A word on our Provider Spotlight...
The Provider Spotlight is not intended to be an endorsement of a provider's overall activities, but instead focuses on a particular incident or activity which the Commission believes may be beneficial to share, in the spirit of a community of practice.
On this page, we highlight instances of good practice that come to the Commission's attention. Each demonstrates a provider's approach to meeting their obligations and delivering quality and safe supports and services. We also acknowledge that there are many and varied approaches a provider may wish to take, depending on the preferences of their participants and the market in which they operate.
Share with us! We invite providers to share approaches and innovations they've taken to amplify the voice of participants and uplift quality and safety. Let us know what you're doing by emailing Communications.
Central Australian NDIS provider Veritable is using an innovative approach with videos, photographs and drawings to help participants better understand and engage with the services provided to them.
Veritable supports communities in and around Alice Springs (NT), Anangu Pitjantjatjara Yankunytjatjara Lands (SA) and Ngaanyatjarra Lands (WA). Many of their participants use English as a second language and have cognitive impairments.
Using software called ‘Loom’, they have produced videos in Pitjantjatjara and Western Arrernte to explain their service agreement in a conversational style, with the provider’s Director speaking in English and the interpreter in language.
These videos allow workers to introduce themselves to very remote participants who are considering a service agreement. This gives participants a sense of who will be coming to see them and whether they are the right ‘fit’ for them as a person.
Veritable also creates individualised behaviour plans and stories for some participants that include drawings of them in their community, which are created by an in-house artist.
The use of pictures helps break the ice with participants, who have responded positively to both the general and individualised resources. Importantly, Veritable recognises that what works for one person may not work for another, and they strive to be responsive to each person's needs.
NDIS workers have also provided positive feedback that the visual support plans are more accessible and they bring the person's needs to life, making the strategies simple and direct.
This creative approach has been welcomed by participants and workers alike. These outcomes demonstrate the importance of recognising each participant’s individual communication needs when creating plans and agreements, and upholding the participant’s right to choice and control in how their services are provided.
In May 2022, an unauthorised third party gained access to a cloud-based client management system from software and analytics supplier CTARS Pty Ltd (CTARS), used by some NDIS providers. The security breach exposed information, including personal details of NDIS participants.
Following the incident, the NDIS Commission initiated a compliance review to assess impacted providers' response against their obligations for managing information and participant privacy. We also published a Provider Alert with information for providers about preventing and managing data breaches.
Response from Griffith Post School Options
This provider sought legal advice to manage the data breach and clarify their obligations. They reviewed their privacy policy, participant consent form and data breach response plan, to comply with Australian privacy laws and ensure they're prepared should another data breach occur.
Additionally, the provider: established a team responsible for assessing, reviewing and handling future data breaches; reviewed and updated their IT security measures, including introducing a more robust file backup system and two-factor authentication for some systems; and arranged cyber-security training for their staff.
Griffith Post School Options also individually notified impacted NDIS participants of their breach, using their preferred communication method. This notification included the public statement issued by CTARS on the breach, the types of information and details which may have been exposed, actions they were taking in response, and contact details for further enquiries. When asked, Griffith Post School Options helped participants understand what information is stored in their CTARS profile and provided a printout of the information.
Griffith Post School Options also posted a news article on their website, as an additional communication.
Finally, Griffith Post School Options maintained regular communication with CTARS, to stay up to date on the breach, and arranged a face-to-face visit to review the functions and security of the CTARS system.
Reflections
The provider delivered a well-considered approach including:
- ensuring strong communications, to keep themselves and participants informed
- taking the opportunity to learn from the experience and strengthen their information management approach.
Our compliance activity in relation to NDIS providers’ response to the CTARS data breach is ongoing. Providers are encouraged to refer to our Provider Alert for information about their obligations and other available resources to support this important area of service provision.