A word on our Provider Spotlight...
The Provider Spotlight is not intended to be an endorsement of a provider's overall activities, but instead focuses on a particular incident or activity which the Commission believes may be beneficial to share, in the spirit of a community of practice.
On this page, we highlight instances of good practice, which come to the Commission's attention. It demonstrates a provider's approach to meet their obligations and deliver quality and safe supports and services. But, we also acknowledge that there are many and varied approaches a provider may wish to take, depending on the preferences of their participants and the market in which they operate.
Share with us! We invite providers to share approaches and innovations they've taken to amplify the voice of participants and uplift quality and safety. Let us know what you're doing by emailing Communications.
In May 2022, an unauthorised third party gained access to a cloud-based client management system from software and analytics supplier CTARS Pty Ltd (CTARS), used by some NDIS providers. The security breach exposed information, including personal details of NDIS participants.
Following the incident, the NDIS Commission initiated a compliance review to assess impacted providers' response against their obligations for managing information and participant privacy. We also published a Provider Alert with information for providers about preventing and managing data breaches.
Response from Griffith Post School Options
This provider sought legal advice to manage the data breach and clarify their obligations. They reviewed their privacy policy, participant consent form and data breach response plan, to comply with Australian privacy laws and ensure they're prepared should anther data breach occur.
Additionally, the provider: established a team responsible for assessing, reviewing and handling future data breaches; reviewed and updated their IT security measures, including introducing a more robust file backup system and two-factor authentication for some systems; and, arranged cyber-security training for their staff.
Griffith Post School Options also individually notified impacted NDIS participants of their breach, using their preferred communication method. This notification included the public statement issued by CTARS on the breach, the types of information and details which may have been exposed, actions they were taking in response, and contact details for further enquiries. When asked, Griffith Post School Options helped participants understand what information is stored in their CTARS profile and provided a printout of the information.
Griffith Post School Options also posted a news article on their website, as an additional communication.
Finally, Griffith Post School Options maintained regular communication with CTARS, to stay up to date on the breach, and arranged a face-to-face visit to review the functions and security of the CTARS system.
Reflections
The provider delivered a well-considered approach including:
- ensuring strong communications, to keep themselves and participants informed
- taking the opportunity to learn from the experience and strengthen their information management approach.
Our compliance activity in relation to NDIS providers’ response to the CTARS data breach is ongoing. Providers are encouraged to refer to our Provider Alert for information about your obligations and other available resources to support this important area of service provision.