Privacy Policy

Privacy policy

1. Introduction

The Commissioner of the NDIS Quality and Safeguards Commission (the NDIS Commissioner) has responsibility for a number of functions that are set out in sections 181D to 181H of the National Disability Insurance Scheme Act 2013 (the NDIS Act).
The NDIS Commissioner’s functions are to:

• Uphold the rights of, and promote the health, safety and wellbeing of, people with disability receiving supports or services, including those received under the National Disability Insurance Scheme (NDIS);
• Develop a nationally consistent approach to managing quality and safeguards for people with disability receiving supports or services, including those received under the NDIS;
• Promote the provision of advice, information, education and training to NDIS providers and people with disability;
• Secure compliance with the NDIS Act through effective compliance and enforcement arrangements;
• Promote continuous improvement amongst NDIS providers and delivery of progressively higher standards of supports and services to people with disability;
• Develop and oversee the broad policy design for a nationally consistent framework relating to the screening of workers involved in the provision of services and supports to people with disability;
• Provide advice or recommendations to the National Disability Insurance Scheme Launch Transition Agency (the Agency) and the Board of the Agency (the Board) in relation to the performance of the Agency’s functions;
• Engage in, promote and coordinate the sharing of information to achieve the objective of the NDIS Act; and
• Provide NDIS market oversight, including
  1. by monitoring changes in the NDIS market that may indicate emerging risk; and
  2. by monitoring and mitigating the risks of unplanned service withdrawal.

1.1 Who should read this Privacy Policy?

You should read this policy if you are:

• an individual whose personal information may be given to or held by the NDIS Quality and Safeguards Commission (the NDIS Commission);
• a contractor, consultant, supplier or vendor of goods or services to the NDIS Commission;
• a person seeking employment with the NDIS Commission; and
• a person who is or was employed by the NDIS Commission.

1.2 The Privacy Act 1988

The Privacy Act 1988 (the Privacy Act) regulates how federal public sector agencies and certain private sector organisations can collect, hold, use and disclose personal information, and how you can access and correct that information. Personal information is information in any form that can identify a living person.

The Privacy Act applies only to information about individuals, not to information about corporate entities such as businesses, firms or trusts.

Detailed information on the Privacy Act is found on the Office of the Australian Information Commissioner (‘OAIC’) website.

1.3 The NDIS Commission and privacy

This Privacy Policy sets out how the NDIS Commission complies with the Privacy Act. In performing its functions, the NDIS Commission may collect, hold, use or disclose your personal information. The NDIS Commission takes privacy seriously and will only collect, hold, use and disclose your personal information in accordance with the Privacy Act. If the NDIS Commission does not receive personal information about you, the Privacy Act will not apply.

1.4 Remaining anonymous or using a pseudonym

The NDIS Commission understands that anonymity is an important element of privacy and some members of the public may wish to be anonymous when interacting with the NDIS Commission. The NDIS Commission also understands some members of the public may wish to use a pseudonym. Generally, members of the public will have the right to remain anonymous or adopt a pseudonym when dealing with the NDIS Commission. However, it is not always possible to remain anonymous or adopt a pseudonym and the NDIS Commission will inform you when this is the case.

1.5 Information covered under this Privacy Policy

This Privacy Policy covers how the NDIS Commission collects, holds, uses and discloses your personal information, including any financial information you provide to the NDIS Commission. This Policy applies to all personal information collected by the NDIS Commission, including personal information collected through our social media websites and from service providers funded to provide services for the NDIS Commission.

1.6 Information held by contractors

Under the Privacy Act, the NDIS Commission is required to take contractual measures to ensure contracted service providers (including sub-contractors) comply with the same privacy requirements applicable to the NDIS Commission.

2. The NDIS Commission’s personal information handling practices

2.1 Collection of personal information

The NDIS Commission may collect personal information about you from you, your representative or a third party. We generally use forms, online portals and other electronic or paper correspondence to collect this information. The NDIS Commission or people acting on its behalf (e.g. contracted service providers) may collect information directly. The NDIS Commission may also obtain personal information collected by other Commonwealth agencies, State or Territory government bodies, or other organisations. From time to time, the NDIS Commission may receive personal information from members of the public without it being requested.

The NDIS Commission collects and holds a broad range of personal information in records relating to:

• employment and personnel matters for NDIS Commission staff and contractors (including security assessments)
• the performance of the NDIS Commission’s legislative and administrative functions
• individuals participating in the National Disability Insurance Scheme (NDIS)
• registered NDIS providers
• staff of NDIS providers
• individuals participating in any NDIS Commission funded programs and initiatives
• the management of contracts and funding agreements
• the management of fraud and compliance investigations
• the management of audits (both internal and external)
• correspondence from members of the public to the NDIS Commission and the Minister of the Department of Social Services
• complaints (including privacy complaints) made and feedback provided to the NDIS Commission
• requests made to the NDIS Commission under the Freedom of Information Act 1982 (Cth)
• the provision of legal advice by internal and external lawyers.

The NDIS Commission will not ask you for any personal information which we do not need. The Privacy Act requires that we collect information for a purpose that is reasonably necessary for, or directly related to, a function or activity of the NDIS Commission.

When the NDIS Commission collects personal information, we are required by the Privacy Act to notify you of a number of matters. These include the purposes for which we collect the information, whether the collection is required or authorised by law and any person or body to whom we usually disclose the information. The NDIS Commission generally provides this notification by having Privacy Notices on our paper-based forms and online portals.

2.2 The NDIS Act also protects personal information

The secrecy provisions in the NDIS Act also protects personal information collected by the NDIS Commission. These provisions set out rules for the collection, use and disclosure of this information. These rules operate together with the rules in the Privacy Act.

2.3 Kinds of personal information collected and held

In performing its functions, the NDIS Commission collects and holds the following kinds of personal information (which will vary depending on the context of the collection):

• name, address and contact details (e.g. phone, email and fax)
• photographs, video recordings and audio recordings of you
• information about your personal circumstances (e.g. marital status, age, gender, occupation, accommodation and relevant information about your partner or children)
• information about your financial affairs (e.g. payment details, bank account details and information about business and financial interests)
• information about your identity (e.g. date of birth, country of birth, passport details, visa details, drivers licence, birth certificates, ATM cards)
• information about your employment (e.g. work history, referee comments, remuneration)
• information about your background (e.g. educational qualifications, the languages you speak and your English proficiency)
• government identifiers (e.g. Centrelink Reference Number or Tax File Number) and
• information about assistance provided to you under the NDIS.

On occasions, the NDIS Commission may collect or hold some sensitive information about you, including information about:

• your racial or ethnic origin;
• your health (including information about your medical history and any disability or injury you may have);
• Information about the supports or services you receive, including supports or services you receive or have received under the NDIS and information about the people who provide those supports or services to you; and
• any criminal record you may have.

2.4 How the NDIS Commission collects and holds personal information

The NDIS Commission collects personal information through a variety of different methods including:

• paper-based forms
• electronic forms (including online forms)
• face to face meetings
• telephone communications
• email communications
• communications by fax
• the NDIS Commission’s website; and
• the NDIS Commission’s social media websites and accounts.

The NDIS Commission holds personal information in a range of paper-based and electronic records. Storage of personal information (and the disposal of information when no longer required) is managed in accordance with the Australian Government records management regime, including the Archives Act 1983, Records Authorities and General Disposal Authorities. This ensures that we hold your personal information securely.

2.5 Purposes for which personal information is collected, held, used and disclosed

The NDIS Commission collects and holds personal information for a variety of different purposes relating to its functions and activities including:

• performing its employment and personnel functions in relation to its staff and contractors
• performing its legislative and administrative functions
• policy development, research and evaluation
• complaints handling
• contract management and
• management of correspondence with the public.

The NDIS Commission uses and discloses personal information for the primary purposes for which it is collected. We will give you information about the primary purpose of collection at the time the information is collected. The NDIS Commission will only use your personal information for secondary purposes where it is able to do so in accordance with the Privacy Act, for example, where disclosure is required or authorised by the National Disability Insurance Scheme Act 2013. The NDIS Commission may disclose personal information collected and held by it to other relevant parties, including other Commonwealth, state or territory agencies, regulatory bodies or professional associations, where we have your consent or where the NDIS Commission is otherwise legally able or required to do so. 

2.6 How to seek access to and correction of personal information

You have a right under the Privacy Act to access personal information held about you. You also have a right under the Privacy Act to request corrections to any personal information that the NDIS Commission holds about you if you think the information is inaccurate, out-of-date, incomplete, irrelevant, or misleading. However, the Privacy Act sets out circumstances in which the NDIS Commission may decline access to or correction of personal information (e.g. where access is unlawful under a secrecy provision in portfolio legislation, or where the personal information held is an opinion and not an objective fact).

To access or seek correction of personal information we hold about you, please contact us using the contact details set out at section 5.1 of this Policy. It is also possible to access and correct documents held by the NDIS Commission under the Freedom of Information Act 1982 (the FOI Act). For information on this, please visit our FOI page.

2.7 Accidental or unauthorised disclosure of personal information

The NDIS Commission will take seriously and deal promptly with any accidental or unauthorised disclosure of personal information. The NDIS Commission follows the OAIC’s Data breach notification — A guide to handling personal information security breaches when handling accidental or unauthorised disclosures of personal information. Legislative or administrative sanctions, including criminal sanctions, may apply to unauthorised disclosures of personal information.

2.8 Data security

Access to personal information held within the NDIS Commission is restricted to authorised persons who are NDIS Commission staff or contractors. Electronic and paper records containing personal information are protected in accordance with Australian Government security policies.
The NDIS Commission regularly conducts audits to ensure we adhere to our protective and computer security policies.

2.9 Our website

This website is managed internally by the Department of Social Services. Generally DSS only collects personal information from its website where a person chooses to provide that information. If you visit our website to read or download information, DSS records a range of technical information which does not reveal your identity. This information includes your IP or server address, your general locality and the date and time of your visit to the website. This information is used for statistical and development purposes. No attempt is made to identify you through your browsing other than in exceptional circumstances, such as an investigation into the improper use of the website.

Some functionality of the DSS website is not run by DSS and third parties may capture and store your personal information outside Australia. These third parties include (but are not limited to) Facebook, YouTube, MailChimp, SurveyMonkey, Twitter and Google and may not be subject to the Privacy Act. DSS is not responsible for the privacy practices of these third parties and encourages you to examine each website's privacy policies and make your own decisions regarding their reliability.

The DSS website contains links to other websites. DSS is not responsible for the content and privacy practices of other websites and encourages you to examine each website's privacy policies and make your own decisions regarding the reliability of material and information found.

2.10 Cookies

Cookies are used to maintain contact with a user through a website session. A cookie is a small file supplied by the NDIS Commission and stored by your web browser software on your computer when you access the NDIS Commission website. Cookies allow the NDIS Commission to recognise an individual web user, as they browse the NDIS Commission website.

2.11 Electronic communication

There are inherent risks associated with the transmission of information over the Internet, including via email. You should be aware of this when sending personal information to us by email or by using the NDIS Commission website. If this concerns you, you may prefer to use other methods of communication with the NDIS Commission, such as post, fax, or phone (although these methods have associated risks). The NDIS Commission only records email addresses when a person sends a message or subscribes to a mailing list. Any personal information provided, including email addresses, will only be used or disclosed for the purpose for which it was provided.

2.12 Disclosure of personal information overseas

On occasions, the NDIS Commission may disclose personal information to recipients who are overseas. The situations in which the NDIS Commission may transfer personal information overseas include:

• the provision of personal information to overseas researchers or consultants (where consent has been given for this or the NDIS Commission is otherwise legally able to provide this information);
• the provision of personal information to recipients using a web-based email account where data is stored on an overseas server; and
• the provision of personal information to foreign governments and law enforcement agencies (in limited circumstances and where authorised by law).

It is not practicable to list every country to which the NDIS Commission may provide personal information as this will vary depending on the circumstances. However, you may contact the NDIS Commission (using the contact details set out at section 5.1 of this Policy) to find out which countries, if any, your information has been given to.

3. Complaints

3.1 How to make a complaint

If you think the NDIS Commission may have breached your privacy rights, you may contact us using the contact details set out at section 5.2 of this Policy.

3.2 The NDIS Commission’s process for handling complaints

We will respond to your complaint or request promptly if you provide your contact details. We are committed to the quick and fair resolution of any complaints and will ensure your complaint is taken seriously. You will not suffer negative treatment if you make a complaint.

3.3 How to complain to the Office of the Australian Information Commissioner (OAIC)

You also have the option of contacting the OAIC if you wish to make a privacy complaint against the NDIS Commission, or if you are not satisfied with how we have handled a complaint made to us in the first instance. The OAIC website contains information on how to make a privacy complaint. If you make a complaint directly to the OAIC rather than to the NDIS Commission, the OAIC may recommend you try to resolve the complaint directly with the NDIS Commission in the first instance.

4. Privacy Policy updates

We will review this Privacy Policy regularly and update it as required.

5.1 General enquiries and requests to access or correct personal information

If you wish to:

• query how your personal information is collected, held, used or disclosed
• ask questions about this Privacy Policy
• obtain access to or seek correction of your personal information

please contact the NDIS Commission Feedback and Complaints Team using the following contact details:

• email: contactcentre@ndiscommission.gov.au
• telephone: 1800 035 544
• post: NDIS Commission Feedback, PO Box 210, Penrith NSW 2750.

5.2 Contact details for privacy complaints

If you wish to make a complaint about a breach of your privacy, please contact the NDIS Commission Feedback and Complaints team using the following contact details:

• email: contactcentre@ndiscommission.gov.au
• telephone: 1800 035 544
• post: NDIS Commission Feedback, PO Box 210, Penrith NSW 2750.

5.3 Availability of this Policy

If you wish to access this Policy in an alternative format (e.g. hard copy), please contact the NDIS Commission using the contact details set out at section 5.1 of this Policy. This Policy is available free of charge.