Summary
- NDIS providers in Australia are subject to strict privacy obligations under both the Privacy Act 1988 (Cth) and the NDIS Practice Standards, requiring robust handling of participants’ sensitive personal information.
- A notifiable data breach must be reported to the Office of the Australian Information Commissioner (OAIC) and affected individuals promptly, with failure to do so risking significant penalties.
- Providers should have clear internal breach response procedures in place to identify, contain, and report privacy incidents efficiently.
- This article is a plain-English guide to privacy breach obligations for NDIS service providers operating in Australia, prepared by LegalVision, a commercial law firm.
- LegalVision specialises in advising clients on privacy compliance and NDIS regulatory obligations.
Tips for Businesses
Review your privacy policy and incident response plan regularly. Train staff to recognise and escalate potential breaches immediately. Maintain clear records of any incidents, actions taken, and notifications made. Appoint a designated privacy officer to oversee compliance and coordinate responses when a breach occurs.
As an NDIS provider, you handle some of the most sensitive personal information imaginable. How you protect that information defines your legal standing and the trust participants place in you. NDIS participants share sensitive information with you, including their medical history, disability details and daily living needs. If your business breaches that information, you risk financial, legal and reputational consequences. This article explains your privacy obligations as an NDIS provider, when you can share participant information, and what can happen if your business experiences a privacy breach.
Where Your Privacy Responsibilities Come From
NDIS providers have two main sources of privacy obligations:
- the Privacy Act 1988 (Cth); and
- the NDIS Code of Conduct.
When Does the Privacy Act Apply to You?
The Privacy Act applies to entities with an annual turnover of $3 million or more. The Act also applies to you if you have an annual turnover of less than $3 million and you:
- provide health services and hold health information;
- buy or sell personal information;
- are a service provider under a Commonwealth contract; or
- are a credit reporting body.
As most NDIS providers offer health services, you may still have privacy obligations regardless of your turnover.
You must follow specific rules on how you collect, use, store and disclose personal information. You must notify people how you handle information and when you plan to share it. You must have a privacy policy that is current, easy to understand and accessible.
When you provide NDIS services, you handle health information. The law treats this as sensitive information and gives it greater protection, which limits the ways you can collect, use and disclose it.
NDIS Code of Conduct
You must respect the privacy of people with disability, whether you operate as a registered or unregistered NDIS provider. You must have policies, procedures, and training in place to ensure staff protect personal information. You must be aware of participants’ privacy needs and preferences, and deliver services in a way that protects their dignity. This involves considering everyday privacy needs, such as ensuring participants can shower and dress in a private and comfortable place.
When You Share Client Information
Under both the Australian Privacy Principles and the NDIS Code of Conduct, there are strict limitations on when and how you can share participant information.
When You Handle Personal Information
When you are providing services, you may need to share personal information with other providers involved in the participant’s care. You may also need to share information with family members. Before you share information, you must consider whether sharing matches the reason you collected it. For example, if a participant asks you to provide transport services, you can collect their address and share it with the driver so they know where to pick up and drop off the participant. This directly supports the service you are providing.
Within your business, you should only allow staff who genuinely need participant information to access it. This will help you manage the risk of unauthorised disclosures of participant information and data breaches.
When You Handle Sensitive Information
When you handle sensitive information, such as the participant’s health or disability information, you must take extra care and consider two things:
- does this disclosure directly relate to the original reason it was collected; and
- would the participant expect you to share it this way?
If the answer to either is no, you will need the participant’s informed consent before sharing. If the participant cannot make decisions about information sharing, you should ask their authorised representative. However, you can share this information if another exception applies, such as a legally required disclosure or an emergency situation that is threatening the participant’s health or safety.
Key Statistics
- 532: notifiable data breach notifications were received by the OAIC in January–June 2025, remaining at high levels with malicious attacks accounting for 59%.
- 29,054: complaints were received by the NDIS Commission in 2023–24, showing a significant year-on-year increase and highlighting privacy risks in service delivery.
- 214%: increase in statutory enforcement actions by the NDIS Commission from 2023–24 to 2024–25, including actions addressing privacy and information management breaches.
Sources
- Office of the Australian Information Commissioner (November 2025).
- NDIS Quality and Safeguards Commission (2025).
- National Disability Services (2024).
You commit a privacy breach when you allow unauthorised access to, disclosure of, or loss of personal information. For example, an employee could leave their laptop unlocked on the train, allowing unauthorised access to participants’ personal information. It can also be more severe, such as when a person hacks into your system and leaks participant information.
You can face significant consequences from a privacy breach, both legally and commercially. If a breach is severe, you must notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals.
You can also face substantial financial penalties of up to $660,000. For serious privacy breaches, the maximum penalty is the greater of:
- $50 million;
- three times the value you obtained from the privacy breach; or
- 30% of your turnover during the privacy breach period.
The regulators can require you to take specific actions, such as complying with investigations, attending conferences, taking corrective steps, publishing statements about the conduct and paying compensation to affected individuals.
The NDIS Commission can take action against you for privacy breaches. This could include compliance notices, banning orders or cancellation of your NDIS registration.
How Can You Strengthen Your Data Practices?
You can reduce the risk of a privacy breach by implementing proper data-handling protocols, with policies in place for managing data.
You should have documents that set out your:
- data retention policy; and
- data breach response plan.
You should give participant information to only the staff members who are providing services to them. You can manage this by implementing role-based access restrictions and providing staff training.
Your data retention policy must explain your retention periods for personal information. The law requires you to delete or de-identify personal information once it is no longer required. However, other laws may require you to retain certain medical records, so you must check the requirements carefully.
Your data breach response plan should explain how you will:
- contain the breach;
- assess its severity; and
- determine when you need to notify regulators, such as the OAIC and the NDIS Commission.
When you have this plan in place, it can help you respond to data breaches quickly and reduce the potential consequences of the breach.
Key Takeaways
You must treat privacy as a core business responsibility. As an NDIS provider, you need to manage personal information especially carefully because of the sensitive nature of participant information. By understanding your obligations and the consequences of privacy breaches, you can take action to protect the privacy of participants and other individuals.
LegalVision provides ongoing legal support for businesses through our fixed-fee legal membership. Our experienced NDIS lawyers help businesses manage contracts, employment law, disputes, intellectual property and more, with unlimited access to specialist lawyers for a fixed monthly fee. To learn more about LegalVision’s legal membership, call 1300 544 755 or visit our membership.
Frequently Asked Questions
If you experience a data breach, you should act quickly to contain the incident and assess the extent of the breach. You need to determine the information involved, the number of people affected and the potential harm. If the incident is likely to cause serious harm to individuals, you must notify the OAIC and the affected individuals.
You can share a participant’s personal information if sharing directly relates to the reason you collected it or to a closely related purpose the participant would expect. For example, as a support coordinator, you may share participant information with service providers to schedule support and services. If you are sharing sensitive information for a different reason, you will need the participant’s informed consent. However, there are exceptions where disclosure is required by law or necessary to prevent a serious threat to the participant’s health or safety. You should have clear information sharing arrangements with other providers outlining how participant information will be handled and protected.
Yes. Even if your turnover is under $3 million, the Privacy Act applies if you provide health services and hold health information, which most NDIS providers do.
Sensitive information includes health, disability, and daily living details. It receives stronger legal protection, meaning stricter rules apply to how you collect, use, and disclose it.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.