1. Purpose
i’ara Specialist Support Coordination (i’ara, we, our) recognises the importance of maintaining the confidentiality, privacy and security of client and participant information. We are committed to implementing robust information management practices in compliance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), the NDIS Act 2013 and associated regulatory requirements for NDIS providers, including the NDIS Code of Conduct, NDIS Practice Standards, and any applicable state/territory legislation.
2. Scope
This policy applies to all personal and sensitive information collected, held, used or disclosed by i’ara in relation to participants, clients, their authorised representatives, families, support workers, third-party service providers, and any other individuals whose data we handle in the course of providing support coordination and related services.
3. Definitions
Personal information means information or an opinion about an identified or reasonably identifiable individual.
Sensitive information includes information or an opinion about an individual’s health, disability, racial or ethnic origin, and is subject to higher protection.
Participant/client means a person receiving NDIS-funded supports or services from i’ara.
Authorised representative means a person legally or formally authorised to act on behalf of a participant or client (e.g., guardian, parent, power of attorney).
Disclosure means making personal information available to another individual or organisation.
Retention period means the period we keep personal information before secure disposal or de-identification.
4. What Personal Information We Collect
Prior to collection, we obtain consent from clients or their authorised representatives. We ensure that individuals are informed of:
- the fact of collection;
- the purposes for which the information is collected;
- the organisations or individuals to whom the information may be disclosed;
- how the individual may access or correct their information or make a complaint;
- any consequences of not providing the information.
We collect only the personal and sensitive information reasonably necessary for the provision of support coordination and related services under the NDIS, including but not limited to: name, contact details, date of birth, disability/health information, support needs, service provider details, NDIS plan information. We minimise the collection of unnecessary or irrelevant data.
5. Use and Disclosure of Personal Information
We use personal information only for the primary purpose for which it was collected (e.g., planning and coordinating supports, liaison with service providers, funding management) or for a related secondary purpose where the individual would reasonably expect the use or where consent is obtained. We do not disclose personal information to third parties without consent unless authorised or required by law (for example, mandatory reporting of abuse, neglect or exploitation under NDIS obligations).
If we transfer personal information overseas, or use overseas-based service providers/storage, we will ensure that the overseas recipient handles the information in accordance with the APPs (APP 8). We require our staff, contractors and third-party service providers to respect the privacy and dignity of participants, in keeping with the NDIS Code of Conduct.
6. Storage, Security and Retention
We take reasonable technical and organisational measures to protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure (APP 11). Measures include secure servers, access controls, encryption, staff training and audits.
We review personal information regularly. When it is no longer needed for any purpose for which it may be used or disclosed, we will securely destroy or de-identify it unless required to retain by law or relevant regulation. We retain records for the retention period specified in our Record-Keeping Policy (or as required by the NDIS, legislation or contractual/service obligations).
7. Access and Correction
Individuals have the right to request access to the personal information we hold about them, and to request correction of information that is inaccurate, out-of-date, incomplete, irrelevant or misleading (APP 12 & 13). Requests should be made in writing to our Privacy Officer (contact details below). We will respond to these requests within [e.g., 30 days] or as soon as practicable. If we refuse access or correction, we will give written reasons and advise on how to complain internally and externally.
8. Complaints and Breach Notification
If you believe we have breached this policy, the APPs or relevant obligations under the NDIS, you may make a complaint to our Privacy Officer at [contact details]. We will investigate and respond within [timeframe]. If you remain dissatisfied you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC). We have an established incident management and data-breach response process. We will notify affected individuals and the OAIC as required under the Notifiable Data Breaches scheme.
9. Participant/Provider-Specific Obligations (NDIS context)
As an NDIS support coordination provider, we comply with the NDIS Code of Conduct, which includes respecting the privacy of people with disability. We implement policies and procedures consistent with the NDIS Practice Standards — Core Module (Rights & Responsibilities) including privacy and dignity.
We ensure that our staff, support coordinators, contractors and any associated service providers are aware of their obligations to protect participant privacy, that participants (and/or their representatives) are informed of confidentiality arrangements in language they understand, and have provided consent. We also ensure mandatory reporting obligations (abuse, neglect, exploitation, violence) are not overridden by confidentiality.
10. Changes to this Policy
We may review and update this policy from time to time. The latest version will be published on our website. We encourage you to review the policy periodically. Your continued engagement with our services constitutes acceptance of any updated policy.
11. Contact Details
Privacy Officer: CEO
Phone: 0483 101 410
Email: hello@iarasupport.com.au