Text to speech
Search

Topic 5: Privacy, Consent and Record Keeping

NDIS Providers are obligated to ensure their daily operations maintain their NDIS Participants' privacy by upholding confidentiality, ensuring consent to collect and use private information is obtained and keeping accurate and up-to-date records.

Topic Overview

The NDIS Code of Conduct requires all NDIS Providers to “respect the privacy of people with disability”. It is up to NDIS Providers to determine and manage appropriate processes for ensuring privacy, keeping in mind that these will shape a large proportion of their everyday practice.

Obtaining consent from NDIS Participants is of paramount importance for NDIS Providers across all aspects of service delivery. Without obtaining consent, NDIS Providers cannot collect or use a person’s private information in order to provide supports and services.

To support practices that uphold NDIS Participants’ privacy and confidentiality, NDIS Providers have requirements they must adhere to regarding how they store their information. These requirements are informed by Federal and State legislation as well as the NDIS Practice Standards.

Privacy

Privacy refers to obtaining and storing personal information about an individual and not sharing that information with others, unless it is discussed with the individual first or legally required by law.

Registered NDIS Providers have obligations under the NDIS Practice Standards to ensure their everyday practice upholds NDIS Participants’ privacy and dignity. All NDIS Providers are required to uphold and enforce practices relating to privacy, in alignment with the Commonwealth Privacy Act 1988 and specific state and territory legislation.

Consent

Consent is a voluntary agreement to another person’s suggestion or proposal. It is permission for something to happen or an agreement to do something.

Obtaining consent is one of the most important aspects of service delivery for all NDIS Providers. Without obtaining consent from NDIS Participants, NDIS Providers are unable to deliver the required supports and services. Business must ensure they have appropriate systems in place for discussing, obtaining and documenting NDIS Participants’ consent. It is also important to note that consent can be withdrawn at any point, meaning previously agreed upon activities must be re-evaluated.

Record Storage

Record storage refers to the processes used to collect and store information in various mediums, including confidential information.

NDIS Providers must ensure they have processes in place to securely store information in accordance with the Commonwealth Privacy Act 1988 and specific state and territory legislation. Registered NDIS Providers are also required to ensure their daily operations include information storage and management practices that align with the NDIS Practice Standards.

What this means for...

  • Participants
  • Providers

Participants

It is important for NDIS Participants to understand what information NDIS Providers are required to collect and store in order for them to provide high quality and safe supports and services. It is equally important that NDIS Participants are aware of how this information is stored by their NDIS Provider and who their personal information may be shared with.

NDIS Providers are required to obtain consent from their NDIS Participants to collect and use their private information and provide supports and services. However, NDIS Participants have choice and control over what information they share with their NDIS Provider, who can access that information and how that information is shared with others. NDIS Participants can withdraw their consent at any time.

Participant FAQs

Do I have to consent to provide my personal information to my NDIS Provider?

No. You have the choice of what information you provide to your NDIS Provider. However, certain information will be required by your NDIS Provider so they can deliver the services or supports you require to a safe and high-quality standard. Your NDIS Provider must explain what information they require from you, why they need it and how they’ll use it.

Do I have to consent to sharing my NDIS Plan with my NDIS Provider?

No. While information contained in your NDIS Plan can help NDIS Providers understand your needs better, it is your choice whether you share your NDIS Plan with them. The National Disability Insurance Agency provides further information about sharing your NDIS plan on the NDIS website.

How do I ensure that NDIS Providers, the NDIS Quality and Safeguards Commission and the National Disability Insurance Agency keep my personal information confidential?

As a starting point, all organisations that collect personal information should have a Privacy Policy. Don’t be afraid to ask your NDIS Providers for theirs. The National Disability Insurance Agency’s Privacy Policy is published on its website, as is the Privacy Policy for the NDIS Quality and Safeguarding Commission. Privacy Policies should explain the type of personal information an organisation collects, how and why it is collected and how it is used.

Participant Resources

  • Brochure: What is consent?

    This brochure has been developed to support NDIS Providers, NDIS Participants and their supporters to understand what consent is and the importance of obtaining consent when providing NDIS supports and services.

    Download File:

    Please select the following fact sheet:

    Download
  • Factsheet: The Importance of Consent

    This resource has been developed through a co-design process with NDIS Participants. It is designed to be an easy reference for NDIS Participants to understand what consent is and what their role and their NDIS Provider’s role is in providing and asking for consent. It provides NDIS Participants with key questions to ask when being asked to provide consent. NDIS Providers can give this resource to NDIS Participants along with other materials they use to explain privacy, confidentiality and consent, including their Privacy Policy.

    Download File:

    Please select the following fact sheet:

    Download
  • Factsheet: What My Right to Privacy Looks Like in Practice

    This resource has been developed through a co-design process with NDIS Participants. It is designed to help NDIS Participants understand what Privacy Policies are, what to look for when being asked to provide their personal information and what they can do if their privacy is breached. NDIS Providers can give this resource to NDIS Participants along with other materials they use to explain privacy, confidentiality and consent, including their Privacy Policy.

    Download File:

    Please select the following fact sheet:

    Download
  • Brochure: What is Consent?

    This brochure has been developed to support NDIS Providers, NDIS Participants and their supporters to understand what consent is and the importance of obtaining consent when providing NDIS supports and services.

  • Spotlight: Privacy and Confidentiality

    This video discusses Nigel’s lived experience surrounding supporting privacy and confidentiality as an NDIS Participant.

  • Watch video: Spotlight: Privacy and Confidentiality
  • Spotlight: My Confidentiality was Breached

    This video reviews Cody’s lived experience as an NDIS Participant who had his confidentiality breached.

  • Watch video: Spotlight: My Confidentiality was Breached

Providers

The NDIS Code of Conduct requires NDIS Providers to respect and uphold the privacy of their NDIS Participants throughout their daily operations. All Registered NDIS Providers are also required to adhere to and present evidence that they comply with the privacy requirements outlined in the Core Module of the NDIS Practice Standards.

To support this, NDIS Providers must have information management and storage processes in place that support secure record storage and promote the privacy and confidentiality of NDIS Participants. Furthermore, NDIS Providers must also have processes that ensure NDIS Participants’ consent is obtained, documented and most importantly, respected.

Provider FAQs

Can I share NDIS Participants' personal information with other businesses or advisors (such as consultants, accountants, lawyers, etc.)?

Only with the NDIS Participant’s consent. Even if you are comfortable sharing your business’ confidential information with third parties, this does not mean that NDIS Participants’ personal information is an automatic extension of this.

But doesn't consent provided in an NDIS Participant's Service Agreement or at their initial intake interview cover this?

It depends on what that consent was for. When consenting to providing personal information, NDIS Participants should be told what information is required, what it is for, how it will be used, who it will be shared with and how it will be stored. If they consent, they are consenting to the specific terms that have been advised to them. If any of these parameters change, new consent must be obtained.

Note that it is also best practice to revisit consent every 12 months, or at regular reviews, to ensure that NDIS Participants’ consent remains valid.

Can I share de-identified data?

When personal information has been appropriately de-identified, it is no longer considered personal information and therefore isn’t subject to Privacy legislation in the same way. However, it is still best practice to advise NDIS Participants in consent discussions and on consent forms if you intend to share their de-identified information. More information about de-identification (and how to do this appropriately) is provided on the Office of the Australian Information Commissioner’s website.

Provider Resources

  • Brochure: What is consent?

    This resource has been developed to support NDIS Providers, NDIS Participants and their supporters to understand what consent is and the importance of obtaining consent when providing NDIS supports and services.

    Download File:

    Please select the following fact sheet:

    Download
  • Infographic: The Dos and Don'ts of Information Storage

    This resource has been designed to be a quick reference guide for NDIS Providers regarding information storage. It covers best practice methods of storing, transporting and disposing of information as well as methods which business should avoid. It can be displayed in service delivery environments as an easy reference for staff.

    Download Files:

    Please select from the following 2 posters:

    Download A3 Download A4
  • Factsheet: How to Write a Case Note

    This resource has been developed to support NDIS Providers to record case notes in alignment with best practice documentation processes and includes a practical example of how to write a case note. It can be used as a training and reflection resource for staff.

    Download File:

    Please select the following fact sheet:

    Download
  • Guide: What is Confidential Information?

    This guide provides an easy reference point for NDIS Providers, to help them identify what information is considered confidential. It can be provided to staff for their reference and also used as a training resource.

    Download File:

    Please select the following fact sheet:

    Download
  • Online Activity: Privacy, Consent and Record Keeping

    Test Your Knowledge regarding your responsibilities around privacy, consent and record keeping as an NDIS Provider supporting NDIS Participants. This resource can be used as a training and reflection tool for staff.

    Download File:

    Please select the following quiz:

    Take Quiz
  • Breaking Confidentiality

    This video examines NDIS Providers’ responsibilities when they are required to break confidentiality or when they find out someone has breached an NDIS Participant’s privacy.

  • Watch video: Breaking Confidentiality
  • Records Storage and Management

    This video looks at NDIS Providers’ responsibilities regarding storing and managing records.

  • Watch video: Records Storage and Management
  • The Wrong Way to Discuss Confidential Information

    This animation highlights the wrong way to discuss NDIS Participants’ confidential information.

  • Watch video: The Wrong Way to Discuss Confidential Information
  • The Right Way to Discuss Confidential Information

    This animation showcases the right way to discuss NDIS Participants’ confidential information.

  • Watch video: The Right Way to Discuss Confidential Information