Privacy Policy

Privacy and Information Management Policy.

Victorian Disability And Aged Care Services.

Last updated: 22/01/202.

1. Purpose

This Privacy and Information Management Policy outlines how Victorian Disability And Aged Care Services (“we”, “us”, “our”) collects, uses, stores, and discloses personal and sensitive information.

We are committed to complying with:

  • NDIS Act 2013

  • NDIS Quality and Safeguards Commission requirements

  • NDIS Code of Conduct

  • Privacy Act 1988 (Cth)

  • Australian Privacy Principles (APPs)

  • Relevant record-keeping and safeguarding obligations

  • Recognised global data protection principles (including GDPR-style standards such as lawfulness, fairness, transparency, and data minimisation)

This policy applies to all participants, families, carers, nominees, employees, contractors, volunteers, and any third parties engaged by Victorian Disability And Aged Care Services.


2. Our Commitment

We are committed to:

  • Protecting your privacy, dignity, and confidentiality

  • Handling information lawfully, fairly, and transparently

  • Only collecting information that is necessary and relevant

  • Using information solely for appropriate and agreed purposes

  • Keeping information secure against loss, misuse, or unauthorised access

  • Supporting your right to access and correct your information

  • Embedding privacy and safeguarding into our everyday practice

All staff and contractors receive training on privacy, confidentiality, and information security.


3. Information We Collect

We only collect information needed to provide safe, high-quality, person-centred supports and to meet our legal obligations.

This may include:

Personal information

  • Name, date of birth, gender, contact details

  • Address, emergency contacts, next of kin

  • Cultural background, language preferences, communication needs

Sensitive and health information

  • Disability-related information

  • Medical history, diagnoses, functional assessments

  • Medication details, risk assessments, behaviour support information

  • NDIS plan details, goals, funding categories and supports

Service and operational information

  • Service agreements, case notes, progress reports

  • Incident reports, feedback, and complaints

  • Employee and contractor records (e.g. qualifications, screening, payroll details)

We do not collect more information than required for service delivery, safety, or compliance.


4. How We Collect Information

We may collect information:

  • Directly from you (in person, by phone, email, online forms)

  • From your authorised representative, guardian, nominee, or carer

  • From NDIS planners, support coordinators, plan managers (with consent)

  • From health professionals and other service providers involved in your care (with consent)

  • From government authorities or regulators where required or authorised by law

Wherever practical, we will collect information directly from you or with your knowledge and informed consent.


5. Why We Collect Information

We collect and use personal information to:

  • Provide safe, high-quality, person-centred supports and services

  • Understand your needs, goals, preferences, and risks

  • Develop and review support plans and service agreements

  • Communicate with you, your representatives, and your support network

  • Manage NDIS claiming, billing, financial reporting, and audits

  • Meet legal, regulatory, and contractual obligations

  • Monitor quality, handle incidents, and improve our services

  • Recruit, manage, and support our staff and contractors

We do not sell personal information or use it for unrelated marketing.


6. Use and Disclosure of Information

We only use or disclose your information for:

  • Purposes directly related to your supports or our operations

  • Purposes you would reasonably expect, or where you have given consent

  • Requirements under NDIS, legal or regulatory frameworks

  • Managing or reducing a serious risk to your life, health, or safety, or that of others

  • Responding to lawful requests from government agencies or regulators

We may share information (where appropriate and lawful) with:

  • Health professionals and therapists involved in your support

  • NDIS, NDIA, NDIS Quality and Safeguards Commission

  • Plan managers, support coordinators, and other service providers

  • Approved third-party IT, payroll, or administration providers under strict confidentiality terms

Where possible, we seek your consent before sharing your information, unless disclosure is required or permitted by law.


7. Data Security and Storage

We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure.

Our safeguards include:

  • Secure offices and locked storage for paper records

  • Password-protected and access-controlled electronic systems

  • Role-based access so only authorised staff can view relevant information

  • Encryption and secure backup of key systems where appropriate

  • Policies for secure transfer and destruction of data

  • Ongoing staff training in privacy, cybersecurity, and confidentiality

We primarily store data in Australia and ensure third-party systems meet appropriate security standards.


8. Accessing and Correcting Your Information

You have the right to:

  • Request access to the personal information we hold about you

  • Request corrections if your information is inaccurate, incomplete, or outdated

To make a request, contact us using the details at the end of this policy.
We may ask for proof of identity and will respond within a reasonable timeframe.
If we cannot provide access (e.g. legal restrictions), we will explain why and discuss options.


9. Consent

We aim to obtain informed consent before:

  • Collecting personal or sensitive information

  • Sharing information with other providers or third parties

  • Using information for purposes beyond direct service delivery

Consent may be written, verbal, or implied through actions where appropriate.
You may withdraw consent at any time by contacting us, noting that this may affect how we provide services.


10. Retention and Disposal of Information

We retain records for the minimum periods required under:

  • NDIS and disability service regulations

  • Privacy, health, tax, and employment legislation

After the required retention period, records are securely destroyed or permanently de-identified in line with legal and best-practice standards.


11. Website, Cookies and Analytics

When you visit our website:

  • Basic information may be collected (e.g. pages visited, browser type, time on site)

  • Cookies or analytics tools may be used to improve user experience and site performance

This information is generally aggregated and does not personally identify you.
You can manage or block cookies through your browser settings.


12. Alignment with Global Standards

While we operate under Australian law, our approach aligns with recognised global data protection principles, including:

  • Transparency and fairness

  • Data minimisation

  • Purpose limitation

  • Security and confidentiality

  • Respect for individual rights to access and correction

These principles are consistent with standards such as the EU’s GDPR, providing a high level of assurance for all stakeholders.


13. Data Breach Response

If a suspected or actual data breach occurs, we will:

  • Act promptly to contain and assess the breach

  • Reduce any risk of harm

  • Determine whether the breach is likely to result in serious harm

  • Notify affected individuals and the Office of the Australian Information Commissioner (OAIC), where required, under the Notifiable Data Breaches Scheme

  • Review and improve our systems to prevent future incidents

We treat all breaches seriously and transparently.


14. Privacy Complaints and Concerns

If you have a concern about how your information has been handled, we encourage you to contact us first.

We will:

  • Acknowledge your concern

  • Investigate promptly and fairly

  • Provide a response and, where appropriate, corrective action

If you are not satisfied with our response, you may contact:

We will cooperate fully with external investigations.


15. Policy Review

This Privacy and Information Management Policy is reviewed:

  • At least annually, and

  • Whenever there are changes to legislation, NDIS requirements, or best-practice standards.

The most current version will be available on our website or on request.


Contact Details

For privacy enquiries, requests, or complaints, please contact:

Privacy Officer – Victorian Disability And Aged Care Services
Address: 30 Wallace Avenue, Point Cook, VIC. 3030. Australia.
Phone: +(61) 0383797320
Email: [email protected]