1. About this policy
The NDIS Quality and Safeguards Commission (NDIS Commission) must comply with the Australian Privacy Principles (APPs) contained in Schedule 1 of the Privacy Act 1988 (Cth) (Privacy Act). The APPs set out standards, rights and obligations around personal information. The NDIS Commission also has privacy obligations under the Privacy (Australian Government Agencies - Governance) APP Code 2017 (Privacy Code).
The NDIS Commission will update this Privacy policy when its personal information handling practices change. Updates made to this policy are made accessible on the NDIS Commission website.
Purpose
The NDIS Commission recognises the importance of protecting personal information entrusted to us by NDIS participants, their nominees/representatives, sector workers and other members of the public. Information provided to the NDIS Commission, including personal information, assists the NDIS Commission to exercise its powers and functions as a regulator and to maintain robust sector oversight.
This Privacy policy provides information about how the NDIS Commission collects, uses, discloses and holds personal information and how individuals may access and correct the personal information we hold about them.
The Privacy policy applies to:
- personal information collected, used, disclosed and stored by the NDIS Commission, and
- all NDIS Commission staff, including contractors and consultants engaged by the NDIS Commission.
This policy does not cover non-personal information management related to:
- a body corporate/politic or business record
- data retention or integration practices, or
- cybersecurity measures.
Other legislation
In addition to our obligations under the Privacy Act, the NDIS Commission must also handle 'protected Commission information' in accordance with the secrecy provisions in the National Disability Insurance Scheme Act 2013 (Cth) (NDIS Act). Generally, all personal information held by the NDIS Commission falls within the definition of 'protected Commission information.'
Unauthorised use and disclosure of protected Commission information by any person is a criminal offence under the NDIS Act. The NDIS Commission also requires its contracted service providers to comply with these legal requirements.
2. What information we collect
The NDIS Commission only collects personal information to exercise and perform its functions under the NDIS Act. As the regulator of the NDIS, some of the NDIS Commission’s core functions include:
- provider registration
- complaints
- reportable incidents
- engagement, education and communications
- compliance and enforcement
- worker screening
- market and regulatory oversight and risk
The personal information we collect is reasonably necessary for, or directly related to, our functions or activities, or is collected when we are required to do so by law. We collect personal information:
- when you apply for registration as an NDIS provider
- during compliance and enforcement activities or investigations
- when receiving and assessing complaints
- when you request access to resources, training and education sessions, or ask to be placed on a mailing list
- when consulting with stakeholders, carrying out data analytics and sector research
- when you apply to be a behaviour support practitioner
- when performing recruitment and employment processes, and engaging contractors and service providers
- when providing subscription services or information access under the Freedom of Information Act 1982 (Cth) (FOI Act)
Personal information
Personal information is information or an opinion about an identified individual or an individual who is reasonably identifiable. The types of personal information we collect vary depending on what we need to perform our functions and activities and may include:
- contact details (such as your name, address, email and telephone numbers)
- biographical data (such as your date of birth (DOB) and gender)
- employment status and history (such as previous employment, work history, referee comments, remuneration)
- education status
- financial information (such as bank details, payment details, and information about business and financial interests)
- government identifiers (such as Centrelink and Medicare Reference Numbers, Tax File Number)
- information about your family and other related persons (such as any partners, children, dependants, carers or nominees or authorised representatives)
- information about your personal circumstances (e.g. marital status, age, gender, occupation)
- feedback, complaints or application related information
- information about the supports and services you have provided to NDIS participants and how you provided those supports and services
Sensitive information
We may collect sensitive information about you if you consent and the collection is reasonably necessary for, or directly related to, one or more of our functions or activities, or the collection is required or authorised by law. The sensitive information we may collect includes:
- cultural and linguistic background (including languages you speak)
- health and disability information
- information about supports and services you receive under the National Disability Insurance Scheme (NDIS)
- criminal history
- biometrics (including photographs and video recordings)
- your identity (e.g. date of birth, country of birth, passport details, visa details, drivers’ licence, birth certificates, ATM cards)
3. How we collect information
The NDIS Commission collects personal information through various means, including paper and electronic forms, online portals, written correspondence, face-to-face discussions and telephone discussions. If it is reasonable and practical to do so, we will collect personal information directly from you or your authorised representatives.
We may also obtain your personal information collected by other Commonwealth agencies, State or Territory government bodies, other organisations, members of the public or publicly available sources for the purposes of fulfilling our regulatory functions such as:
- considering and determining the outcome of an application to be a registered NDIS provider
- responding to reportable incidents, behaviour support services or handling complaints made to us
- monitoring or investigating an NDIS provider’s or worker’s compliance with the NDIS Act, Rules and Code of Conduct
- taking compliance and enforcement action
- assessing applications for employment with the NDIS Commission and associated employment matters (including security and pre-employment integrity checks)
- assessing applications to participate in any NDIS Commission funded programs and initiatives
- managing contracts and funding agreements, or
- undertaking other regulatory action under the NDIS Act and the NDIS Rules.
We only collect personal information from third parties where:
- you have consented
- we are required or authorised by law to do so, or
- it would be unreasonable or impracticable to collect the personal information from you – for example, where notification could jeopardise an ongoing investigation.
When your personal information is collected, we will take reasonable steps to inform you why the information is collected and how it will be handled. For specific activities we include a privacy collection notice, either on our paper-based forms or in our online portals, that describes why the information is being collected and to whom it may be disclosed.
We may also collect information through our website and online media services, such as Facebook (Meta), Google, YouTube and survey systems to improve our website and receive feedback from the community.
4. Anonymity and pseudonymity
Generally, individuals can choose to remain anonymous or adopt a pseudonym (a name, term or descriptor that is different to your actual name) when dealing with the NDIS Commission. However, in certain circumstances this might not be feasible – for example, where we need an individual’s name and address to register them as an NDIS provider.
We will inform you if you are not able to remain anonymous or use a pseudonym when dealing with us or if your anonymity may impact our engagement with you.
5. How we store and secure personal information
The NDIS Commission stores personal information in a variety of formats including, but not limited to:
- hard copy files
- databases
- NDIS Commission issued devices (e.g. laptops, mobile phones, computers)
- third party storage providers such as cloud storage facilities
We take reasonable steps to protect your personal information against misuse, interference, and loss, as well as from unauthorised access, modification or disclosure. These steps include:
- storing records securely as per Australian government security guidelines
- only accessing personal information on a need-to-know basis and by authorised personnel
- monitoring system access, which is only possible using authenticated credentials
- regularly updating and auditing our storage and data security systems
- ensuring access to our buildings is secure at all times
- undertaking due diligence with respect to third party service providers who may have access to personal information to ensure (as far as practicable) compliance with the APPs
- ensuring destruction, deletion or de-identification of personal information we hold that is no longer required to be retained under the Archives Act 1983 (Cth) or any other applicable laws.
Shared services
The NDIS Commission works closely with the Department of Social Services (DSS), which provides shared information technology services. This means that some of the personal information we hold is also stored on DSS systems. DSS is also subject to the Privacy Act and must manage information in accordance with its statutory obligations.
6. Responding to data breaches
The NDIS Commission will take appropriate, prompt action including reporting to the Office of the Australian Information Commissioner (OAIC) if an eligible data breach occurs and personal information we hold is subject to unauthorised modification, loss, use or disclosure.
If we suspect that unlawful disclosure, access or loss has occurred, the NDIS Commission will undertake an assessment and take the necessary steps to contain the breach and minimise the potential risk of harm. The NDIS Commission will determine whether an ‘eligible data breach’ has occurred within 30 days of being informed of the potential breach, and will notify the OAIC and affected persons in accordance with our Data Breach Response Plan.
7. Use and disclosure of personal information
Use of personal information
The NDIS Commission uses personal information to exercise its powers or perform its functions and duties, undertake research, analytics, improvements and reporting related to its functions, as well as to progress employment opportunities.
The NDIS Commission will generally only use or disclose personal information for the purpose for which it is collected (primary purpose). Personal information may be used or disclosed for another purpose (secondary purpose), if one of the following applies:
- you have consented to the use or disclosure
- you would reasonably expect us to use or disclose the personal information for the secondary purpose because the secondary purpose is related to the primary purpose for which it was collected (or if it is sensitive information, it is directly related to the primary purpose)
- we are required or authorised by law to use or disclose the personal information
- a permitted general situation exists in relation to the use or disclosure—including where we reasonably believe that using or disclosing the information is necessary to:
  - lessen or prevent a serious threat to the life, health or safety of any individual or to public health or safety
  - take appropriate action in relation to suspected unlawful activity or serious misconduct
  - establish, exercise, or defend a legal or equitable claim
- we reasonably believe the use or disclosure is necessary for our compliance or enforcement activities.
The NDIS Commission is required or authorised to collect, use or disclose personal information by a variety of laws including, though not limited to:
- NDIS Act
- Regulatory Powers Act 2014
- Public Governance, Performance and Accountability Act 2013
- Administrative Decisions (Judicial Review) Act 1977
- Public Interest Disclosure Act 2013
- Corporations Act 2001
If we collect personal information in the course of carrying out one of our functions and the information is relevant to another of our regulatory functions, generally we use the personal information for the related function.
Disclosure of personal information
The NDIS Commission may disclose personal information to other agencies/bodies where the disclosure is directly related to, or reasonably necessary for, its functions, including to:
- lawyers and other service providers who we engage to assist us with our functions
- other Commonwealth Government agencies (such as the NDIA, and other agencies who are involved in the Fraud Fusion Taskforce)
- law enforcement bodies (including State and Territory Police and Australian Federal Police)
- State and Territory Government agencies, Coroners and regulators with a role that has a connection with NDIS supports and services
- responsible Ministers and Parliamentary committees exercising their oversight functions
- the Australian Government Security Vetting Agency or any other vetting providers that we engage to conduct security or vetting assessments on our behalf
- the public, if the personal information is required to be published on a public register, in the Government gazette or on our website (such as information published on the NDIS Provider Register)
- referees and former employers to verify qualifications and experience when assessing certain applications
- any Royal Commission whose terms of reference concern supports or services to NDIS participants.
- applicants under the FOI Act, or Accredited Users and Accredited Data Service Providers who apply for access to NDIS Commission data under the Data Availability and Transparency Act 2022.
The NDIS Commission may also use and disclose your personal information to better inform our provider suitability process. For more information, see the Fraud page on the NDIS Quality and Safeguards Commission website.
8. Disclosure of personal information to overseas recipients
The NDIS Commission may disclose personal information about an individual to an overseas recipient in the course of performing our functions and activities – for example, in relation to a law enforcement matter (such as a criminal investigation), or to third-party service providers located overseas who assist us to conduct surveys or research, or who use cloud services with servers outside Australia.
Other countries we may disclose information to include the United States, Hong Kong, New Zealand, the United Kingdom and Singapore. We will not disclose personal information to an overseas recipient without express or implied consent, unless otherwise permitted by APP 8 Cross-border disclosure of personal information.
9. Quality, access, and correction
The NDIS Commission takes reasonable steps to ensure that the personal information we hold is accurate, up to date, relevant and complete, including at the time of using or disclosing the information.
Under the Privacy Act an individual is able to seek access to their personal information and request correction if the information is inaccurate, outdated, incomplete, irrelevant or misleading. Generally, an application under the Privacy Act for access will be acknowledged within 30 days from the date that we receive it.
In processing access requests, we may refuse access or correction of personal information where there are valid reasons to do so under the Privacy Act, the FOI Act or other applicable law – for example, where access is unlawful under a secrecy provision in portfolio legislation, or where the personal information held is an opinion and not an objective fact. We will provide reasons for our decision and set out how to request a review if you do not agree with our assessment.
To access or seek correction of personal information we hold about you, please contact us using the contact details set out at section 12 of this Privacy Policy.
It is also possible to access and correct documents held by the NDIS Commission under the FOI Act. For information on this, please visit our FOI page.
10. Online interactions
Our website
When you visit the NDIS Commission website, a record of your visit is made which may include information about:
- your browser, domain name and operating system
- date and time of access and downloaded documents, and
- if you have accessed our website via a linked/referring webpage.
We use this information for statistical analysis and systems administration. We do not use the information to identify individuals or their browsing activities. However, in some circumstances the NDIS Commission may need to do so, where it is required or authorised by law to disclose this information.
The NDIS Commission also uses Google Analytics, a web analysis service provided by Google Inc. (‘Google’). All the information we collect using Google Analytics is for internal purposes and does not allow an individual to be identified.
Cookies
The NDIS Commission may use cookies to maintain contact with a user during a website session and to remember settings, preferences, or activity across multiple sessions. A cookie is a small file that is placed on your computer by your web browser.
Cookies allow the NDIS Commission’s website to offer consistent experiences across multiple sessions, to recognise a returning browser, and to track usage patterns as users navigate the site. This enables the NDIS Commission to collect aggregated information about how the website is used, such as the pages visited, the average time spent on each page, and the number of visitors.
Third party websites
Our website contains links to third party websites and social media platforms – for example, Facebook, LinkedIn and third-party survey providers. These websites may use web measurement tools, customisation technologies and persistent cookies to inform services.
The NDIS Commission does not use or share personal information made available through social media platforms, including Facebook, LinkedIn and YouTube.
We are not responsible for the privacy practices or the content of websites maintained by third parties. Website functionality of third parties may capture and store your personal information outside Australia. Some third parties are not subject to the Privacy Act, and we encourage you to consult the privacy policies of other sites for information about their policies and practices.
Email addresses
The NDIS Commission records your email address if you send us an email or provide this on a form. It will only be used or disclosed in accordance with our obligations under the Privacy Act. We do not add email addresses to our automatic mailing list unless you request us to do so.
Electronic newsletters or subscriptions
To subscribe to our newsletter or other training services you must provide a valid email address. When we send you an electronic newsletter or you attend one of our education sessions, we have access to data about whether you opened that newsletter or attended an online event. These details will only be used or disclosed in accordance with our obligations under the Privacy Act, and your email address will not be added to any other mailing lists unless you specifically ask us to.
11. Feedback and complaints
How to contact the NDIS Commission
If you have feedback about our privacy practices or believe that the NDIS Commission has used your personal or sensitive information in a way that is not consistent with this policy, the Privacy Act, the APPs or the Privacy Code, you can contact us using the details set out at section 12 of this Privacy Policy.
We deal with complaints in accordance with our Feedback and Complaints Policy and we may seek further information in order to provide a full and complete response. We are committed to a fair and impartial resolution of any complaints without reprisal.
If you are not satisfied with our response, you may refer the complaint to the OAIC.
How to complain to the OAIC
You can contact the OAIC if you wish to make a privacy complaint against the NDIS Commission, or if you are not satisfied with how we have handled a complaint made to us in the first instance.
The OAIC website contains information on how to make a privacy complaint. If you make a complaint directly to the OAIC rather than to the NDIS Commission, the OAIC may recommend you try to resolve the complaint directly with the NDIS Commission in the first instance.
12. How to contact us
Request a copy of the Privacy policy, submit a query or make a complaint
If you would like to request a copy of the Privacy policy, or have a query or privacy complaint, contact the NDIS Commission using the contact details below.
For information about how you can access or seek correction of your personal information, please contact the NDIS Commission via:
- Email: privacy@ndiscommission.gov.au
- Telephone: 1800 035 544 (request to be transferred to a Privacy Officer)
- Post: NDIS Commission Privacy, PO Box 210, Penrith NSW 2750
Contact details for freedom of information requests
Access to some information that we hold may require a formal request under the FOI Act. FOI applications and queries should be made to:
- Email: foi@ndiscommission.gov.au
- Post: NDIS Commission Feedback, PO Box 210, Penrith NSW 2750.
13. Protected Commission information - obligations under the NDIS Act
In addition to being familiar with their obligations under the Privacy Act and specifically under the APPs, staff should also be aware of their responsibilities under Division 2 of Part 2 of Chapter 4 of the National Disability Insurance Scheme Act 2013 (Cth) (NDIS Act). This Division deals with protected NDIS Commission information, as defined by section 9 of the NDIS Act, and sets out the general limitations on the use and disclosure of protected Commission information. Generally, all personal information held by the NDIS Commission falls within the broader definition of protected Commission information.
Sections 67B – 67D of the NDIS Act include criminal offence provisions relating to the unauthorised use or disclosure of protected Commission information and for soliciting disclosure or offering to supply protected Commission information.
The NDIS Commission may conduct audits to ensure NDIS Commission staff comply with their obligations in relation to protected Commission information.
14. Key appointments and roles
Privacy Champion
The Director of the Privacy team is the Privacy Champion for the NDIS Commission, and is responsible for:
- promoting a culture of privacy within the NDIS Commission that values and protects personal information
- providing leadership within the NDIS Commission on broader strategic privacy issues
- reviewing and/or approving our privacy management plan and documented reviews of our progress against the plan, and
- providing regular reports to the executive, including about any privacy issues arising from our handling of personal information.
Privacy Officers
The Assistant Directors and Senior Review Officers of the team are the Privacy Officers for the NDIS Commission. This role is responsible for:
- handling internal and external privacy enquiries, privacy complaints, and requests for access to and correction of personal information made under the Privacy Act
- maintaining a record of our personal information holdings
- assisting with the preparation of privacy impact assessments conducted under section 12 of the Privacy Code
- maintaining a register of privacy impact assessments as required by section 15 of the Privacy Code, and
- measuring and documenting our performance against the privacy management plan at least annually as required by section 9 of the Privacy Code.
Privacy impact assessments
The NDIS Commission completes a privacy impact assessment (PIA) for all projects that might have a significant change to how we handle personal information, or a significant impact on the privacy of individuals. Our PIA Register can be accessed here.
Further information
For more information about our privacy practices, contact our Privacy Champion or Privacy Officers of the Internal Integrity Unit at internalintegrity@ndiscommission.gov.au.
15. Staff responsibilities
All staff have responsibilities under the Privacy Code and the Privacy Act to:
- undertake privacy education or training when provided by the NDIS Commission
- familiarise themselves with this Privacy Policy, and the APPs
- for staff in leadership positions, take positive steps to ensure that staff they supervise comply with their privacy-related responsibilities
- ensure personal information is lawfully collected and recorded, and only used or disclosed appropriately, in accordance with all legal obligations
- ensure personal information we hold is relevant, accurate and up to date, stored and archived in accordance with records management obligations and, if it is no longer relevant or necessary to be held, that it is appropriately disposed of or de-identified, and
- ensure contracted service providers are contractually bound to comply with relevant law and policies, including the Privacy Act, the NDIS Act, and this Privacy Policy, through appropriate contractual provisions.
16. Further information
Privacy guidance
For further information about our privacy practices, contact either the Privacy Champion or Privacy Officers of the Assurance – Privacy Team at privacy@ndiscommission.gov.au.
The Privacy Act is accessible at Privacy Act 1988 (Cth)
The Privacy Code is accessible at Privacy (Australian Government Agencies - Governance) APP Code 2017
Extensive guidance from the Office of the Australian Information Commissioner is available at Privacy
The NDIS Act is accessible at National Disability Insurance Scheme Act 2013 (Cth)