NDIS providers hold some of the most sensitive personal information that exists. The obligation to protect this information is a legal requirement under the Privacy Act 1988, the Australian Privacy Principles, and specific obligations under the NDIS Practice Standards.
The Privacy Act 1988 (Cth) and its 13 Australian Privacy Principles (APPs) apply to any organisation with an annual turnover above $3 million, as well as smaller organisations that handle health information. The NDIS Practice Standards require documented policies for collecting, storing, using and disclosing participant information. The Notifiable Data Breaches (NDB) scheme also applies: if a data breach is likely to cause serious harm, you must promptly notify both the Office of the Australian Information Commissioner (OAIC) and the affected individuals.
Health information is a subset of "sensitive information" and attracts the highest level of protection. For NDIS providers, this covers clinical notes, medication records, incident reports, behaviour support plans, diagnoses, assessments, and any other information about a participant's health or disability. You must obtain explicit consent before collecting this type of information unless a specific exception applies.
Providers must have: a documented privacy policy explaining what information is collected and why; documented staff training on privacy obligations; access controls that limit access to participant records on a need-to-know basis; secure storage, meaning encrypted data with regular backups on Australian-hosted cloud services; and data retention and destruction policies (health records must generally be retained for seven years).
Under the NDB scheme, the clock starts ticking the moment you become aware of a potential breach. Your response plan should include immediate containment, an assessment of whether serious harm is likely, and prompt notification to the OAIC and affected participants if it is. Delay is one of the most common aggravating factors in OAIC investigations.
Ready to streamline your NDIS operations? Start your free CareIQ trial — built for Australian care providers.