information, you must consider whether sharing matches the reason you collected it. For example, if a participant asks you to provide transport services, you can collect their address and share it with the driver so they know where to pick up and drop off the participant. This directly supports the service you are providing.

Within your business, you should only allow staff who genuinely need participant information to access it. This will help you manage the risk of unauthorised disclosures of participant information and data breaches. 

When You Handle Sensitive Information 

When you handle sensitive information, such as the participant’s health or disability information, you must take extra care and consider two things:

  • does this disclosure directly relate to the original reason you collected the information; and
  • would the participant expect you to share it this way?

If the answer to either question is no, you will need the participant’s informed consent before sharing. If the participant cannot make decisions about information sharing, you should ask their authorised representative. However, you can share this information without consent if another exception applies, such as a legally required disclosure or an emergency that threatens the participant’s health or safety.


What Happens if You Breach Privacy

A privacy breach occurs when personal information is accessed, shared or lost without authorisation. For example, an employee could leave their laptop unlocked on the train, allowing unauthorised access to participants’ personal information. A breach can also be more severe, such as when a person hacks into your system and leaks participant information.

A privacy breach can have significant consequences for you, both legally and commercially. If a breach is severe, you must notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals.

You can also face substantial financial penalties of up to $660,000. For serious privacy breaches, the maximum penalty is the greater of:

  • $50 million; 
  • three times the value you obtained from the privacy breach; or 
  • 30% of your turnover during the privacy breach period. 

The regulators can require you to take specific actions, such as complying with investigations, attending conferences, taking corrective steps, publishing statements about the conduct and paying compensation to affected individuals. 

The NDIS Commission can take action against you for privacy breaches. This could include compliance notices, banning orders or cancellation of your NDIS registration.

How Can You Strengthen Your Data Practices 

You can reduce the risk of a privacy breach by implementing proper data protocols, that is, written policies for how your business manages data.

You should have documents that set out your:

  • data retention policy; and 
  • data breach response plan.

You should give participant information to only the staff members who are providing services to them. You can manage this by implementing role-based access restrictions and providing staff training. 

Your data retention policy must explain your retention periods for personal information. The law requires you to delete or de-identify personal information once it is no longer required. However, other laws may require you to retain certain medical records, so you must check the requirements carefully.

Your data breach response plan should explain how you will:

  • contain the breach;
  • assess its severity; and 
  • determine when you need to notify authority bodies, such as the OAIC and NDIS Commission. 

When you have this plan in place, it can help you respond to data breaches quickly and reduce the potential consequences of the breach. 


Key Takeaways

You must treat privacy as a core business responsibility. As an NDIS provider, you need to manage personal information with particular care because of the sensitive nature of participant information. By understanding your obligations and the consequences of privacy breaches, you can take action to protect the privacy of participants and other individuals.

For assistance with NDIS privacy compliance, our experienced lawyers can help. LegalVision provides ongoing legal support for businesses through our fixed-fee legal membership. Our experienced NDIS lawyers help businesses manage contracts, employment law, disputes, intellectual property and more, with unlimited access to specialist lawyers for a fixed monthly fee. To learn more about LegalVision’s legal membership, call 1300 544 755 or visit our membership.

Frequently Asked Questions

What should I do if I experience a privacy breach? 

If you experience a data breach, you should act quickly to contain the incident and assess the extent of the breach. You need to determine the information involved, the number of people affected and the potential harm. If the incident is likely to cause serious harm to individuals, you must notify the OAIC and the affected individuals.

Can I share participant information with other service providers? 

You can share a participant’s personal information if sharing directly relates to the reason you collected it or to a closely related purpose the participant would expect. For example, as a support coordinator, you may share participant information with service providers to schedule support and services. If you are sharing sensitive information for a different reason, you will need the participant’s informed consent. However, there are exceptions where disclosure is required by law or necessary to prevent a serious threat to the participant’s health or safety. You should have clear information sharing arrangements with other providers outlining how participant information will be handled and protected.


Mairead Stone

Lawyer

Mairead is a Lawyer in LegalVision’s Commercial team. Mairead studied a Bachelor of Arts (Philosophy) and a Bachelor of Laws at the University of Sydney and is currently undertaking Practical Legal Training at the College of Law.

Qualifications: Bachelor of Laws, Bachelor of Arts, University of Sydney. 

