Privacy

Privacy policy

1. Purpose and scope

The NDIS Quality and Safeguards Commission (NDIS Commission) is an independent agency established to improve the quality and safety of NDIS supports and services. The NDIS Commission must comply with the Australian Privacy Principles (APPs) contained in Schedule 1 of the Privacy Act 1988 (Cth) (Privacy Act).

The NDIS Commission’s Privacy Policy provides information about how we collect, use, disclose and hold personal information, including sensitive information (defined in the Privacy Act) and how individuals may access and correct the personal information we hold about them. 

Under APP 1, the NDIS Commission is required to manage personal information in an open and transparent way. Our Privacy Policy outlines:

• the type of personal information we collect and hold
• how we collect and hold personal information
• the purpose for which we collect, hold, use and/or disclose personal information
• how an individual can access personal information about the person that is held by the NDIS Commission and seek correction of the information
• how an individual can make a complaint about our handling of personal information and how the NDIS Commission will deal with such a complaint;
• whether the NDIS Commission is likely to disclose personal information to overseas recipients, and if so, the countries in which those recipients are located.
•  

1.1 Other legislation

The NDIS Commission and its officers must also comply with other legislation related to privacy, including the secrecy provisions contained in the National Disability Insurance Scheme Act 2013 (NDIS Act). These provisions limit how we record, disclose and use information about a person (including a deceased person) that is or was held in the records of the NDIS Commission. 

The NDIS Commission requires its contracted service providers to also comply with these legal requirements.

1.2 Who should read this Privacy Policy?

You should read this policy if you are:

• an individual whose personal information may be given to or held by the NDIS Quality and Safeguards Commission (the NDIS Commission);
• a contractor, consultant, supplier or vendor of goods or services to the NDIS Commission;
• a person seeking employment with the NDIS Commission; and a person who is or was employed by the NDIS Commission.

2. What information we collect

The NDIS Commission only collects personal information about you when it is reasonably necessary for, or directly related to our functions or activities, or when required to do so by law.

We may collect sensitive information about you:

• where you consent
• when the collection is authorised or required by law
• when the collection is otherwise allowed under the Privacy Act

Examples of circumstances in which the NDIS Commission collects your information include:

• when you apply for registration as an NDIS provider
• when you make a complaint to us
• during compliance and enforcement activities or investigations
• requesting to be placed on a mailing list
• applying for a job at the NDIS Commission
• when lodging a request for documents under the Freedom of Information Act 1982 (Cth) (FOI Act).

Personal information is information or an opinion about an identified individual or an individual who is reasonably identifiable.

The personal information we may collect includes:

• contact details (such as your name, address, email and telephone numbers)
• biographical data (such as your date and place of birth, and gender)
• employment status and history (such as previous employment)
• education status
• financial information (such as bank details)
• government identifiers (such as Centrelink and Medicare Reference Numbers)
• information about your family and other related persons (such as any partners, children, dependants, carers or nominees or authorised representatives)
• feedback, complaints or application related information

Sensitive information is a subset of personal information that requires greater protection under the Privacy Act. Sensitive information includes information about:

• racial or ethnic origin
• political opinions or membership of a political association
• religious beliefs of affiliations
• philosophical beliefs
• membership of a professional or trade associate or trade union
• sexual orientation
• criminal record
• health information
• genetic information
• biometric information or templates

The sensitive information we may collect includes:

• cultural and linguistic background (including languages you speak)
• health and disability information
• information about supports and services you receive under the National Disability Insurance Scheme (NDIS)
• criminal history

The NDIS Commission may also obtain photographs and video recordings of you.

3. How we collect information

We collect personal information through various means including paper and electronic forms, online portals, written correspondence, face to face and over the phone discussions. If it is reasonable and practical to do so, we will collect personal information directly from the individual or their authorised representatives. 

We may also collect personal information from third parties (e.g. NDIS providers, other government agencies and law enforcement agencies) in a variety of circumstances including, but not limited to:

• in the lodgement of a complaint
• in the context of compliance and enforcement activities
• in carrying out registration and other statutory functions
• recruiting our employees and contractors

When your personal information is collected, we will take reasonable steps to inform you about why the information is collected and how it will be handled. We may not inform you where:

• you have consented to the collection of your personal information from a third party
• we are required or authorised by law to collect the personal information from third parties, or
• it would not be reasonable or practicable to notify you that we have collected your personal information (for example, were notification could jeopardise an ongoing investigation)

4. Anonymity and pseudonymity

The Privacy Act requires us to provide individuals the option of not identifying themselves or using a pseudonym (made-up name) in their dealings with the NDIS Commission when it is lawful and practicable to do so – for example, where an individual wants to make an anonymous complaint. 

When contacting the NDIS Commission, you should consider whether you want to remain anonymous or share your personal details. Generally, individuals can choose to remain anonymous or adopt a pseudonym when dealing with the NDIS Commission. However, in certain circumstances this might not be feasible – for example, where we need an individual’s name and address to register them as an NDIS provider.  The NDIS Commission will inform you when this is the case. 

5. How we store and secure personal information

The NDIS Commission stores personal information in a variety of formats including, but not limited to:

• hard copy files
• databases
• NDIS Commission issued devices (i.e. laptops, mobile phones, computers)
• third party storage providers such as cloud storage facilities

We take reasonable steps to protect your personal information against misuse, interference, and loss, as well as from unauthorised access, modification or disclosure. These steps include:

• storing records securely as per Australian government security guidelines
• only accessing personal information on a need-to-know basis and by authorised personnel
• monitoring system access which can only be accessed by using authenticated credentials
• regularly updating and auditing our storage and data security systems
• ensuring access to our buildings are secure at all times
• undertaking due diligence with respect to third party service providers who may have access to personal information to ensure (as far as practicable) compliance with the APPs
• ensure destruction, deletion or de-identification of personal information we hold that is no longer required to be retained by the Archive Act 1983 (Cth) (Archives Act) or any other applicable laws

5.1 Responding to data breaches

The NDIS Commission will take appropriate, prompt action including reporting to the Office of the Australian Information Commissioner (OAIC) if an eligible data breach occurs and personal information we hold is subject to unauthorised modification, loss, use or disclosure.

If we suspect unlawfully disclosure, access or loss has occurred, the NDIS Commission will undertake an assessment and take necessary steps to contain the breach to minimise the potential risk of harm. The NDIS Commission will determine if it is an ‘eligible data breach’ has occurred, within 30 days of being informed of the potential breach, and notify the OAIC and affected persons in accordance with our Data Breach Response Plan.

6. Use and disclosure of personal information

The NDIS Commission will only use or disclose personal information as set out in this policy and for the primary purpose for which it is collected.  We may use or disclose personal information for another (secondary) purpose, if one of the following applies:

• the individual has consented to the use or disclosure
• the individual would reasonably expect us to use or disclose the personal information because it relates to the primary purpose for which it was collected (or if it is sensitive information, that it is directly related)
• we are required or authorised by law to use or disclose the information
• a permitted general situation exists—including where we reasonably believe that using or disclosing the information is necessary to:
  • lessen or prevent a serious threat to the life, health or safety of any individual or to public health or safety
  • take appropriate action in relation to suspected unlawful activity or serious misconduct
  • establish, exercise, or defend a legal or equitable claim
• we reasonably believe the use or disclosure is necessary for our compliance or enforcement activities, or for the compliance or enforcement activities of other Commonwealth, state or territory agencies

We may disclose your personal information to the following types of bodies or individuals:

• contracted service providers, lawyers and any other service providers who we engage to assist us with our functions
• other government agencies (such as the National Disability Insurance Agency (NDIA))
• courts and tribunals
• other law enforcement bodies (such as the Australian Federal Police)
• the public, if the personal information is required to be published on a public register, in the Government gazette or on our website (such as information published on the NDIS Provider Register)
• responsible Ministers and parliamentary committees exercising their oversight functions
• applicants under the FOI Act or Accredited Data Service Providers applicants under the Data Availability and Transparency Act 2022, DATA Scheme
• referees and former employers to verify qualifications and experience when assessing certain applications
• the Australian Government Security Vetting Agency or any other vetting providers that we engage to conduct security or vetting assessments on our behalf

6.1 Disclosure of personal information to overseas recipients

The NDIS Commission may disclose personal information about an individual to an overseas organisation in the course of providing our functions. For example, to third party suppliers and service providers (located overseas) who assist to conduct surveys, research or use cloud service providers, which stores data outside Australia. 
We will take reasonable steps not to disclose personal information to an overseas recipient unless:

• you provide us with express or implied consent
• we are satisfied that the overseas recipient is compliant with the APPs, or equivalent regime
• the disclosure is authorised or required by or under an Australian law or court/tribunal order, or
• is otherwise permitted under the Privacy Act

7. Access and correcting your personal information

The NDIS Commission takes reasonable steps to ensure that personal information we hold, use and disclose is accurate, complete and up to date, including at the time of using or disclosing the information. 

You have a right under the Privacy Act to access and request corrections to personal information if you think the information is inaccurate, out-of-date, incomplete, irrelevant, or misleading. However, in some circumstances, the NDIS Commission may decline access to or correction of personal information – for example, where access is unlawful under a secrecy provision in portfolio legislation, or where the personal information held is an opinion and not an objective fact.

To access or seek correction of personal information we hold about you, please contact us using the contact details set out at section 10 of this Policy. 

It is also possible to access, and correct documents held by the NDIS Commission under the FOI Act. For information on this, please visit our FOI page.

8. Visiting our website and social media pages

The NDIS Commission website and social media pages may (at times) contain links to other third-party websites outside the NDIS Commission. The NDIS Commission is not responsible for information stored, accessed, used or disclosed on such websites. 

8.1 Our website

If you visit the NDIS Commission website to read or download information, we may record a range of technical information, which does not reveal your identity. This information includes your IP or server address, your general locality and the date and time you visit the website. Information is used for statistical and development purposes. No attempts are made to identify you through your browsing other than in exceptional circumstances, such as an investigation into the improper use of the website.

The NDIS Commission website may include hyperlinks to other third-party websites. Website functionality of third parties may capture and store your personal information outside Australia. These third parties include, but not to:

• social media site (i.e. Facebook, X (formerly Twitter), LinkedIn)
• video access (i.e. YouTube, MS Teams)
• external surveys (i.e. SurveyMonkey)
• campaign monitoring 

Some third parties are not subject to the Privacy Act. The NDIS Commission is not responsible for third party privacy practices and encourages users to examine third party privacy policies and decide if you agree to the terms.

8.2 Cookies

The NDIS Commission may use cookies to maintain contact with a user during a website session and to remember settings, preferences, or activity across multiple sessions. A cookie is a small file that is placed on your computer by your web browser at the request of the NDIS Commission's website.

Cookies allow the NDIS Commission’s website to offer consistent experiences across multiple sessions, to recognise a returning browser, and to track usage patterns as users navigate the site. This enables the NDIS Commission to collect aggregated information about how the website is used, such as the pages visited, the average time spent on each page, and the number of visitors. No attempt is made to personally identify users through their browsing activity.
 

8.3 Electronic communication

There is an inherent risk associated with the transmission of information over the Internet, including via email. You should be aware of this when sending personal information to us by email or by using the NDIS Commission website. 

If you are concerned about electronic communication, you may prefer to use other methods of communication with the NDIS Commission, such as post, fax or via phone. 

9. Complaints

9.1 How to complain to the NDIS Commission

If you believe that the NDIS Commission has used your personal or sensitive information in a way that is not consistent with this policy or privacy laws, you can make a complaint by contacting us using the contact details set out at section 10 of this Policy.

We will respond to your complaint or request promptly in line with our Feedback and Complaints Policy and we may seek further information in order to provide a full and complete response. We are committed to a fair and impartial resolution of any complaints without reprisal.  

If you are not satisfied with our response, you may refer the complaint to OAIC.
 

9.2 How to complain to the OAIC

You can contact the OAIC if you wish to make a privacy complaint against the NDIS Commission, or if you are not satisfied with how we have handled a complaint made to us in the first instance. 

The OAIC website contains information on how to make a privacy complaint. If you make a complaint directly to the OAIC rather than to the NDIS Commission, the OAIC may recommend you try to resolve the complaint directly with the NDIS Commission in the first instance.

10. How to contact us

10.1 General enquiries and requests to access or correct personal information

If you wish to:

• query how your personal information is collected, held, used or disclosed
• ask questions about this Privacy Policy
• obtain access to or seek correction of your personal information, please contact the NDIS Commission using the following contact details:
  • email: contactcentre@ndiscommission.gov.au
  • telephone: 1800 035 544
  • post: NDIS Commission Feedback, PO Box 210, Penrith NSW 2750

10.2 Contact details for privacy complaints

If you wish to make a complaint about a breach of your privacy, please contact the NDIS Commission using the following contact details:

• Email: internalintegrity@ndiscommission.gov.au
• Post: NDIS Commission Internal Integrity, PO Box 210, Penrith NSW 2750.

10.3 Contact details for freedom of information requests

Access to some information that we hold may require a formal request under the FOI Act. FOI applications and queries should be made to:

• Email: foi@ndiscommission.gov.au
• Post: NDIS Commission Feedback, PO Box 210, Penrith NSW 2750.

11. NDIS Commission Staff

This policy applies to all NDIS Commission staff undertaking activities at the NDIS Commission. ‘Staff’ means all persons employed or otherwise engaged by the NDIS Commission, including any volunteers or contractors. 

The NDIS Commission collects and handles personal information for the purposes if recruiting and engaging staff. The types of personal and sensitive information we collect and hold about staff include:

• job applications, resumes and qualification documents
• contract details, referee and emergency contact details
• employment contracts, contractor engagement and associated records
• salary, leave, superannuation, taxation and banking details
• clearances, medical certificates and health related information
• information relating to conduct and performance

The NDIS Commission will generally collect personal information directly from staff. We may also collect information from other persons, such as supervisors, recruitment agents, and previous employers. 

The NDIS Commission may collect and use your sensitive (i.e. health information) and personal information to maintain your health and safety and that of work colleagues. Sensitive and personal information is disclosed to officers within People Services and other NDIS Commission areas on a need-to-know basis. The NDIS Commission may also need, or be legally required, to disclose your health and other personal information to other government entities, or third-party service providers including, but not limited to; health authorities for health and safety purposes.

11.1 Key Appointments and Roles

Privacy Champion

The Director of the Internal Integrity Unit is the Privacy Champion for the NDIS Commission, and is responsible for:

• promoting a culture of privacy within the NDIS Commission that values and protects personal information;
• providing leadership within the NDIS Commission on broader strategic privacy issues;
• reviewing and/or approving our privacy management plan and documented reviews of our progress against the plan; and
• providing regular reports to the executive, including about any privacy issues arising from our handling of personal information.

Privacy Officer

The Assistant Director and Senior Review Officer of the Internal Integrity Unit are the Privacy Officers for the NDIS Commission.  This role is responsible for:

• handling of internal and external privacy enquiries, privacy complaints, and requests for access to and correction of personal information made under the Act;
• maintaining a record of our personal information holdings;
• assisting with the preparation of privacy impact assessments conducted under section 12 of the Privacy Code;
• maintaining a register of privacy impact assessments as required by section 15 of the Privacy Code; and
• measuring and documenting our performance against the privacy management plan at least annually as required by section 9 of the Privacy Code.

11.2 Staff Responsibilities

All staff, in order to fulfil our responsibilities under the Privacy Code and the Privacy Act, must:

• undertake privacy education or training when provided by the NDIS Commission;
• familiarise themselves with this Policy, and the Australian Privacy Principles at Appendix 4;
• for staff in leadership positions, take positive steps to ensure that staff they supervise comply with their privacy-related responsibilities;
• ensure personal information is lawfully collected and recorded, and only used or disclosed appropriately, in accordance with all legal obligations;
• ensure personal information we hold is relevant, accurate and up-to-date;
• ensure personal information is stored and archived in accordance with records management obligations and, if it is no longer relevant or necessary to be held, ensure that it is appropriately disposed of or de-identified; and
• ensure contracted service providers are contractually bound to comply with relevant law and policies, including the Privacy Act, the NDIS Act, and this Policy, through appropriate contractual provisions.

12. NDIS Commission Information handled by the Department of Social Services

The Department of Social Services (DSS) provides shared services to the NDIS Commission, including human resources and information technology services. This means that some of our personal information is stored on DSS systems. DSS is also subject to the Privacy Act and manage information in accordance with their statutory obligations. 

14. Further Information

For further information, contact either the Privacy Champion or Privacy Officers of the Internal Integrity Unit at internalintegrity@ndiscommission.gov.au.

The Privacy Act is accessible at Privacy Act 1988.

Extensive guidance from the Office of the Australian Information Commissioner is available at Privacy.   

The NDIS Act is accessible at National Disability Insurance Scheme Act 2013.

Privacy collection statement

The NDIS Quality and Safeguards Commission (NDIS Commission) is bound by the Australian Privacy Principles (APPs) in Schedule 1 of the Privacy Act 1988 (Cth) (Privacy Act) which regulate how certain types of organisations and agencies may collect, use, disclose and store personal information. The NDIS Commission is also bound by the provisions of the National Disability Insurance Scheme Act 2013 (Cth) (the NDIS Act) concerning management of information that the NDIS Commission holds about a person. This is “protected Commission information” under the NDIS Act. An example of protected Commission information is information about a worker on the NDIS Worker Screening Database. Unauthorised use and disclosure of protected Commission information by any person is a criminal offence under the NDIS Act.

Collection of personal information

The NDIS Commission may collect your personal information (including sensitive information) directly from you, your representative or a third party, or from publicly available sources to facilitate and support the exercise of the NDIS Commissioner’s functions under the NDIS Act and Rules. This includes collecting personal information when we are:

• Considering and determining an application to be a registered NDIS provider
• Handling a complaint related to the provision of supports and services under the NDIS
• Managing the response to a reportable incident notified to the Commission
• Monitoring or investigating an NDIS provider’s or worker’s compliance with the NDIS Act and Rules
• Reviewing the use of restrictive practices and the provision of behaviour support services
• Taking compliance and enforcement action
• Assessing applications for employment with the NDIS Commission and associated employment matters (including security and pre-employment integrity checks)
• Assessing applications to participate in any NDIS Commission funded programs and initiatives
• Managing of contracts and funding agreements, or
• Undertaking other regulatory action under the NDIS Act and the NDIS Rules.

We may also obtain your personal information collected by other Commonwealth agencies, State or Territory government bodies, or other organisations for the purposes of fulfilling our regulatory functions. Examples include the NDIA, State or Territory disability related regulators, non-disability related regulators (such as work health and safety regulators), law enforcement agencies, courts and tribunals, and workers screening units. From time to time, we may also receive personal information from members of the public without it being requested.

We generally use forms, online portals and other electronic or paper correspondence to collect this information. We may also collect information through our website and social media services such as Facebook (Meta), Twitter, MailChimp, SurveyMonkey, Google and YouTube to improve our website and receive feedback from the community.

We will not ask for information that is not reasonably necessary for, or directly related to, a function or activity of the NDIS Commission. We include a privacy notification on our paper based forms and online portals that describes the reason why the information is being collected and to whom the information may be disclosed to.

Kinds of personal and sensitive information collected and held

The kinds of personal information we may collect and hold is determined by the reason for collection. It may include:

• name, address and contact details (e.g. phone, email and fax)
• photographs, video recordings and audio recordings of you
• information about the supports and services you have provided to NDIS participants and how you provided those supports and services
• information about your personal circumstances (e.g. marital status, age, gender, occupation, accommodation and relevant information about your partner or children)
• information about your financial affairs (e.g. payment details, bank account details and information about business and financial interests)
• information about your employment (e.g. work history, referee comments, remuneration)
• government identifiers (e.g. Centrelink Reference Number or Tax File Number) and/or
• information about assistance provided to you under the NDIS.

Sensitive information may include information about:

• your health
• your identity (e.g. date of birth, country of birth, passport details, visa details, drivers licence, birth certificates, ATM cards)
• your background (e.g. educational qualifications, the languages you speak and your English proficiency), and/or
• your criminal history.

 The NDIS Act authorises the collection, use and disclosure of protected Commission information in certain circumstances, including where this is for the purposes of the NDIS Act. Where the collection of personal information is authorised or required under the NDIS Act and Rules, not providing the information may constitute a contravention of the NDIS Act, which may lead to a criminal or civil penalty. Where the NDIS Commission asks you to provide personal information voluntarily, you should consider your own privacy obligations and seek advice if necessary.

Use and disclosure of personal and sensitive information

The NDIS Commission may use or disclose some or all of the personal information collected from you for the purpose of performing the functions of the NDIS Commissioner under the NDIS Act such as in relation to the NDIS Worker Screening Database. This may include sharing information with the Worker Screening Units in States and Territories. 

If authorised by the NDIS Act, the NDIS Commission may also disclose personal information to other relevant parties, including other Commonwealth, State or Territory agencies, regulatory bodies or professional associations. The NDIS Commission often makes disclosures of personal information to:

• the NDIA, including the NDIS Fraud Taskforce
• the Royal Commission into Violence, Abuse, Neglect and Exploitation of People with Disability
• Coroners
• State and Territory Worker Screening Units
• Public Advocates
• Other regulators with a role that has a connection with NDIS supports and services

The NDIS Commission is not likely to disclose personal information to overseas recipients.

Personal and sensitive information obtained by us will only be used and disclosed for the purposes, and in the circumstances, outlined above and will not be used or disclosed without your consent for any other purpose or in other circumstances, except as authorised under the Privacy Act or where authorised or required by law, including by the NDIS Act.

Accessing and correcting your personal and sensitive information

We store and hold your personal and sensitive information in accordance with the NDIS Commission’s obligations under the Privacy Act and the Archives Act 1983 (Cth). The NDIS Commission’s Privacy Policy contains more information about how you may access and seek correction of your personal information.

How to make an enquiry, request or complaint

Enquiries, requests and complaints relating to the Privacy Act and the collection of your personal information can be made by:

• email: internalintegrity@ndiscommission.gov.au
• telephone: 1800 035 544
• mail: NDIS Commission Feedback, PO Box 210, Penrith NSW 2750

If you make a complaint regarding the collection, use or handling of your personal information we will deal with your complaint in accordance with the NDIS Commission’s Feedback and Complaints Policy.

Privacy impact assessment

The NDIS Quality and Safeguards Commission (NDIS Commission) promotes a culture that values privacy and is committing to protecting personal information shared with us. The NDIS Commission completes privacy impact assessments (PIA) for high-risk privacy projects to ensure privacy considerations are taken into account from the outset of a project and through its lifecycle. PIAs provide a systematic assessment of compliance with the Australian Privacy Principles contained in the Privacy Act 1988 to identify potential privacy risks and provide mitigation strategies for managing, minimising or eliminating risks.

The NDIS Commission is required by section 15.1 of the Privacy (Australian Government Agencies – Governance) APP Code 2017 to maintain a register of the privacy impact assessments (PIAs) it conducts, and to publish that register on its website.

PIAs that have been completed by the NDIS Commission are listed below:

Further information

For further information, contact either the Privacy Champion or Privacy Officers of the Internal Integrity Unit at internalintegrity@ndiscommission.gov.au .

The Privacy Act is accessible at Privacy Act 1988.

Extensive guidance from the Office of the Australian Information Commissioner is available at Privacy.