1. What is the purpose of this Operational Guideline?
This Operational Guideline outlines the information handling obligations that apply to all staff, contractors and outsourced providers of the National Disability Insurance Agency (NDIA).
This Operational Guideline also provides guidance on how persons should collect, record, use and disclose protected information, and on the information handling considerations that apply in situations where there is a serious threat to life, health or safety.
2. What is the relevant legislation?
- Sections 4, 9, 26, 36, 50, 53-57, 60-68, 186-187 and 197(2) of the National Disability Insurance Scheme Act 2013 (NDIS Act);
- National Disability Insurance Scheme (Protection and Disclosure of Information) Rules 2013 (Protection and Disclosure of Information Rules);
- Sections 6 and 52(1) of the Privacy Act 1988 (Privacy Act);
- Archives Act 1983 (Archives Act);
- Australian Privacy Principles (APPs).
3. Principles relating to information handling
There are a number of general principles which guide all actions under the NDIS Act.
The following principle is particularly relevant to information handling:
- people with disability should have their privacy and dignity respected (section 4(10)).
The NDIS Act governs the collection, recording, disclosure and use of protected information by all people, including contractors, outsourced partners and others who deal with protected information (i.e. not just NDIA staff).
This is because the privacy obligations and criminal sanctions in the NDIS Act apply 'to a person' who deals with protected information. Therefore, references to 'NDIA staff' in this Operational Guideline extend to any person who deals with protected information.
The NDIS Act allows NDIA staff to properly perform their duties. A person does not commit an offence if the person is authorised by the NDIS Act, or required by the NDIS Act, to collect, record, disclose or use protected information.
The NDIS Act contains a number of criminal offences for the unauthorised collection, use, accessing and recording of protected information. There are strict controls in the NDIS Act and the Privacy Act that relate to how NDIA staff collect, use, disclose and record information that identifies, or is about, a person.