FULL SPECTRUM PRIVACY POLICY


1. Our Commitment to Your Privacy

[Company Name] provides registered NDIS disability support services. We are bound by the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and the NDIS Quality and Safeguards Commission standards. We manage all personal and sensitive information under the objective "fair and reasonable" test to ensure your data is processed ethically, securely, and transparently.


2. Collection of Personal and Sensitive Health Information

To provide safe, effective, and tailored disability support services, we must collect:

Personal Information: Names, dates of birth, contact details, emergency contacts, and NDIS plan details.


Sensitive Health Information: Detailed medical histories, diagnoses, support requirements, medication schedules, and behavioural support plans.


Behavioural & Risk Indicators: Information regarding mental health conditions, triggers, or historical behaviours that may present a risk of harm to the client, our staff, or members of the public.

3. Lawful Basis and Purpose of Collection (WHS Integration)


We collect this data for two primary reasons:

Core Service Delivery: Fulfilling our service agreements and ensuring support workers understand your clinical and daily care needs.


Workplace Health & Safety (WHS): Meeting our statutory duty of care under Australian Work Health and Safety laws to protect our mobile support workers when entering private residences.


Important Disclosure Notice: Knowing if a client has an active mental health condition or behavioural trigger that could result in escalating behaviours or violence is reasonably necessary to perform risk assessments, implement positive behaviour support strategies, and ensure worker safety.


4. Strict "Need-to-Know" Internal Disclosure & Centralization

Centralized Point of Truth: All client communications, shift notes, medical logs, and incident reports are stored in a singular, secure, centralized corporate database.


Role-Based Restrictions: Sensitive health and behavioural data are restricted on a strict "need-to-know" basis. Only the specific support workers rostered to a client's home visit are granted temporary, secure mobile access to that individual's behavioural support and risk assessment plans. Staff not assigned to your care cannot view this information.


Staff Communication: All operational communication between support workers and management must occur through our secure, encrypted corporate platform—never through unencrypted personal SMS, WhatsApp, or personal email accounts.

5. Data Retention, Minimisation, and Secure Destruction


We only retain information required to fulfill NDIS auditing standards and clinical compliance obligations.

In accordance with NDIS and state-based health record laws, client files are securely archived for a minimum of 7 years after service cessation (or longer if the participant was a child at the time of care).


Once records exceed their statutory retention period, they are permanently destroyed using enterprise-grade electronic wiping or certified physical shredding.


6. Notifiable Data Breaches (NDB) Scheme

We maintain an active Data Breach Response Plan. Because we hold sensitive health and behavioural data, any unauthorized access or data leak is treated with the highest severity. If a breach occurs that is likely to cause serious harm to a participant, we will immediately notify the affected individuals and the Office of the Australian Information Commissioner (OAIC).


7. Complaints and Feedback

If you believe your privacy has been compromised, you can lodge a formal complaint with our Privacy Officer at info@fullspectrumsolutions.com.au. If you are dissatisfied with the outcome of our internal 30-day resolution process, you may escalate the matter directly to the NDIS Quality and Safeguards Commission or the OAIC.


Part 2: Software Infrastructure Recommendations

To legally enforce the centralized storage and strict "need-to-know" access rules outlined in your policy, you must not rely on generic tools like Google Drive, personal WhatsApp groups, or paper notes. You need a dedicated, compliant software stack.

1. Core NDIS Care Management Platform (The Central Point)


You require an industry-specific Client Management System (CMS) tailored to Australian NDIS provider compliance.

Compliant Options: ShiftCare, Splose, CareVision, or Lumary.


Why you need it: These platforms serve as your single centralized point. They feature Role-Based Access Control (RBAC). When a manager assigns a staff member to a shift, the software automatically unlocks that specific client's files (including behavioural risk notes) on the worker's mobile app. Once the shift ends, or if the worker is deregistered, their access to those records is automatically revoked.


2. Secure Staff Communication

Support workers often need to message management or swap notes about a client's mood or health changes.

Compliant Options: The built-in secure messaging features within your chosen NDIS CMS (e.g., ShiftCare's shift notes) are best. If external chat is required, use enterprise-governed tools like Microsoft Teams or Slack Enterprise tied to corporate email addresses.


Why you need it: If staff use standard SMS or WhatsApp, sensitive health logs sit on their personal mobile devices indefinitely. If their phone is lost or stolen, it constitutes an instant, mandatory-reportable data breach under the NDB scheme. Enterprise tools allow you to remotely wipe data and control message retention.

3. Identity and Endpoint Device Security


Because staff are accessing a centralized platform from their mobiles out in the field, you must lock down those entry points.

Mandatory Controls: Turn on Multi-Factor Authentication (MFA) across all software accounts.


Mobile Device Management (MDM): Use a tool like Microsoft Intune or Miradore on worker phones to ensure that if a support worker loses their phone, management can instantly wipe the corporate data and log them out of the centralized system remotely.


4. Incident & Risk Assessment Logging

Your platform must support separate, restricted fields for tracking risk. While daily shift notes can be transparently read, specific WHS Risk Assessment logs regarding potential client violence should be siloed so that only trained, rostered staff and management can view them, preventing data leaks and maintaining participant dignity.
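The shift-scoped "need-to-know" rule from item 1 and the siloed risk-assessment fields from item 4 can be expressed as a single access decision. The following is an added illustration, not code from ShiftCare, Splose, CareVision, Lumary or any other product named above; the `Worker`, `Shift` and `can_access` names, the record types and the sample roster are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added illustration of shift-scoped, need-to-know access checks.
# Names, record types and the roster below are assumed for this example;
# they are not the API of any NDIS CMS mentioned in the text.

@dataclass(frozen=True)
class Worker:
    worker_id: str
    role: str                  # "support_worker" or "manager"
    active: bool = True        # False once offboarded / deregistered
    trained_pbs: bool = False  # trained in positive behaviour support

@dataclass(frozen=True)
class Shift:
    worker_id: str
    client_id: str
    start: datetime
    end: datetime

def rostered(shifts, worker_id, client_id, now):
    """True only while a shift for this worker and client is in progress."""
    return any(s.worker_id == worker_id and s.client_id == client_id
               and s.start <= now < s.end for s in shifts)

def can_access(worker, client_id, record_type, shifts, now):
    """Decide whether a worker may read a client record right now.
    shift_notes: any active worker rostered to this client (or a manager).
    risk_assessment: siloed; a rostered worker must also be PBS-trained."""
    if not worker.active:
        return False                       # access revoked on offboarding
    if worker.role == "manager":
        return True                        # management oversight
    if not rostered(shifts, worker.worker_id, client_id, now):
        return False                       # not assigned to this client now
    if record_type == "shift_notes":
        return True
    if record_type == "risk_assessment":
        return worker.trained_pbs
    return False                           # unknown record types are denied

# Constructed sample roster for demonstration only.
T0 = datetime(2024, 3, 4, 9, 0)
MID_SHIFT = T0 + timedelta(hours=1)
AFTER_SHIFT = T0 + timedelta(hours=3)
SHIFTS = [Shift("w1", "c42", T0, AFTER_SHIFT)]
ALICE = Worker("w1", "support_worker", trained_pbs=True)
BOB = Worker("w2", "support_worker")
MGR = Worker("m1", "manager")
```

Calling `can_access(ALICE, "c42", "risk_assessment", SHIFTS, MID_SHIFT)` returns True, while the same call at `AFTER_SHIFT`, or for `BOB` (not rostered), returns False.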



5. Digital Privacy, Website Use, and Cookies


1. Cookies & Tracking Pixels (Crucial for Health Services)

The OAIC strictly regulates how websites track users. If your website uses standard analytics (like Google Analytics) or advertising pixels (like a Meta Pixel), you are tracking user behaviour. Because you are a disability support service, someone browsing your site might be looking up specific intellectual, mental, or physical disabilities.


The Law: The OAIC states that tracking pixels can inadvertently collect sensitive health inferences. You must declare what you track and give users instructions on how to turn it off.


2. Website Enquiry & Intake Forms

If you have a "Contact Us" or "Check NDIS Eligibility" form on your website, you are collecting data digitally. Your policy must state that information sent through website forms is moved into your secure centralized database and is treated with the same strict confidentiality as physical intake forms.


3. Automated Decision-Making (ADM) — New Regulatory Requirement

Under recent Australian privacy overhauls, if your website or internal software uses automated tools to filter clients, screen worker applications, or automatically match a worker to a participant based on automated risk profiling, you must legally state this in your privacy policy.


4. Third-Party Portal Links

Your website likely links out to external platforms—such as the official NDIS Myplace portal, your software provider’s login screen (e.g., ShiftCare/Splose), or social media. You must include a "Third-Party Links" disclaimer so you aren't legally liable for the privacy practices of websites outside your control.


5. Cookies and Analytics

Our website uses "cookies" and similar tracking technologies (such as anonymous identifiers and tracking pixels) to improve your browsing experience and analyze web traffic.


What we track: When you visit our website, our servers automatically record basic technical data, including your IP address, browser type, the pages you visit, the date and time of your visit, and the website that referred you to us.


No Sensitive Tracking: We do not use cookies to collect personal health information or identify individual users unless you voluntarily submit your details through an online form.


How to Opt-Out: You can configure your internet browser to refuse cookies or alert you when cookies are being sent. However, please note that some parts of our website or booking portals may not function correctly if cookies are disabled.


6. Information Submitted Through Web Forms

If you complete an online enquiry form, request a callback, or submit a preliminary intake assessment on our website, we collect the personal details you provide (such as your name, email, phone number, and NDIS goals).


This information is transmitted securely and integrated directly into our centralized, role-based database. It is only shared internally with the intake managers and support staff necessary to respond to your request.


7. Substantially Automated Decision-Making

We do not use fully automated systems or AI algorithms to make definitive decisions that significantly impact your NDIS care or rights.


If you use software to match staff: "We utilize centralized scheduling software to recommend the best support worker for a participant's home visit based on availability, language, and specific safety risk profiles. However, all final scheduling and risk mitigation decisions involve direct human review by our management team."


8. Third-Party Links and Portals

Our website may contain links to external web platforms, including government portals (like the NDIS Quality and Safeguards Commission) and third-party software logins. We are not responsible for the privacy practices or security of external sites. We encourage you to read the privacy policies of any third-party platform you interact with.


9. Accessing and Correcting Your Information

Your Rights: Individuals have a legal right to request access to the personal information we hold about them and to request corrections if that data is inaccurate or out of date.


Process: Direct requests in writing to the Privacy Officer at info@fullspectrumsolutions.com.au.


Timeline & Fees: Access is provided free of charge, though a reasonable administrative fee may apply for complex historical retrievals. We respond to all requests within a reasonable legislative timeframe (maximum 30 days).


Refusal Grounds: If access is legally refused (e.g., due to the privacy rights of another individual), a clear written explanation of the refusal and the available paths for appeal will be provided.