Part A – About the NDIA
What is the NDIA?
The National Disability Insurance Agency (NDIA, we, our) is responsible for delivering the National Disability Insurance Scheme (NDIS). The NDIS is a once in a generation social and economic reform. It is a new way of providing support for people with a disability, their families and carers.
Information concerning the rollout of the NDIS across Australia’s states and territories can be found here:
- New South Wales
- South Australia
- Australian Capital Territory
- Western Australia
- Northern Territory
You can learn more about the NDIS by:
- visiting the NDIA website: www.ndis.gov.au
- calling the NDIS Helpline on 1800 800 110
- emailing any questions to us using the Contact form.
What are the NDIA’s privacy obligations?
Personal information is information or an opinion about an individual whose identity is reasonably identifiable. Examples of personal information include a person’s name, address, date of birth and details about their health or disabilities.
Privacy laws do not apply to the information of corporate entities, such as providers or community partners. However, the personal information of individuals connected with those entities (such as employees) will be protected by privacy laws.
In dealing with personal information, we abide by the obligations imposed on us under federal law, including the Privacy Act 1988 (Cth) (Privacy Act) and the National Disability Insurance Scheme Act 2013 (Cth) (NDIS Act).
The Privacy Act authorises our collection of personal information where this is required to facilitate access to the NDIS and perform our other functions.
We are also bound by confidentiality and secrecy provisions in the National Disability Insurance Scheme Act 2013 (Cth) (NDIS Act). These provisions limit how we collect and use personal information and when and to whom information can be disclosed.
Part B – Our personal information handling practices
What kinds of personal information does the NDIA collect and hold?
The kinds of information we collect and hold include (but are not limited to) personal information about participants and other users of our services, and about our employees, contractors and providers.
Examples of personal information that we may collect include:
- name, contact details, date of birth and age
- gender, details about participants’ physical or mental health, including disabilities
- information about participants’ support requirements
- details of guardians and nominees, including names, addresses and contact details
- Centrelink Customer Reference Number (CRN)
- details of feedback or complaints about services provided by us
- bank account details
- employee records.
You can choose to deal with us anonymously, in which case your personal information is not subject to privacy laws. However, if a person becomes, or applies to become, a participant in the NDIS or a registered provider of supports, it is impractical to deal with that person on an anonymous basis.
How will the NDIA collect and hold personal information?
We often collect personal information from people directly or from people who are authorised to represent them. While you do not have to provide us with all information requested, not providing this information to us may mean that:
- we may not be able to decide whether you can become a participant;
- decisions may be delayed while we seek further information; and
- we may not be able to approve your plan and the supports funded through the NDIS.
We sometimes collect personal information from a third party if you have consented, been told of this practice, or would reasonably expect us to collect the information in this way. An example of this is collecting information from a healthcare service, such as a residential care facility, which is managing a participant’s care.
We, or third parties acting on our behalf, may also collect personal information from third party disability support providers, state and territory governments and other Commonwealth government entities (for example, the Department of Human Services) where this collection is authorised under law.
Federal law allows us to require the provision of information in certain circumstances. We do this in order to perform our functions, including facilitating the NDIS. The information collected is usually about participants, prospective participants, registered providers or persons with a disability who may wish to access the NDIS and is collected from other government bodies, registered providers of NDIS supports or anyone else who may hold relevant information.
Third parties that may collect personal information on our behalf include:
- our community partners; and
- other parties contracted to collect information, including the Department of Human Services.
We, or third parties acting on our behalf, may contact you by phone, for example, to facilitate your access to the NDIS. In the event we do contact you, we will ask for certain personal information over the phone, but will only request this information after explaining the purpose for asking for it and seeking your consent to proceed.
If you are ever unsure about whether a person calling you is from the NDIA, or one of our community partners, before you give them any information, you should ask the person to verify your NDIS reference number. Alternatively, you should take their name and number and call the NDIA back. If you think you may have been contacted by someone wrongly claiming to be from the NDIA, please contact us by emailing feedback [at] ndis.gov.au or calling 1800 800 110.
Calls to the NDIA are recorded in most cases and are retained in accordance with the Archives Act 1983 (Archives Act).
We collect personal information about employees and prospective employees in order to conduct employment and employment-related activities such as payroll services, recruitment and selection, performance management, reporting and work health and safety. Our collection, use and disclosure of personal information about employees and prospective employees is in accordance with the Public Service Act 1999.
How do we use and disclose personal information?
We collect, hold, use and disclose personal information for the purpose of providing services, including implementing the NDIS, conducting our operations, communicating with participants and health service providers, conducting research and evaluation on the NDIS, and complying with our legal obligations.
We make a record of some phone calls to help us in ensuring that the service we provide meets the highest standards.
We may use your information to seek feedback from you regarding your level of satisfaction with our services.
If we need to disclose personal information outside the NDIA, we will de-identify the information prior to disclosure, wherever it is practicable to do so. We will not normally disclose a person’s personal information to anyone outside the NDIA except where we refer participants to external providers of in-kind supports under an approved NDIS plan; where that person consents; or where the disclosure is authorised or required under law.
Some examples of when we may disclose personal information include:
- in delivering the NDIS and our other functions (for example, quality assurance purposes, training and the purpose of improving our services);
- referrals to external providers of in-kind supports for NDIS participants, or sharing information with community partners where this is required for services included in an approved NDIS plan;
- this is required or authorised by law, including under the NDIS Act;
- it will prevent or lessen a serious and imminent threat to someone's life or health or a threat to public health or safety;
- it is a necessary part of an internal investigation following a complaint; or
- we use a contractor to provide some NDIS services and the contractor needs personal information of certain participants, providers, carers or other persons in order to perform that service.
Users of the NDIA computer system may at times be able to see a person’s name (if the person is a participant, provider of supports, nominee or other person known to the NDIA) when performing duties either as an NDIA employee or on behalf of the NDIA, but are only permitted to record, use or disclose that information if it is directly related to performing those duties.
A state or territory government official may also have access to personal information as part of the intergovernmental arrangements.
We will not sell or rent your information to anyone and will not transfer your information overseas unless you agree to this.
When we use third parties, such as community partners and other contractors, to perform certain functions, the third parties are contractually required to work in accordance with the Privacy Act and the NDIS Act. The contractor is also required to treat personal information they may see or handle with care and confidentiality.
In the case of child participants, or participants who do not have the capacity to make decisions for themselves, we liaise with the people (such as a parent, guardian or nominee) who are responsible for their welfare, rather than them directly.
We may also request personal information of participants, providers and community partners to ensure the integrity of the NDIS, which includes identifying and responding to any fraudulent activities or misuse of NDIS funds.
How does the NDIA deal with Tax File Numbers?
If a person gives us their Tax File Number (TFN), we keep that information secure.
Due to legal restraints on the disclosure of TFNs, if a person asks us for their TFN, we will not be able to provide it to them. If a person wants to obtain their TFN, or the TFN of a family member, they will need to obtain this from the Australian Taxation Office directly.
In limited circumstances, the Australian Taxation Commissioner can be required by law to provide a person’s TFN to us.
How does the NDIA protect personal information?
We take steps to ensure that no-one outside the NDIA can access information we hold about someone without that person’s consent, unless that access is authorised or required under law.
We have systems and procedures in place to protect personal information from misuse and loss, as well as from unauthorised access, modification or disclosure. These steps include:
- paper records are held securely in accordance with Australian government security guidelines;
- access to personal information is on a need-to-know basis, by authorised personnel;
- our premises have secure access; and
- storage and data systems and protections are regularly updated and audited.
When no longer required, personal information is destroyed in a secure manner, or archived or deleted in accordance with our obligations under federal law.
Part C – Our website
What are the NDIA’s web-based services?
Our web-based services are included on our website, which also contains links to our participant and provider portals.
We provide secure web-based services. However, users are advised that there are inherent risks in transmitting information across the internet, including the risk that information sent to or from a website may be intercepted, corrupted or modified by third parties. You can communicate with us, or provide documents to us, by a range of means, including in person or by post, as well as electronically (via email or through our website or myplace portal).
What personal information does the NDIA collect and hold from website users?
We do not collect personal information from browsers of our website.
We collect personal information supplied in the process of submitting queries, feedback or complaints through our website or where a person registers for our email newsletter or notification services.
Anyone can unsubscribe from our services at any time. Links to unsubscribe from our services are found at the bottom of our emails, or people can unsubscribe by contacting us at any time.
How do we use and disclose information collected from our website?
We will only use personal information submitted through our website for the purposes for which the information was provided.
Email addresses provided through website queries will only be used for the purpose of responding to those queries and will not be added to any mailing lists (unless that person has elected to subscribe to our mailing list). We will not use or disclose an email address for any other purpose without the relevant person’s consent, unless it is otherwise in accordance with the Privacy Act or the NDIS Act.
A "cookie" is a small file supplied by the NDIA and stored by the web browser software on a person’s computer when they access our website. (An explanation of cookies can be found at the website of the Australian Information Commissioner (external).)
We use a session cookie for maintaining contact with a user throughout a web browsing session. At the end of the session, the user may choose to manually log off and the cookie is immediately deleted. If a person does not log off at the end of the session, we will automatically log that person off after about 20 minutes. This will ensure that no other person has access to this information.
In order to use certain features which personalise our website, users must use a browser which is enabled to accept cookies.
We analyse non-identifiable website traffic data (including through the use of third party service providers) to improve our services and for statistical purposes. No attempt will be made to identify anonymous users or their browsing activities.
External links to third party websites
Our website contains external links and widgets operated by certain third parties, such as Facebook, YouTube, Instagram, Twitter, LinkedIn and Google. These external third parties may not be subject to the Privacy Act. We are not responsible for the privacy practices of these third parties, or the accuracy, content or security of their websites. You should examine each website's privacy policies and use your own discretion regarding use of their site.
Part D – Queries, concerns and further information
How can a person access or update the information the NDIA holds about them?
We aim to ensure that the information we hold about a person is accurate, up to date, complete and relevant before acting on it. If a person learns that personal information we hold about them is inaccurate, outdated, incomplete, irrelevant or misleading, that person should contact us so that their information can be updated.
Where a person requests us to correct personal information we hold about them, we will action this request promptly. A person can also request that we notify that change to any other agencies or organisations that we have previously disclosed the personal information to.
If we do not agree to correct our records as requested, we will give written notice of the decision, setting out our reasons for refusing the request and how that person can lodge a complaint about our decision.
If a participant or registered provider would like to see what information we hold about them, we recommend checking the myplace Participant’s Portal (external) or myplace Provider’s Portal (external) (accessed through the myGov platform) as a first step. This will contain almost all the information we hold about them. In addition, the person can ask to access the information (see our Access to Information page). Sometimes it may not be possible to give the person a copy of all information we hold about them, especially if it contains details about other people, or if providing the information may lead to harm being done to another person. Where a person’s own information can be provided to them, we will provide this information as soon as possible (and by no later than 30 days of the request).
If we do not agree to a request for access to personal information, we will take reasonable steps to give the person access to the information in an alternative form. We will also provide the person with a written notice setting out the reasons for refusal, and how they can lodge a complaint about the decision.
What if I have a complaint?
If you would like to leave feedback or complain about the service you have received from us, or if you think we have breached your privacy obligations, please contact us through the Feedback and complaints page on our website, or call us on 1800 800 110.
We will promptly investigate and resolve your complaint and respond to you as soon as possible. Sometimes this may mean we have to speak to other NDIA staff members who are handling your matter. In all cases, we will inform you of the progress of your complaint.
If after receiving our response, you are unsatisfied with the resolution of the matter, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC). See the OAIC website (external) for information regarding how to make a complaint.
The OAIC is independent of the NDIA and has the power to investigate complaints about possible interferences with a person’s privacy. It is usually best to contact us first about any privacy concerns. This is because the OAIC will generally ask us to investigate the matter first and provide it with our findings concerning the matter.
How can you contact us regarding privacy matters?
You can contact us by visiting the contact us page on our website, sending an email to privacy [at] ndis.gov.au or calling us on 1800 800 110.