Purpose

This Privacy and Confidentiality Policy establishes the framework through which Our PACC protects personal, sensitive and health information. It reflects Our PACC's commitment to privacy, dignity, human rights, participant choice and control, and responsible governance across all services, systems and digital platforms.

Scope

This policy applies to directors, officers, employees, contractors, volunteers, students, consultants, participants, nominees, guardians, advocates, suppliers and all third parties that collect, access or process information on behalf of Our PACC, including the COMPASS platform.

Policy Objectives

Protect the privacy and confidentiality of all information.

Comply with applicable Commonwealth, State and Territory legislation.

Support NDIS Practice Standards and the NDIS Code of Conduct.

Embed privacy-by-design across systems and services.

Promote participant trust and transparency.

Support secure AI-enabled technologies.

Legislative Framework

Privacy Act 1988 (Cth)

Australian Privacy Principles (APPs)

NDIS Act 2013

NDIS Practice Standards

NDIS Code of Conduct

Notifiable Data Breaches Scheme

Office of the Australian Information Commissioner guidance

Applicable State and Territory privacy, health records and surveillance legislation

Electronic Transactions legislation

Relevant records management obligations

Privacy Principles

Lawfulness

Information will only be collected where lawful and reasonably necessary.

Transparency

Individuals will be informed how their information is managed.

Data Minimisation

Only the minimum information required will be collected.

Accuracy

Reasonable steps will be taken to ensure information is current and accurate.

Security

Information will be protected against unauthorised access, disclosure, alteration and loss.

Accountability

All workforce members are accountable for protecting confidential information.

Definitions

Personal Information: Information about an identified or reasonably identifiable individual.

Sensitive Information: Information such as health, disability, biometric, racial or other information afforded additional legal protection.

Health Information: Information relating to physical, mental or psychological health, disability or treatment.

Confidential Information: Any non-public information obtained through Our PACC's operations.

Consent: A voluntary, informed, current and specific agreement by an individual or authorised representative.

Participant: A person receiving supports or services from Our PACC.

Governance

The Board and Chief Executive Officer are responsible for ensuring appropriate privacy governance. Management must implement operational controls, staff training, monitoring, internal audits and continuous improvement activities.

1. Collection of Personal Information

Our PACC collects only information that is reasonably necessary to deliver safe, high-quality disability supports, meet contractual and legislative obligations, protect participants and workers, and operate the organisation effectively.

Information may be collected directly from participants or authorised representatives, and where permitted by law from the NDIA, health practitioners, hospitals, allied health providers, government agencies, referrers, advocates and other authorised entities.

2. Categories of Information Collected

Identity and contact information

NDIS participant details

Health and medical information

Behaviour support and risk assessments

Service agreements and funding information

Financial and billing records

Incident and complaint records

Photographs and media (where authorised)

Website enquiries and analytics

Employee, volunteer and contractor information

3. Consent

Our PACC seeks informed, voluntary, current and specific consent before collecting, using or disclosing personal information unless another lawful basis applies. Consent may be withdrawn at any time where legally permissible.

Where an individual lacks legal capacity to provide consent, Our PACC will work with the participant, nominee, guardian or other authorised decision-maker in accordance with applicable legislation and NDIS principles.

4. Children's Privacy

Where services are provided to children or young people, information will be managed in accordance with applicable law while recognising the evolving capacity of the child and the important role of parents, guardians and authorised representatives.

5. Supported Decision-Making

Our PACC supports participant choice and control. Workers must maximise opportunities for participants to make their own decisions and provide communication supports where required before relying on substitute decision-makers.

6. Use of Personal Information

Deliver disability supports and services

Develop and review support plans

Meet safeguarding obligations

Manage incidents and complaints

Coordinate with treating professionals

Invoice and administer funding

Meet legal and regulatory obligations

Improve service quality

Operate secure digital systems including COMPASS

7. Disclosure of Personal Information

Information will only be disclosed where authorised by the participant, required by law, necessary to provide services, or reasonably required to protect health, safety or wellbeing.

NDIA

NDIS Quality and Safeguards Commission

Health practitioners

Hospitals

Emergency services

Public Trustee or authorised guardians

Professional advisers

Insurers

Government agencies exercising lawful powers

8. Website Privacy

Our PACC's website may collect limited technical information including IP addresses, browser type, pages visited and cookies to improve website functionality and user experience. Individuals may adjust browser settings to manage cookies.

9. Marketing and Communications

Personal information will not be used for marketing purposes without appropriate authority or consent unless otherwise permitted by law. Images, testimonials and stories will only be published where valid consent has been obtained.

10. Confidentiality Obligations

Every director, employee, contractor, volunteer, student, consultant and temporary worker engaged by Our PACC has a continuing duty to preserve the confidentiality of all personal, sensitive, health and commercial information obtained through their engagement. This obligation continues after employment or engagement ends.

Access information strictly on a need-to-know basis.

Do not discuss participant information in public places.

Do not disclose information to family or friends unless authorised.

Protect passwords and authentication credentials.

Immediately report suspected privacy breaches.

Use only approved devices and systems when handling confidential information.

11. Information Security Framework

Our PACC adopts a defence-in-depth approach to information security through administrative, technical and physical safeguards. Controls are proportionate to the sensitivity of the information being protected and are reviewed regularly.

Role-Based Access Control (RBAC)

Multi-Factor Authentication (MFA)

Strong password standards

Encryption of data where appropriate

Endpoint protection

Audit logging and monitoring

Secure backups

Business continuity and disaster recovery planning

Security awareness training

Periodic internal security reviews

12. COMPASS and Artificial Intelligence Governance

COMPASS is Our PACC's operational platform. AI-enabled functionality may be used to assist with administration, quality improvement, document analysis and workflow automation.

AI will not replace professional judgement or authorised clinical, safeguarding or operational decision-making. Human oversight is mandatory for decisions affecting participants.

AI outputs must be reviewed before reliance.

Access to AI tools is role-based.

Audit logs must be retained.

Only authorised information may be processed.

Privacy-by-Design principles apply to new AI functionality.

13. Cloud Services and Third-Party Providers

Where third-party service providers process information on behalf of Our PACC, appropriate contractual obligations relating to privacy, confidentiality, security and lawful processing must be in place. Providers should be subject to appropriate due diligence and periodic review.

14. Information Classification

Information should be classified according to sensitivity to ensure appropriate handling.

Classification

    Examples

Public

    Published website content

Internal

    Operational procedures

Confidential

    Participant and employee information

Highly Confidential

    Health records, safeguarding matters, legal advice, investigations

15. Records Management and Retention

Records must be retained in accordance with legislative requirements, funding agreements and organisational retention schedules. Records must be securely archived and destroyed when retention periods expire unless subject to a legal hold or investigation.

16. Data Breach Management

All suspected or actual privacy incidents must be reported immediately. Our PACC will assess, contain, investigate and remediate incidents and, where required by law, notify affected individuals and relevant regulators under the Notifiable Data Breaches Scheme.

Identify and contain the incident.

Assess the risk of serious harm.

Notify executive management.

Notify affected individuals where required.

Notify regulators where required.

Implement corrective actions.

Document lessons learned.

17. Privacy Impact Assessments

Privacy Impact Assessments should be undertaken for significant projects involving new technologies, AI capabilities, major system changes or new information sharing arrangements.

18. Participant Privacy Rights

Our PACC recognises every participant's right to privacy, dignity, choice and control. Individuals may request access to their information, seek correction of inaccurate records, withdraw consent where lawful, ask questions about how information is managed, and lodge privacy complaints without fear of reprisal.

Access personal information

Request correction

Receive privacy notices

Choose authorised representatives

Withdraw consent where lawful

Lodge a complaint

19. Privacy Complaints

Privacy complaints will be handled fairly, confidentially and promptly. Complaints should be acknowledged as soon as practicable, investigated objectively and resolved wherever possible.

Receive complaint

Acknowledge receipt

Investigate facts

Implement corrective actions

Provide written outcome

Advise external review options

20. Roles and Responsibilities

Role

    Responsibility

Board

    Oversight of privacy governance and strategic compliance.

Chief Executive Officer

    Ensure implementation and adequate resources.

Privacy Officer

    Manage privacy program, complaints and reporting.

Managers

    Implement policy and supervise compliance.

Workers

    Protect confidentiality and report incidents.

IT/Systems

    Maintain technical security controls.

21. Training and Competency

All workforce members must complete privacy and confidentiality training at commencement and thereafter at regular intervals. Additional training will be provided following legislative changes, significant incidents or introduction of new technologies.

22. Monitoring and Audit

Compliance with this policy will be monitored through internal audits, access log reviews, incident trend analysis, workforce training records, risk assessments and management review. Findings will support continual improvement.

23. Related Governance Documents

Consent Policy

Information Security Policy

Cyber Security Framework

Records Management Policy

Incident Management Policy

AI Governance Framework

Code of Conduct

Risk Management Framework

24. Policy Review

This policy will be reviewed at least annually, following significant legislative amendments, major organisational change, material privacy incidents, or implementation of new technologies affecting personal information.

25. Document Control

Document Owner

    Chief Executive Officer / Privacy Officer

Approved By

    Director

Review Frequency

    Annual

Classification

    Public

Version

    1.0 Draft

Next Review

    July 2027 or earlier

26. Approval

This policy becomes effective upon formal approval by the Board of Our PACC and supersedes previous public privacy and confidentiality policies from the effective date.