1. What is the purpose of this Operational Guideline?

This Operational Guideline outlines the information handling obligations that apply to all staff, contractors and outsourced providers of the National Disability Insurance Agency (NDIA).

This Operational Guideline will also provide guidance on how persons should collect, record, use and disclose protected information, as well as the information handling considerations in situations where there is a serious threat to life, health or safety.

The information in this guideline should be read in conjunction with the NDIA Privacy Policy.

2. What is the relevant legislation?

3. Principles relating to information handling

There are a number of general principles which guide all actions under the NDIS Act.

The following principle is particularly relevant to information handling:

  • people with disability should have their privacy and dignity respected (section 4(10)).

4. Overview

The NDIS Act governs the collection, recording, disclosure and use of protected information by all people, including contractors, outsourced partners and others who deal with protected information (i.e. not just NDIA staff).

This is because the privacy obligations and criminal sanctions in the NDIS Act apply 'to a person' who deals with protected information. Therefore, references to 'NDIA staff' in this Operational Guideline extend to any person who deals with protected information.

The NDIS Act allows NDIA staff to properly perform their duties. A person does not commit an offence if the person is authorised by the NDIS Act, or required by the NDIS Act, to collect, record, disclose or use protected information.

The NDIS Act contains a number of criminal offences for the unauthorised collection, use, accessing and recording of protected information. There are strict controls in the NDIS Act and the Privacy Act that relate to how NDIA staff collect, use, disclose and record information that identifies, or is about, a person.

5. General matters relating to information handling

5.1 What is protected information?

Protected information is defined in the NDIS Act to mean:

  • information about a person that is, or was, held in the records of the NDIA; or
  • information to the effect that there is no information about a person held in the records of the NDIA (section 9).

Given that the definition of protected information extends to information that 'is, or was' held in the records of the NDIA, protected information retains its secrecy after it is disclosed to a person outside the NDIA.

5.2 What is personal information?

Personal information is defined in section 6 of the Privacy Act to mean information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  • whether the information or opinion is true or not; and
  • whether the information or opinion is recorded in a material form or not.

In a practical sense, personal information is anything that can reasonably identify a person. Examples may include the person's name, address, date of birth, information about their illnesses and disability.

5.3 What is sensitive information?

The Australian Privacy Principles (APPs) use the term sensitive information, which can include information or an opinion about an individual's political opinions, religious beliefs, criminal record, sexual orientation and health information.

See also Privacy for further information on the APPs.

6. Privacy

6.1 How does the NDIS Act interact with the Privacy Act?

All individuals have the right to expect that their personal information is managed in accordance with the Privacy Act.

All NDIA staff are required to comply with the provisions of the NDIS Act that deal with protected information and the provisions of the Privacy Act that deal with personal information. Therefore, NDIA staff are required to comply with the provisions of both Acts.

It is important to note that there are situations where the NDIS Act does not closely reflect the APPs. These situations relate to the use and disclosure of personal and protected information. In these situations, the NDIS Act will generally prescribe the information handling requirements.

6.2 The Australian Privacy Principles (APPs)

There are 13 Australian Privacy Principles (APPs) contained within the Privacy Act. The APPs cover such things as collection, use, disclosure and storage of personal information. For the purposes of the Privacy Act, the NDIA is considered an 'APP entity' and so the APPs apply to the Agency and its staff.

These principles guide how the NDIA, including NDIA staff, handles personal information. This means that the NDIA has various obligations in relation to the personal information it holds.

The full list of APPs is also located at the Office of Australian Privacy Commissioner website.

The APPs most relevant to the NDIA are mentioned below:

6.2.1 APP 3 – collection of solicited personal information

Outlines when an agency or organisation can collect personal information that has been requested. It also provides guidance on the higher standards placed in relation to how sensitive information should be collected. For further information see collection of information.

6.2.2 APP 5 – notification of the collection of personal information

Outlines when, and in what circumstances an agency or organisation that collects personal information must notify an individual of certain matters. For further information see collection of information.

6.2.3 APP 11 – security of personal information

An agency or organisation must take reasonable steps to protect all personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. For further information see recording and storage of information.

7. Collection of information

The collection of information includes obtaining personal information and the recording and storage of that information. However, there are separate requirements which apply to recording information (see recording and storing information).

The unauthorised collection of information is an offence under the NDIS Act (section 61), and may also be a breach of the APS Code of Conduct (see criminal sanctions).

7.1 General power to collect information for the purposes of the NDIS Act

A person may collect protected information for the purposes of the NDIS Act (section 60(1)).

Collection of information will be for the purposes of the NDIS Act if:

  • it is authorised by the NDIS Act; or
  • it is required by the NDIS Act.

The collection of information is also taken to be for the purposes of the NDIS Act if the NDIA believes, on reasonable grounds, that it is reasonably necessary for one or more of the following purposes:

  • research into matters relevant to the National Disability Insurance Scheme (NDIS) (section 60(3)(a));
  • actuarial analysis of matters relevant to the NDIS (section 60(3)(b)); or
  • policy development (section 60(3)(c)).

Therefore, the NDIS Act expressly allows the NDIA to properly perform its functions, and a person does not commit an offence where they collect information, in the performance of their duties, which is for the purposes of the NDIS Act.

NDIA staff must consult with the Privacy Contact Officer where there is any doubt in relation to whether collecting information would be for the purposes of the NDIS Act.

7.2 General principles applicable to collecting information

When collecting personal information, the NDIA will seek to advise the person giving the information:

  • who is collecting the information;
  • the purpose for which the NDIA is collecting the information, as long as this does not unlawfully disclose information about another individual;
  • whether the information is likely to be passed onto others and, if so, who those other persons are;
  • the consequences to the person for not providing the NDIA with the information;
  • that the NDIA's Privacy Policy contains information about how the person can complain about a breach of the APPs by the NDIA, and how the NDIA deals with complaints; and
  • whether the NDIA is likely to pass on the information to overseas recipients, and if practical, the countries in which those recipients are likely to be located.

If information is not relevant or useful, the NDIA should not retain the information in its records. For example, if the NDIA asks to see a passport to confirm a person's identity it will only keep the photographic page in its records as there is no need to keep a copy of the entire passport.

Instead of keeping a full copy of documents the NDIA will consider:

  • noting the information needed from a document then returning the document;
  • blanking out irrelevant parts of the document when copying it; or
  • if using a document to identify a person, making a note that the document has been sighted, including the date it was sighted, rather than keeping a copy.

7.3 Powers to request information

The NDIS Act contains a number of information gathering powers which the NDIA can use to request or obtain information in certain circumstances.

7.3.1 Requesting information for the purposes of determining access

Once a prospective participant has made a valid access request, the NDIA may request:

  • that the prospective participant, or another person, provide information that is reasonably necessary for deciding whether or not the prospective participant meets the access criteria (section 26(1)(a)); or
  • that the prospective participant do either or both of the following:
  1. undergo an assessment and provide to the NDIA the report of the person who conducts the assessment (section 26(1)(b)(i)); or
  2. undergo a medical, psychiatric, psychological or other examination, conducted by an appropriately qualified person, and provide to the NDIA the report of the person who conducts the examination (section 26(1)(b)(ii)).

For further information see timeframes for deciding access requests and requesting further information or reports to inform the access decision.

7.3.2 Requesting information for the purposes of preparing and approving a participant's plan

For the purposes of preparing, or deciding whether to approve the statement of participant supports, the NDIA may request:

  • that the participant, or another person, provide information that is reasonably necessary for the purposes of preparing, or deciding whether to approve the statement of participant supports (section 36(2)(a)); or
  • that the participant do either or both of the following:
  1. undergo an assessment and provide to the NDIA the report of the person who conducts the assessment (section 36(2)(b)(i)); or
  2. undergo a medical, psychiatric, psychological or other examination, conducted by an appropriately qualified person, and provide to the NDIA the report of the person who conducts the examination (section 36(2)(b)(ii)).

See also requesting further information or reports to inform a participant's plan.

7.3.3 Requesting information for the purposes of reviewing a participant's plan

For the purposes of reviewing a participant's plan, the NDIA may request:

  • that the participant, or another person, provide information that is reasonably necessary for the purposes of reviewing the participant's plan (section 50(2)(a)); or
  • that the participant do either or both of the following:
  1. undergo an assessment and provide to the NDIA the report of the person who conducts the assessment (section 50(2)(b)(i)); or
  2. undergo a medical, psychiatric, psychological or other examination, conducted by an appropriately qualified person, and provide to the NDIA the report of the person who conducts the examination (section 50(2)(b)(ii)).

See also requesting further information or reports for the purposes of reviewing a participant's plan.

7.4 Authority to obtain information

The NDIA is authorised to obtain information for a number of purposes. These powers operate to compel (rather than request) that certain persons provide information to ensure the integrity of the NDIS, or to provide information from a person, or about a person who owes a debt to the NDIA.

7.4.1 Power to obtain information from participants and prospective participants to ensure the integrity of the NDIS

If the NDIA has reasonable grounds to believe that a participant or a prospective participant has information, or has custody or control of a document, that may be relevant to one or more of the matters below, the NDIA may require the participant or prospective participant to give the information, or produce the document to the NDIA (section 53(1)).

The matters are as follows:

  • the monitoring of supports funded for, or provided to, a participant (section 53(2)(a));
  • whether NDIS amounts paid to the participant or to another person have been spent in accordance with the participant's plan (section 53(2)(b));
  • determining whether the participant was not entitled to be paid NDIS amounts because of the misleading statements or fraud of any person (section 53(2)(c));
  • whether the participant or other person has complied with the requirement to acquit NDIS amounts (see obligations in relation to NDIS amounts) (section 53(2)(d)); and
  • whether the participant or prospective participant receives:
  1. supports or funding through a statutory compensation scheme or a statutory care or support scheme (section 53(2)(iii)); or
  2. any other disability or early intervention supports (section 53(2)(e)(ii)).

7.4.2 Power to obtain information from persons other than prospective participants and participants to ensure the integrity of the NDIS

If the NDIA has reasonable grounds to believe that a person other than a participant or a prospective participant has information, or has custody or control of a document, that may be relevant to one or more of the matters mentioned below, the NDIA may require the person to give the information, or produce the document to the NDIA (section 55(1)).

The matters are as follows:

  • whether a prospective participant meets the access criteria (section 55(2)(a));
  • whether a participant continues to meet the access criteria (section 55(2)(b));
  • whether a person purporting to act on a person's behalf for the purposes of the NDIS Act has the authority to do so (section 55(2)(c));
  • the preparation or review of a participant's plan (section 55(2)(d));
  • the monitoring of supports funded for, or provided to, a participant (section 55(2)(e));
  • whether NDIS amounts paid to the participant or to another person have been spent in accordance with the participant's plan (section 55(2)(f));
  • whether a participant or other person has complied with the acquittal of NDIS amounts (section 55(2)(g));
  • whether a participant receives:
  1. supports or funding through a statutory compensation scheme or a statutory care or support scheme (section 55(2)(h)(i)); or
  2. any other disability support (section 55(2)(h)(ii));
  • whether an applicant for approval as a registered provider of supports meets the criteria for approval (section 55(2)(i));
  • whether a registered provider of supports continues to meet the criteria for approval (section 55(2)(j)); or
  • for the functions of the NDIA (section 55(2)(k)).

If the NDIA requires a person other than a participant or a prospective participant to provide information to confirm the above matters, it must issue a written notice under section 55 of the NDIS Act (section 56(1)).

The notice issued to the person must specify:

  • the nature of the information or document that is required to be given or produced (section 56(2)(a));
  • how the person is to give the information or produce the document (section 56(2)(b));
  • the period within which the person is to give the information or produce the document to the NDIA (section 56(2)(c));
  • the NDIA staff member to whom the information is to be given or the document is to be produced (section 56(2)(d)); and
  • that the notice is given under section 56 of the NDIS Act (section 56(2)(e)).

The period specified in the notice must be at least 14 days from the day on which the notice is given (section 56(3)).

The notice may require the person to give the information by appearing before a specified officer to answer questions (section 56(4)).

If the notice requires the person to appear before an officer, the notice must specify a time and place at which the person is to appear. The time must be at least 14 days after the notice is given (section 56(5)).

It is an offence to refuse or fail to comply with a requirement to give information or produce a document under section 55 of the NDIS Act (section 57(1)).

However, a person will not commit an offence if they have a reasonable excuse (section 57(2)).

For example, it is a reasonable excuse for an individual to refuse or fail to give information or produce a document on the grounds that to do so might incriminate the individual or expose the individual to a penalty (section 57(3)).

7.4.3 Power to obtain information from a person, or about a person, who owes a debt to the NDIA

Where a person owes a debt to the NDIA, the NDIA can make a decision to require the person to:

  • give the NDIA information that is relevant to the person's financial situation (section 186(a));
  • produce to the NDIA a document that the NDIA has reasonable grounds to believe is in the person's custody, or under the person's control, and is relevant to the person's financial situation (section 186(b)); or
  • if the person's address changes, inform the NDIA of the new address within 14 days after the change (section 186(c)).

The NDIA can also require any person, other than the person who owes the debt, to give information or produce a document, if the NDIA has reasonable grounds to believe that the person has information, or has custody or control of a document:

  • that would help the NDIA locate another person (the debtor) who owes a debt to the NDIA under the NDIS Act (section 187(a)); or
  • that is relevant to the debtor's financial situation (section 187(b)).

If the NDIA requires a person who owes a debt to provide information, or requires a person to provide information about a person who owes a debt to the NDIA, the NDIA must issue a written notice to the person from whom the information is sought (section 188(1)).

The notice issued to the person must specify:

  • the nature of the information or document that is required to be given or produced (section 188(2)(a));
  • how the person is to give the information or produce the document (section 188(2)(b));
  • the period within which the person is to give the information or produce the document to the NDIA (section 188(2)(c));
  • the officer to whom the information is to be given or the document is to be produced (section 188(2)(d)); and
  • that the notice is given under section 188 of the NDIS Act (section 188(2)(e)).

The period specified in the notice must be at least 14 days from the day on which the notice is given (section 188(3)).

The notice may require the person to give the information by appearing before a specified NDIA staff member to answer questions (section 188(4)).

If the notice requires the person to appear before an officer, the notice must specify a time and place at which the person is to appear. The time must be at least 14 days after the notice is given (section 188(5)).

It is an offence to refuse or fail to comply with a requirement to give information or produce a document under sections 186 and 187 of the NDIS Act (section 189(1)).

However, a person will not commit an offence if they have a reasonable excuse (section 188(2)).

For example, it is a reasonable excuse for an individual to refuse or fail to give information or produce a document on the grounds that to do so might incriminate the individual or expose the individual to a penalty (section 188(3)).

7.5 Effect of State, Territory and Commonwealth laws on collecting information

Generally, a requirement under the NDIS Act to give information or evidence, or to produce documents, to the NDIA is not affected by State or Territory laws (section 58(1)).

However, a person is not required to give information, produce a document or give evidence to the NDIA for the purposes of the NDIS Act if:

  • the person would be prevented from doing so under a law of a State or Territory (section 58(2)(a)); and
  • the law of the State or Territory is prescribed by the Protection and Disclosure of Information Rules (section 58(2)(b)).

Also, the NDIS Act does not require a person to give information or produce a document to the extent that doing so would contravene a law of the Commonwealth (section 59(2)(b)).

7.6 Unsolicited information

Sometimes, the NDIA may receive personal information that is not necessary for, or related to, a purpose of the NDIA. This includes:

  • when people send information to the NDIA without being requested; or
  • when the NDIA requests information but a person provides more information than is required.

If this occurs, the NDIA must assess whether the NDIA could have collected the personal information under APP 3 had it requested such information.

7.7 Recording and storing information

NDIA staff who collect personal information from a participant, prospective participant, carer, nominee, provider of supports or other person are to make a record of the information.

NDIA staff should ensure:

  • information is recorded promptly;
  • information is accurate, up to date and complete;
  • a record of the information is made either by way of scanning (if in document form) or by summary (if in oral form); and
  • the record is made without unnecessary or misleading comment on the information.

An NDIA staff member who has possession or control of a record that contains personal information must ensure:

  • that the record is protected by reasonable security safeguards (such as use of strong passwords and not sharing the password with others), against misuse, interference, loss, unauthorised access, modification or disclosure; and
  • that if it is necessary for the record to be given to a person in connection with the provision of a service, everything is done to prevent unauthorised use or disclosure of the protected information contained in the record.

7.8 Deleting information collected under, or for the purposes of the NDIS Act

Under the Archives Act, the NDIA is not authorised to delete a Commonwealth record which details the business functions, activities and transactions of the NDIA.

This is particularly important where an NDIS decision is being reviewed as it is important that all information relating to that decision is retained by the NDIA for the purposes of the review process.

If, for example, a person asks for the deletion of information relating to their access request, the NDIA must advise that it is not permitted to delete any information, including material provided in support of the access request, because of the operation of the Archives Act.

In giving this advice, the NDIA should reassure the person that the NDIA adheres to strict obligations to protect information from misuse, interference, loss and from unauthorised access, modification and disclosure under both the Privacy Act and the NDIS Act.

The inappropriate or unlawful disposal of a Commonwealth record is an offence under the Archives Act.

8. Recording, disclosing and using information

The NDIS Act contains a number of specific authorisations that allow NDIA staff and other persons in lawful possession of protected information (for example, contractors, local area co-ordinators or providers of supports) to record, disclose to any person or otherwise use protected information to people outside the NDIA (section 60(2)).

The unauthorised disclosure and use of protected information is an offence under the NDIS Act (section 62), and may also be a breach of the APS Code of Conduct (see criminal sanctions).

8.1 General power to record, disclose and use information for the purposes of the NDIS Act

A person may make a record, disclose to any person or otherwise use protected information for the purposes of the NDIS Act (section 60(2)(d)(i)).

Making a record, disclosure or use of protected information will be for the purposes of the NDIS Act if:

  • it is authorised by the NDIS Act; and
  • it is required by the NDIS Act.

The recording, disclosure or use of protected information is also taken to be for the purposes of the NDIS Act if the NDIA believes, on reasonable grounds, that it is reasonably necessary for one or more of the following purposes:

  • research into matters relevant to the NDIS (section 60(3)(a));
  • actuarial analysis of matters relevant to the NDIS (section 60(3)(b)); or
  • policy development (section 60(3)(c)).

NDIA staff must consult with the Privacy Contact Officer where there is any doubt in relation to whether recording, disclosing or using information would be for the purposes of the NDIS Act.

8.2 Recording, disclosing and using information with the consent of the person to whom the information relates

The NDIS Act allows for the recording, disclosure or use of protected information when a person to whom the information relates requests or consents to the disclosure (express consent) or can be taken to have requested or consented to the disclosure (implied consent) (section 60(2)(d)(iii)).

When determining whether a participant has consented to the disclosure of protected information about them, it is important to remember that the consent can be in writing (such as an email) or provided orally (such as over the telephone or in a face to face meeting).

Where consent is given orally, NDIA staff must make a written record of that consent.

It is also possible that a participant can be taken to have given their consent where they agree to a course of action that requires the disclosure of their protected information. For example, a participant will be taken to have consented to the disclosure of their protected information to a service provider where the participant has requested they receive services from that service provider (i.e. during the development of the participant's plan) and disclosure is necessary to facilitate the provision of those services.

NDIA staff must contact the Privacy Contact Officer where they are considering whether to disclose a participant's protected information and are not sure whether the participant or their parent/guardian have consented to the disclosure.

NDIA staff must also ensure that any person receiving protected information understands the obligations on them to comply with information handling provisions of the NDIS Act.

8.3 Recording, disclosing and using information to prevent or lessen a serious threat to an individual's life, health or safety

The NDIS Act expressly allows for the recording, use or disclosure of protected information where a person believes on reasonable grounds that the making of the record, or the disclosure or use of the information, is necessary to prevent or lessen a serious threat to an individual's life, health or safety (section 60(2)(e)).

If the urgent disclosure of protected information is necessary to prevent or lessen a serious threat to an individual's life, health or safety, the NDIA will carefully consider the matter and proceed with the urgency required by the circumstances.

A serious threat to life, health or safety could arise when a person is subject to, or at risk of, harm, abuse, neglect or exploitation. Such threats could be physical or emotional, such that the person has suffered or is likely to suffer physical or psychological injury that jeopardises, or is detrimental to their wellbeing.

Harm, abuse, neglect or exploitation may also involve a reasonable likelihood of a person being killed, injured, abused or neglected by a person they live with, a person who has threatened to kill or injure them before or a person who has killed, abused or neglected another person in the past.

Whether a serious threat exists, and whether there are reasonable grounds to believe that the disclosure is necessary to prevent or lessen the threat to the individual's health, life or safety are questions of fact to be determined in the individual circumstances of each case.

Careful consideration and judgement is required, along with supporting evidence on which to form the belief required.

If time permits, NDIA staff must discuss the matter with the most senior person available and seek advice from the Privacy Contact Officer, particularly where it is unclear whether the disclosure would prevent or lessen a serious threat to an individual's life, health or safety.

All disclosures must be documented as soon as possible after the disclosure is made. The record should contain:

  • a copy of the protected information released or a record of any oral disclosures;
  • the circumstances of the release, including to whom, the method of release and the time and date; and
  • a clear description of the factual information which was relied on to demonstrate that the belief was based on reasonable grounds.

A copy of this information must also be provided to the Privacy Contact Officer as soon as possible after the disclosure.

9. Disclosing protected information in other circumstances

The NDIS Act also contains other provisions that specifically deal with the disclosure of protected information. The NDIS Act authorises the disclosure of protected information to people outside the NDIA in the following circumstances:

9.1 Disclosure in the public interest

The NDIA may disclose protected information when it certifies that the disclosure is necessary in the public interest in a particular case or class of cases (section 66(1)(a)).

Note, all requests for disclosures in the public interest are to be referred to the Privacy Contact Officer. NDIA staff should also refer to the Procedures for dealing with Public Interest Disclosures.

The Protection and Disclosure of Information Rules set out guidance with respect to disclosure that is necessary in the public interest. However, the guidance in the Rules is not intended to limit the circumstances in which the NDIA may give a public interest certificate under the NDIS Act (Rule 4.2 of the Protection and Disclosure of Information Rules).

The NDIA may give a public interest certificate for the disclosure of protected information if:

  • the information cannot reasonably be obtained from another source other than the NDIA; and
  • the person to whom the information will be disclosed has a sufficient interest in the information (rule 4.3 of the Protection and Disclosure of Information Rules).

A person has sufficient interest in the NDIS information if:

  • the NDIA is satisfied that, in relation to the purpose of the disclosure, the person has a genuine and legitimate interest in the information; or
  • the person is a Commonwealth, State or Territory Minister (rule 4.4 of the Protection and Disclosure of Information Rules).

In considering whether to give a public interest certificate, the NDIA should have regard to whether the person to whom the disclosure is to be made would be likely to be in a position to seek assistance themselves or give notice of their circumstances (rule 4.5 of the Protection and Disclosure of Information Rules).

Circumstances in which a public interest certificate may be provided are where disclosure is necessary for:

Where information is disclosed, the NDIA will provide the information to the recipient by the most secure method possible.

The NDIA must also explain to the recipient that the information is, and continues to be, protected information and that the information must not be disclosed further unless required to further the purposes of disclosure. For example, further disclosure may be necessary in cases where misinformation is to be corrected, or a missing person is to be located.

9.2 Disclosure to Heads of Agencies

The NDIA Chief Executive Officer (CEO) may disclose information to the Secretary of a Commonwealth Department, the Chief Executive (however described) of a State or Territory Department, or the head of an authority of the Commonwealth or of a State or Territory. The disclosure must be for the purposes of the Department to which the information is disclosed (section 66(1)(b)(i) and (v)).

The CEO may also disclose information to the Chief Executive of Centrelink for the purposes of a Centrelink program or to the Chief Executive of Medicare for the purposes of a Medicare program (section 66(1)(b)(iii) and (iv)).

Requests of this kind must be referred to the office of the CEO and the Privacy Contact Officer.

If the CEO decides to disclose protected information, the Privacy Contact Officer will make a record of:

  • the information that was disclosed;
  • the Secretary, Chief Executive (however described) or head of authority to whom the information was disclosed; and
  • where relevant, the purpose for which the disclosure was requested by the Secretary, Chief Executive (however described) or head of authority, or if the information was disclosed on the CEO's own initiative, the purpose for which the information was disclosed (rule 5.5 of the Protection and Disclosure of Information Rules).

9.3 Disclosure of information to participant's nominee

The NDIA may disclose protected information to a participant's nominee if the protected information:

  • relates to the participant (section 66(3)(a)); and
  • is or was held in the records of the NDIA (section 66(3)(b)).

10. Criminal sanctions may apply to people dealing with protected information

The NDIS Act contains a number of criminal offences for the collection, recording, disclosure and access of protected information. The offences carry a penalty of 2 years imprisonment or 120 penalty units and, in summary, relate to:

  • unauthorised collection of protected information (section 61);
  • unauthorised use or disclosure, including making a record of protected information (section 62);
  • soliciting the disclosure of protected information (section 63); and
  • offering to supply protected information (section 64).

The NDIS Act allows NDIA staff to properly perform their duties. An NDIA staff member does not commit an offence if the person is authorised, or required by the NDIS Act to collect, record, disclose or use the protected information.

The criminal offences in the NDIS Act are not limited to NDIA staff. They apply to all people, including contractors of the NDIA, as offences in the NDIS Act specifically apply to 'a person' who deals with protected information.

When protected information is disclosed to a person other than the NDIA, it still retains its relevant protections under the NDIS Act and the Privacy Act.

In addition, the provisions of the Privacy Act are enforced by the Office of the Australian Information Commissioner (OAIC). The OAIC has the power to make determinations in relation to privacy breaches, initiate investigations, impose sanctions (such as the payment of compensation) and the power to accept an enforceable undertaking from an APP entity.

Additionally, the OAIC may make an application to the Federal Court or Federal Circuit Court to make an order that an entity pay a civil penalty, where there has been a serious or repeated interference with privacy. It is up to the court to decide whether the entity has contravened the civil penalty provision and the appropriate penalty amount.

This page current as of
1 April 2019