Privacy, Confidentiality, and Duty of Care Policy Statement
Introduction and Purpose:
Recovery Oriented Services (ROS) is fully committed to protecting participants’ privacy and confidentiality while delivering high-quality, safe support services in line with our duty of care obligations. This policy outlines how ROS collects, uses, stores, and discloses personal information in compliance with Australian laws – including the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles, the NDIS Act 2013, and the NDIS Quality and Safeguards Framework. It applies to all staff, volunteers, and contractors of ROS, and to all participants and their personal information. We acknowledge every individual’s right to privacy and dignity, while recognizing that some personal details must be collected and managed to provide safe, effective services and meet our legal duty of care to participants. All ROS personnel are educated on these obligations and must adhere to this policy as a condition of their role.
Scope: This statement covers all forms of information (written, electronic, photographic, audio/visual) obtained or created through ROS services. It addresses how we handle personal and sensitive information, including specific scenarios such as use of images/videos, participant feedback, and information sharing with third parties. It also details procedures for staff training in confidentiality, emergency disclosures under duty of care, and how participants can access or control their information. The goal is to ensure transparency, legal compliance, and trust, so participants understand how their information is protected and can make informed choices about its use.
Definitions – Personal and Sensitive Information
Personal Information: Under Australian law, personal information is defined as “information or an opinion, whether true or not, and whether recorded in material form or not, about an identified or reasonably identifiable individual”. In a service context, this includes any details that can identify you. Examples of personal information include your name, date of birth, address, phone number, email, photographs, and recorded opinions or notes about you. All such information is treated with strict confidentiality by ROS.
Sensitive Information: Sensitive information is a special subset of personal information that is afforded a higher level of protection under the Privacy Act. It includes details about a person’s racial or ethnic origin, health or medical information, disabilities, genetic or biometric data, religious or philosophical beliefs, sexual orientation, political opinions or affiliations, criminal record, or membership of a professional/trade association or trade union. For example, information about your health conditions, therapy reports, cultural background, or religion would be considered sensitive. ROS will only collect and use sensitive information with your consent and when absolutely necessary for your support, or if required by law. We take extra care to secure sensitive data and limit access to it.
Confidential Information: In this policy, “confidential information” refers broadly to any information about participants, staff, or ROS operations that is not publicly available. This includes all personal and sensitive information defined above, as well as ROS business records, service plans, evaluations, reports, and any other information that you reasonably expect to be kept private. ROS treats all such information as confidential. We will not disclose confidential information to anyone outside ROS unless we have your consent or a lawful obligation to do so (as detailed in this policy). All staff are required to sign a Privacy and Confidentiality Agreement and are trained to handle confidential documents and data safely.
Use of Images and Video
ROS recognizes the need to use participant images or video recordings in certain service contexts, but we place strict limits on their use to protect your privacy and dignity. Photos or videos of participants will never be used or shared outside ROS without the participant’s informed consent. Below we outline the specific categories of image/video use:
- Internal Service Delivery (Identification & Record-Keeping): ROS may request a participant’s photograph or make video/audio recordings for internal purposes such as confirming identity, creating a participant profile in our secure case management system, or recording sessions for case notes. These images/videos are used only within ROS by authorized staff for service delivery and verification processes. They are stored securely and are not published or shared externally. (For example, a profile photo might be used by support staff to recognize a participant at appointments). Internal use of images is considered part of normal service records and is covered by our general service consent agreement.
- External Media and Promotion: ROS will not use any participant’s image or video in external communications (such as on our website, social media, newsletters, or marketing materials) without obtaining explicit, opt-in consent from the participant or their representative for that specific purpose. If you choose to give consent, ROS may include your photo or video in positive stories or promotional media to highlight services (e.g. a success story on our Facebook page or brochure). This is entirely voluntary – declining consent for external media will not affect your services in any way. We respect that many individuals prefer not to have their image public, and by default ROS will not share identifying images in any external forum without your agreement.
- Staff Training or Education: Occasionally, ROS may wish to use photos or video recordings from support sessions for internal staff training, quality improvement, or educational purposes (for example, to train new support workers or to demonstrate techniques in workshops). In such cases, we will either use anonymous materials (faces blurred or identity details removed) or obtain consent from the participant before using the footage. Any images/videos used for training are shown only to ROS staff or allied professionals in closed sessions – never released publicly. This helps us improve services while safeguarding your confidentiality. If you do not want any recordings of your sessions used even internally for training, you may withhold consent and ROS will fully respect that choice.
ROS ensures that all images and videos are handled in accordance with privacy laws and this policy. Even with consent, we take steps to protect dignity (e.g. using first names or pseudonyms only, and providing context so as not to be misinterpreted). Participants can change their mind about image use at any time – if you revoke consent, we will cease any future use of your images/videos in the specified category.
Use of Personal Information
ROS collects personal information only for purposes that are necessary to deliver supports and operate as an NDIS service provider. We adhere to the principle of minimum necessary use – using your details only for the reasons they were collected, and only sharing them with those directly involved in your support or as legally required. Below are the main contexts in which we use or share participants’ personal information:
- Core Service Delivery and Administration: This covers the basic use of your personal information to plan and provide your supports. For example, ROS will use details like your name, contact information, date of birth, NDIS number, goals, and support needs to arrange services and ensure you receive appropriate support. We also use personal information for scheduling staff, managing bookings, developing support plans, reporting progress, and handling billing or NDIS funding claims. All such use is internal to ROS or with relevant service partners as needed to deliver the services you have agreed to. Personal records are stored securely (in locked files or encrypted systems), and access is limited to ROS team members who require the information to perform their role. We will not disclose your personal information outside ROS for any unrelated purpose without consent. For instance, we will not give out your contact or health details to other clients or external parties for marketing or any other reason not related to your care.
- Healthcare Coordination: If your ROS services include clinical or health-related support (for example, nursing coordination, therapy support, or liaising with medical professionals), we may need to share relevant personal information with your healthcare providers. This could include sharing your support plan, progress notes, or specific health information with your general practitioner (GP), specialist doctors, psychologist, therapist, or other allied health professionals involved in your care. The purpose is to ensure integrated, safe healthcare – for example, informing your doctor about support strategies or any concerning observations, or getting input from a psychologist to better tailor our services. ROS will only share what is necessary for your care, and usually with your knowledge and consent. We ensure any health information is transferred securely (using encrypted email or secure portals where available). In urgent situations (e.g. a medical emergency), we may provide vital information to medical staff to protect your life or health, in line with our duty of care.
- Referrals to Other Services: With your permission, ROS can share your information with external services or professionals when transitioning or referring you to additional supports. For example, if we help you connect with a community program, another support provider, a Local Area Coordinator (LAC), or a specialist service, we can (with consent) forward relevant information such as your support history, goals, or reports to streamline the referral. This avoids you having to repeat your story and ensures the new service understands your needs. We will discuss with you exactly what information will be shared and why. You have the right to refuse a referral or limit the information shared. By default, ROS will not send your personal details to any other provider or agency unless you agree or request it as part of your support plan.
- NDIS and Regulatory Bodies: As a registered NDIS provider, ROS may be required to share certain information with the National Disability Insurance Agency (NDIA) or the NDIS Quality and Safeguards Commission (the regulatory body) in specific circumstances. For instance, during an NDIS plan review or audit, we might need to provide service delivery reports or updates to NDIA. Similarly, if there is a reportable incident or compliance audit, the NDIS Commission or other authorized officials may request access to records. In all cases, ROS will only disclose the information mandated by law or regulation. We ensure such disclosures are done securely and to authorized personnel only. Under the NDIS Act, providers must report certain serious incidents and cooperate with audits – we will inform you if any personal information is to be shared with the Commission or NDIA, unless we are legally prevented from notifying you (for example, in some investigations). Beyond these requirements, ROS will not release personal data to any government or regulatory body without a proper legal basis. We also comply with any relevant State laws (such as child protection laws) that require information sharing to protect you or others from harm.
- Marketing Communications (Optional): ROS occasionally produces newsletters, brochures, or community updates to inform people about our services and successes. We do not include any participant’s identifiable information (such as full name, image, or story) in marketing or publicity materials without explicit consent. We may invite participants to share testimonials or success stories to inspire others, but this is completely voluntary. If you agree to participate, you will have control over how you are identified (you may choose to be anonymous or use a pseudonym) and what aspects of your story are shared. We will seek separate consent specific to the marketing use – for example, a consent form to feature your quote in a newsletter or to be interviewed for a case study. If you do not actively opt in, your information will not be used in any ROS marketing or external communications. ROS will never sell or give your personal details to external marketing agencies.
(Note: Basic operational communications from ROS to you, such as appointment reminders or satisfaction surveys, are considered part of service delivery and not marketing – those use your contact information per normal service consent. “Marketing Communications” here refers to using your info in materials visible to the public or other clients.)
Use of Quotes and Feedback
ROS values participants’ feedback and stories as a way to improve services and celebrate achievements. However, we handle any testimonials, quotes, or feedback from participants with great care for privacy. The following outlines how we may use your written or spoken feedback, and what choices you have:
- Testimonials and Participant Feedback: If you provide ROS with a testimonial, survey response, compliment, or other feedback about our services, we may wish to share your positive comments to highlight the impact of our work. This could include quoting your words in brochures, on our website, in ROS training materials, or annual reports. We will always seek your consent before publishing your testimonial or feedback beyond internal use. Typically, we will ask you to review and approve the quote or story and to specify how you would like to be identified (if at all). You have a right to decline having your feedback shared publicly. Internally within ROS, your feedback may be circulated among staff (with identifying details removed if you prefer) to acknowledge good practice or areas for improvement.
- Anonymous vs. Identified Quotes: When giving consent to use a quote or story, you can choose the level of identification. By default, we can publish feedback anonymously or with minimal identifying information – for example, using only your first name, age, and general location (“John, 45, Perth”) or a generic descriptor (“a participant from Perth”). This protects your identity while still allowing your voice to be heard. If you are comfortable being identified, you may allow ROS to use your full name and/or image alongside the quote, but this is completely up to you. We will record your preference in writing. Even if you initially consent to be identified, you can request an anonymous attribution instead, or withdraw consent entirely, before publication. ROS will never reveal sensitive personal details (e.g. specific health conditions or personal background) in a testimonial without explicit agreement on each detail.
- Platforms of Publication: We will clarify where and how your quotes or feedback might appear. Possible platforms include the ROS website, social media pages, printed newsletters or brochures, funding reports, or training and education manuals for staff. You will be informed which platform(s) your feedback will be used on, and we will not expand to other platforms without your permission. For example, if you consent to your quote being on our website, we would seek additional consent to also include it in a printed brochure. This ensures you are not caught off guard by seeing your words in a context you didn’t expect. ROS will also avoid using the same quote repeatedly over long periods – consent for testimonial use is typically treated as a one-time publication or campaign use, after which we would renew consent if we want to continue using it.
In summary, sharing your feedback is entirely voluntary and meant to amplify your voice. We appreciate any testimonials but will fully respect your choices on anonymity and platform. There is no impact on your services whether or not you agree to share a quote.
Third-Party Information Sharing
ROS will not release your personal information to third parties without your consent, except where required by law or necessary under the NDIS framework. With your consent, there are instances where sharing information with trusted third parties can benefit your care or is administratively needed. We outline key third-party groups below and how we handle information sharing in each case:
- NDIA and NDIS Commission: These are government bodies related to the NDIS. ROS may share information with the National Disability Insurance Agency (NDIA) for purposes such as managing your NDIS plan, funding approvals, or plan reviews. For example, NDIA planners might request service reports or goal progress updates to inform your plan review – we will provide those with the understanding that NDIA keeps them confidential as part of your official NDIS record. Similarly, ROS must report certain incidents or quality issues to the NDIS Quality and Safeguards Commission. This might involve disclosing incident reports or investigation outcomes to the Commission to ensure compliance with NDIS standards. Such disclosures will only include the necessary details and will typically be done under mandatory requirements (e.g. submitting a reportable incident within 24 hours as required by law). We will inform you (and your representative, if applicable) when such information is shared, unless prohibited by law. Consent for these regulatory disclosures is usually implied by your participation in NDIS (the NDIS Act allows the Commission/Agency to access information), but ROS will nonetheless handle these disclosures with care and transparency. We do not release any more information than is required, and we comply with Section 62 of the NDIS Act which makes unauthorized disclosure of NDIS participant information an offense.
- Healthcare Professionals: With your agreement, ROS will liaise with your doctors, therapists, or other healthcare professionals to coordinate your support. For instance, if you have a physiotherapist or mental health clinician, ROS support coordinators might share your support goals or relevant reports with them, and vice versa, to ensure everyone is working towards the same outcomes. We typically obtain your consent at service initiation (for example, in our intake form you might list approved contacts such as your GP or psychologist). Even with prior consent, ROS will limit information sharing to what is pertinent: e.g. discussing your progress, any incidents, or sharing our support plan document. In emergencies or situations where you cannot provide consent (e.g. you are unconscious and paramedics or hospital staff need info on medications or conditions), ROS may share vital health information to protect your life or health – this is permitted under privacy laws as a duty of care exception. Outside of emergencies, you remain in control – if you decide you no longer want us to communicate with a particular health provider, inform us and we will cease doing so.
- Family, Guardians, and Carers: Many participants choose to involve family members, close friends, or guardians in their support. ROS will only discuss or share your information with family members or unpaid carers that you have nominated and consented to be involved. During intake or planning, we will ask if there are people (e.g. a parent, sibling, adult child, or friend) with whom we can share updates or consult about your services. You can specify what level of information each person can receive – for example, you might allow ROS to talk openly with your mother about all aspects of your support, but only allow limited info to be shared with a friend who helps you occasionally. If you have a legally appointed guardian or nominee, ROS will include them as required by that legal arrangement (while still considering your wishes). Family/carer involvement might include: sharing monthly progress notes, inviting them to support plan review meetings, or notifying them in a critical incident (if appropriate). We respect your right to privacy in family matters – if you prefer that certain details (for example, about your health or personal life) not be shared even with your family, we will honor that. All family or carer communications are documented. You can change your mind about who is involved at any time by updating your consent preferences.
- Support Coordinators / Local Area Coordinators (LACs) / Case Managers: These are professionals who help coordinate your supports across providers. If you have a Support Coordinator (either ROS’s own or external) or an NDIS LAC, ROS will work with them to ensure services align with your NDIS plan. This can involve sharing service agreements, plans, progress reports, incident reports, and schedules with the coordinator. Typically, when ROS is your Support Coordinator, we already have your information internally. If your Support Coordinator is a different organization, we will share information with them based on your signed service agreement and consent (the NDIS plan usually lists them, and you would usually sign a consent allowing providers and coordinators to exchange info). The same applies for any case manager or advocate you’ve identified. The goal of this information sharing is collaboration – for example, notifying your Support Coordinator if you achieve a goal or if you need additional services so they can adjust your plan. We ensure such communications remain professional and on a need-to-know basis. Coordinators and LACs are also bound by privacy rules to protect your info. If you cease working with a particular coordinator, let us know so we can update our records and stop sharing information with them.
- Other or Future Service Providers: If you are transitioning to another provider or adding a new service (such as moving from ROS to a different support agency, or starting with a therapy provider), ROS can provide handover information to the new provider with your consent. This might include your support plan, recent progress notes, or behavioral support strategies that will help the new team continue quality care without interruption. We will typically coordinate a handover meeting or documentation transfer only with your request or approval. ROS does not automatically share your information with other providers on the assumption you might use them – we only do so as part of an active referral or transition process that you have agreed to. Similarly, if a future provider contacts us for information about you, we will verify that we have your permission (and that the request is legitimate) before responding. All transfers of records follow secure processes (encrypted email, password-protected files, or secure portals). If you are ending services with ROS, we can, at your request, provide you a summary of supports to share with others, rather than sending out your full file.
- Auditors and Quality Reviewers: ROS undergoes periodic audits and reviews as part of NDIS registration and quality assurance. Auditors (who may be from the NDIS Commission or accredited auditing bodies) might request to see a sample of participant files, policies, and even contact participants for feedback. As part of our quality system compliance, you will be informed that an audit is scheduled and what it means. We ask for participant cooperation, but it is your choice whether to participate in any direct interviews or surveys with auditors. If you do consent, auditors might review your records or talk to you to ensure ROS is meeting standards. They are bound by confidentiality and will not misuse your information. If you do not consent to be contacted, ROS will ensure auditors do not directly approach you. Auditors can still access de-identified data or general information from our files if required. ROS will release documentation to auditors only to the extent required by the audit scope (for example, showing proof of service delivery or policies). No participant information is given to quality reviewers or evaluators beyond the official audit teams and regulatory inspectors. We document consents regarding audits in our files. (Note: Some NDIS audits or verifications are mandatory for provider registration; ROS must comply, but we support participant rights during these processes.)
- External Media or Research Organizations: On occasion, ROS might be involved in external initiatives such as community awareness campaigns, research studies, or media stories about disability services. In such cases, no personally identifiable information will be shared with any external media, journalist, or researcher without the participant’s explicit written consent for that specific instance. If, for example, a local news outlet wants to interview a participant about their success with ROS, we would only facilitate this if the participant is willing and has signed a media consent form. Even then, we ensure the participant understands their rights (they can set boundaries on questions and can withdraw at any time). For research collaborations, any data shared would be de-identified unless you consent to identifying information. ROS evaluates each external request carefully with the participant’s privacy as the top priority. Simply put, unless you have agreed to be involved, ROS will not disclose your involvement in our services to outside media or third parties.
In all third-party sharing scenarios, ROS follows the rule: when in doubt, ask for consent. Our default position is not to share unless it clearly benefits the participant’s support or is legally required. We maintain a detailed record of consents given for information sharing, and these can be reviewed and updated by the participant at any time.
Procedures and Safeguards
ROS implements robust procedures to uphold privacy and confidentiality in practice. All staff and representatives are trained and monitored for compliance with this policy. Key procedures include:
- Staff Training and Confidentiality Agreements: All ROS employees, contractors, and volunteers undergo privacy and confidentiality training as part of their induction and on an ongoing annual basis. They are educated on their obligations under the Privacy Act and NDIS rules, including understanding what constitutes personal and sensitive information and how to protect it. Every staff member must sign a Privacy and Confidentiality Agreement (e.g. Form19) acknowledging these responsibilities. They agree not to access or disclose participant information unless it is required for their job and authorized. Regular refresher training is provided (covering topics like data security, respecting participant consent, and handling breaches). Breaches of confidentiality by staff can result in disciplinary action or termination, reflecting the seriousness of our duty to safeguard participant information. ROS also ensures that any partner agencies or subcontractors handling participant data have similar training and agreements in place.
- Data Security and Storage: We maintain strict controls to protect personal data from loss, misuse, or unauthorized access. Physical records (paper files) are kept in locked cabinets in secure offices accessible only to authorized personnel. Electronic records are stored in secure case management systems with password protection, encryption, and access controls (each staff member has individual login credentials and access is restricted based on role). We use up-to-date antivirus software, firewalls, and secure backup systems to prevent breaches. All access to personal information is logged and auditable. When personal information is no longer required, ROS disposes of it safely – paper records are shredded or incinerated, and electronic data is securely erased or anonymised in accordance with record-keeping laws. We also have a Data Breach Response Plan (consistent with the Notifiable Data Breaches scheme) to ensure prompt action if any data is lost or improperly accessed. Participants will be notified of any significant privacy breach affecting their information, and we would take all necessary steps to mitigate harm.
- Access to Information and Requests for Updates: Participants have the right to access the personal information ROS holds about them and to request corrections if something is inaccurate or out-of-date, as per APP 12 and 13. You may contact ROS at any time to request a copy of your records (some exceptions might apply for information that includes other individuals or if releasing it could cause serious harm, but we will explain these if relevant). ROS will respond to access requests in a reasonable timeframe and provide the information in a suitable format. Before releasing records, we will verify your identity to ensure we don’t give your data to the wrong person. If you identify any errors in your information, inform us and we will promptly amend our records and inform any third parties who received incorrect information (if necessary). You also have the right to ask for explanations of any entries in your file. Participants have the right to opt out of providing certain information or consent if they do not feel comfortable. For example, you can decline to answer particular questions on an intake form (though be aware this might affect service planning) or refuse consent for optional information sharing. ROS will also accommodate participants who use pseudonyms or wish to remain anonymous in certain contexts, where practical. We document any refusal to provide information. Choosing to withhold some information will be respected, and we will discuss any implications for service quality or safety. In summary: you control your information – you can see it, change it, or withhold it within the limits of law and service requirements.
- Consent Management and Withdrawal: Upon commencing services, participants (or their guardians) are asked to give consent for various uses of their information as outlined in this policy. This includes signing service agreements or consent forms that cover routine uses (like sharing with health professionals or NDIA as needed). We understand that consent is an ongoing and dynamic process – you may withdraw or change your consent preferences at any time. If you initially consent to something (for example, being in a newsletter) and later change your mind, inform us and we will cease that use going forward. Withdrawing consent will not have negative repercussions on the supports you receive; it simply might limit our ability to perform certain optional actions. ROS will update your records to reflect the withdrawn consent and communicate to relevant staff that certain information can no longer be used or shared in the way previously allowed. We provide easy ways to change your consent: you can fill out a new consent form, send an email to our office, or simply speak to your ROS coordinator, who will document your instruction. We may ask you to confirm important changes in writing for clarity. Your most current consent preferences will always be honored. (There are some legal exceptions – e.g. you cannot opt out of mandatory incident reporting – but for all discretionary uses, you have the final say.)
- Emergency or Required Disclosures (Duty of Care Exceptions): In rare situations, ROS may need to disclose personal information without your consent due to overriding legal or safety obligations. This may occur if: (a) there is an immediate threat to your life, health or safety, or to the public’s safety, and sharing information is necessary to prevent harm; (b) we are compelled by law to report certain information (for example, suspicions of child abuse, serious crime, or if we receive a court subpoena); or (c) a regulatory authority like the NDIS Commission exercises its legal power to require information. In such cases, ROS may disclose information to emergency services (police, ambulance), relevant government agencies, or other appropriate third parties strictly on a “need-to-know” basis. For example, if a participant is in a life-threatening situation, staff may share known medical information with paramedics. Or if a law enforcement agency lawfully requests information to prevent a serious crime, ROS will cooperate as required by law. Whenever an emergency or mandatory disclosure happens, ROS documents the details of what was shared, to whom, and why. We will also usually inform the participant or their next of kin afterwards (if it was not possible to obtain consent at the time) about the disclosure, unless informing them is prohibited or impractical. These actions are taken in accordance with our duty of care – we have an ethical and legal responsibility to act to protect individuals from serious harm, even if it means breaching confidentiality in that moment. Such disclosures are done in line with privacy principle exceptions allowed under the Privacy Act (e.g. in a ‘permitted general situation’ such as to lessen or prevent a serious threat to life, health or safety). ROS will never use this as a loophole to share information unnecessarily – it is only for genuine emergencies or legal mandates.
- Ongoing Monitoring and Compliance: ROS’s management regularly reviews our privacy and confidentiality practices to ensure compliance with legislation and to identify any improvements. We perform audits of file access, check that consent forms are up to date, and ensure old records are archived or destroyed properly. Feedback from participants regarding privacy is encouraged – if you have a concern that your privacy has been breached or not respected, you can raise a complaint with ROS management. We have a Complaint Handling Policy and will treat privacy complaints seriously, investigating and responding in a timely manner. If you are not satisfied with the handling of your information, you also have the right to escalate concerns to external bodies (such as the Office of the Australian Information Commissioner for privacy issues, or the NDIS Commission for provider issues). ROS aims to continuously improve its policies, and we will notify participants of any significant changes to this Privacy, Confidentiality, and Duty of Care Statement. Annual policy reviews ensure ongoing alignment with current laws (e.g. new data protection regulations or NDIS rules) and best practices.
By following the above procedures, ROS strives to create a safe environment of trust. We want participants to feel confident that their personal information is in good hands. Protecting your privacy is not just a legal requirement for us – it is central to treating you with respect and care.