How to respect and protect your NDIS participants’ privacy
If you’re delivering NDIS-funded services or supports to people living with disability, you already know about the NDIS provider privacy requirements – and no doubt take them seriously. But while it’s unlikely your staff would intentionally share private details about participants they’re supporting, it can sometimes be harder than you think to protect and respect people’s data and privacy. For example, someone could overhear personal details if support workers do a handover in a busy café.
NDIS provider privacy requirements – the essentials
Under the NDIS Code of Conduct, the second principle notes that providers and workers who are delivering NDIS supports and services must ‘Respect the privacy of people with disability’.
The Code points out that privacy is a human right. This right applies to privacy around the gathering, use and disclosure of information about people receiving NDIS services, as well as the services they receive.
NDIS providers must comply with rights related to privacy as set out in the Commonwealth Privacy Act 1988 and relevant State or Territory privacy laws. This includes:
Ensuring no personal information about individuals receiving your services is disclosed to others without the individual’s informed consent. Personal information is ‘information or an opinion about a person whose identity can be determined from that information or opinion’, such as an individual’s name, address, or details about their disability.
Respecting and protecting the privacy of everyone who receives supports and services from your organisation.
Ensuring you manage your clients’ health information in accordance with relevant privacy laws.
Implementing policies and procedures to ensure you manage people’s information in accordance with privacy laws and making sure your workers understand those policies and procedures.
Clearly explaining to the people you’re supporting (and your workers) the important details about the information you’re collecting, including what type of personal information will be gathered, why, how it will be used and secured, and how to make a complaint should they feel you have breached your privacy obligations.
It’s important to note that there are some circumstances under which NDIS providers should disclose personal information without consent from the individual involved, such as mandatory reporting requirements relating to child protection and incidents of violence, exploitation, neglect and abuse, and sexual misconduct.
Why privacy matters for NDIS providers and participants
People seeking support and healthcare services through the NDIS are entering a vulnerable situation. For example, they typically need to disclose highly personal details about their health, disability and family circumstances. They are allowing people they don’t know personally to enter their homes and may have a support worker undressing, showering, or toileting them. Situations like these require a high level of trust.
NDIS participants and their families should have peace of mind that the workers supporting them have their dignity and privacy front of mind. Any actual or perceived breach of this privacy will understandably upset the participant and could lead to a complaint about your service (or the worker involved), and even legal action.
Tips to help make sure everyone stays compliant
As we mentioned earlier, staying compliant might seem simple. But it’s not uncommon to hear of situations where an NDIS participant’s privacy has been breached, albeit unintentionally. For example, a laptop containing confidential information could be stolen from your vehicle, a visiting tradesperson might see health details on a chart at the client’s home, or a staff member might accidentally send a group email with all addresses visible in the ‘To’ field rather than hidden in the ‘Bcc’ field.
Here are some tips to help ensure everyone on your team complies with NDIS provider privacy requirements.
Have discreet discussions
Discussing a client’s needs and relaying important information about changes in health status or an incident that occurred during a shift are key aspects of quality care management. However, it’s vital that sensitive information only reaches the ears of those meant to hear it. To limit the risk of breaching client privacy, aim to:
Conduct handovers and other meetings where private information is being discussed in a private place, such as the client’s home or your office.
Be mindful of who else might be able to hear your conversation. For example, a contractor conducting a job in your workplace could potentially overhear personal details being discussed in a meeting or phone call.
For on-the-road conversations, avoid crowded cafés and similar places. It can be lovely for support workers to share a coffee while talking about client care, but a takeaway at a quiet park could be a better option than a busy food court.
Mobile phones are the go-to for communicating these days. Be careful about the details you share when using your phone in public.
Private eyes – document discretion
Documentation is an essential part of running an NDIS business, and it’s vital nobody lays eyes on documents containing private details apart from the people who have permission to access them. To help you maintain document security, ensure that:
Any paper files are securely stored, such as in locked cabinets in your office.
Documents stored online (in applications such as Dropbox, Google Drive or Microsoft OneDrive) are protected with encryption as well as strong password protection.
You use a secure system to share any documents containing personal information with people outside your organisation (such as sending reports to NDIS care coordinators or plan managers).
Extra care is taken with documents that go on the road with you or your support workers. If a vehicle gets broken into or stolen, for example, you could lose laptops or paper files containing private information about your NDIS participants.
See Business.gov.au for further information about protecting your customers’ privacy.
Cybercrime is an important consideration for any business, and especially so where private information could get into the wrong hands. See Business.gov.au for more information about protecting your business from data breaches and other cybersecurity threats.
How NDIS software can help you stay compliant
One easy way to help ensure your business remains compliant with NDIS provider privacy requirements is to use quality NDIS software. ShiftCare, for example, is a cloud-based solution, so all private details are securely stored on an AWS (Amazon Web Services) server located in Australia. AWS powers some of the most secure tech platforms, such as Facebook, minimising the risk of data breaches.
Your staff can communicate using the mobile app, which securely connects your team, coordinators, clients and their families. This minimises the risk of private information being overheard in public places, as could happen with a typical phone call.
ShiftCare also allows support workers to quickly and easily write progress notes and share them with relevant team members, ensuring important information is conveyed while maintaining participant privacy.
Try ShiftCare today – you can even create your own template for progress notes!