6.1 How does the NDIS Act interact with the Privacy Act?
All individuals have the right to expect that their personal information is managed in accordance with the Privacy Act.
All NDIA staff are required to comply with the provisions of the NDIS Act that deal with protected information and the provisions of the Privacy Act that deal with personal information. Therefore, NDIA staff are required to comply with the provisions of both Acts.
It is important to note that there are situations where the NDIS Act does not closely reflect the APPs. These situations relate to the use and disclosure of personal and protected information. In these situations, the NDIS Act will generally prescribe the information handling requirements.
6.2 The Australian Privacy Principles (APPs)
There are 13 Australian Privacy Principles (APPs) contained within the Privacy Act. The APPs cover such things as collection, use, disclosure and storage of personal information. For the purposes of the Privacy Act, the NDIA is considered an 'APP entity' and so the APPs apply to the Agency and its staff.
These principles guide how the NDIA, including NDIA staff handle personal information. This means that the NDIA has various obligations in relation to the personal information it holds.
The full list of APPs are also located at the Office of Australian Privacy Commissioner website (External website).
The APPs most relevant to the NDIA are mentioned below:
6.2.1 APP 3 – collection of solicited personal information
Outlines when an agency or organisation can collect personal information that has been requested. It also provides guidance on the higher standards placed in relation to how sensitive information should be collected. For further information see collection of information.
6.2.2 APP 5 – notification of the collection of personal information
Outlines when, and in what circumstances an agency or organisation that collects personal information must notify an individual of certain matters. For further information see collection of information.
6.2.3 APP 11 – security of personal information
An agency or organisation must take reasonable steps to protect all personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. For further information see recording and storage of information.