Part A – About the NDIA
What is the NDIA?
The National Disability Insurance Agency (NDIA, we, our) is responsible for delivering the National Disability Insurance Scheme (NDIS). The NDIS is a once in a generation social and economic reform. It is a new way of providing support for people with a disability, their families and carers. We help people with a disability to, among other things:
- access mainstream services and supports;
- access community services and supports;
- maintain informal support arrangements; and
- receive reasonable and necessary funded supports.
Information about NDIS across Australia’s states and territories can be found here:
- New South Wales
- South Australia
- Australian Capital Territory.
- Western Australia
- Northern Territory
What are the NDIA’s privacy obligations?
Personal information is information or an opinion about an individual whose identity is reasonably identifiable. Examples of personal information include a person’s name, address, date of birth and details about their health or disabilities.
Privacy laws do not apply to the information of corporate entities, such as providers or community partners. However, the personal information of individuals connected with those entities (such as employees) will be protected by privacy laws.
In dealing with personal information, we abide by the obligations imposed on us under federal law, including the Privacy Act 1988 (Cth) Privacy Act and the National Disability Insurance Scheme Act 2013 (Cth) (NDIS Act).
The Privacy Act authorises our collection of personal information where this is required to facilitate access to the NDIS and perform our other functions.
We are also bound by confidentiality and secrecy provisions in the National Disability Insurance Scheme Act 2013 (Cth) (NDIS Act). These provisions limit how we collect and use personal information and when and to whom information can be disclosed.
Part B – Our personal information handling practices
What kinds of personal information does the NDIA collect and hold?
We collect and hold information which is reasonably necessary for us to carry out our role. The kinds of information we collect and hold includes (but is not limited to) personal information about participants and other users of our services, and about our employees, contractors and providers.
Examples of personal information that we may collect includes:
- name, contact details date of birth and age
- gender, details about participants’ physical or mental health, including disabilities
- information about participants’ support requirements
- details of guardians and nominees, including names, addresses and contact details
- Centrelink Customer Reference Number (CRN)
- details of feedback or complaints about services provided by us
- bank account details
- employee records.
We may also collect some ‘health information’ as defined under the Privacy Act, such as information about your health or disability, doctors you have seen or health services you have received.
Information about an individual that is or was held by the NDIA is considered ‘protected information’ for the purposes of the NDIS Act.
You can choose to deal with us anonymously, in which case your personal information is not subject to privacy laws. However, if a person becomes, or applies to become, a participant in the NDIS or a registered provider of supports, it is impractical to deal with that person on an anonymous basis and in this case we may not be able to assist you if you seek to deal with us anonymously.
How will the NDIA collect and hold personal information?
We often collect personal information from people directly or from people who are authorised to represent them. While you do not have to provide us with all information requested, not providing this information to us may mean that:
- we may not be able to decide whether you can become a participant;
- decisions may be delayed while we seek further information; and
- we may not be able to approve your plan and the supports funded through the NDIS.
We sometimes collect personal information from a third party if you have consented, been told of this practice, or would reasonably expect us to collect the information in this way. An example of this is collecting information from a healthcare service, such as a residential care facility, which is managing a participant’s care.
We, or contracted service providers acting on our behalf, may also collect personal information from third party disability support providers, state and territory governments and other Commonwealth government entities (for example, Services Australia (formerly the Department of Human Services)) where this collection is authorised under law.
Federal law allows us to require the provision of information in certain circumstances. We do this in order to perform our functions, including facilitating the NDIS. The information collected is usually about participants, prospective participants, registered providers or persons with a disability who may wish to access the NDIS and is collected from other government bodies, registered providers of NDIS supports or anyone else who may hold relevant information.
Contracted service providers that may collect personal information on our behalf and access your personal information on our record management systems include:
- our community partners; and
- other parties contracted to collect information, such as the Services Australia.
We, or entities acting on our behalf, (such as community partners) may contact you by phone, for example, to facilitate your access to the NDIS. In the event we do contact you, we will ask for certain personal information over the phone, but will only request this information once we have explained the purpose for asking for this information and once we have your consent to proceed.
Your personal information may also be collected if and when you communicate with us electronically as described in Part C, through the mail or in person. In some cases, we may record your telephone interactions with us.
If you are ever unsure about whether a person calling you is from the NDIA, or one of our community partners, before you give them any information, you should ask the person to verify your NDIS reference number. Alternatively, you should take their name and number and call the NDIA back. If you think you may have been contacted by someone wrongly claiming to be from the NDIA, please contact us by emailing [email protected] or calling 1800 800 110.
Calls to the NDIA are recorded in most cases and are retained in accordance with the Archives Act 1983 (Archives Act).
We collect personal information about employees and prospective employees in order to conduct employment and employment-related activities such as payroll services, recruitment and selection, performance management, reporting and work health and safety. Our collection, use and disclosure of personal information about employees and prospective employees is in accordance with the Public Service Act 1999.
How do we use and disclose personal information?
We collect, hold, use and disclose personal information for the purpose of providing services, including implementing the NDIS, conducting our operations, communicating with participants and health service providers, conducting research and evaluation on the NDIS, and complying with our legal obligations. For example, our activities in implementing the NDIS may involve conducting an assessment of an individual’s disability in order to determine reasonable and necessary supports, and managing that individual’s support payments.
All our personnel (including staff and contractors), board members and community partners are issued with NDIA email addresses. When we need to use personal information for our business purposes, we will limit this use to only those NDIA personnel, board members or community partners who need to know that information. Where business use requires us to email personal information internally to NDIA personnel, board members or community partners, we will use NDIA email addresses to send that information.
If we need to disclose personal information outside the NDIA, we will de-identify the information prior to disclosure, wherever it is practicable to do so. We will not normally disclose a person’s personal information to anyone outside the NDIA except where we refer participants to external providers of in-kind supports under an approved NDIS plan; where that person consents; or where the disclosure is authorised or required under law. In such circumstances, we will use an NDIA email address to disclose any personal information if it is sent by email.
Some examples of when we may disclose personal information include:
- in delivering the NDIS and our other functions (for example, quality assurance purposes, training and purposes related to improving our services);
- referrals to external providers of supports for NDIS participants, or sharing information with support coordinators where this is required for services included in an approved NDIS plan;
- this is required or authorised by law, including under the NDIS Act;
- it will prevent or lessen a serious and imminent threat to someone's life or health or a threat to public health or safety;
- it is a necessary part of an internal investigation following a complaint; or
- we engage a contractor to provide some NDIS services and the contractor needs personal information of certain participants, providers, carers or other persons in order to perform that service for us;
- data sharing or data integration with other Australian Government agencies, including but not limited to, data sharing or data integration with the Australian Bureau of Statistics for the Multi-Agency Data Integration Project and the Data Integration Partnership for Australia.
We rely on contracted service providers, such as community partners and Services Australia, to undertake certain roles on our behalf. These third parties have access to our records and may use those records in order to facilitate your access to the NDIS or to implement your NDIS plan. When we use third parties, such as community partners and other contractors, to perform certain functions, the third parties are contractually required to work in accordance with the Privacy Act and the NDIS Act, and to access and store all personal information using our IT systems, not their own. The contractor is also required to treat personal information they may see or handle with care and confidentiality. Because we retain control over all personal information, the mere use of that personal information by contracted service providers as required by their role is considered a lawful use by the Agency and does not require your consent.
If you apply to become a participant in the NDIS, you will be asked to provide your consent for us to share your personal information with third parties, such as medical practitioners, accommodation facilities, support coordinators and other government entities. This is required as part of assessing whether you meet the access requirements for the NDIS and to implement your plan, if you do become a participant.
We make a record of some phone calls to help us in ensuring that the service we provide meets the highest standards.
We may use your information to seek feedback from you regarding your level of satisfaction with our services.
Users of the NDIA computer system may at times be able to see a person’s name (if the person is a participant, provider of supports, nominee or other person known to the NDIA) when performing duties either as an NDIA employee or on behalf of the NDIA, but are only permitted to record, use or disclose that information if it is directly related to performing those duties.
A state or territory government official may also have access to personal information as part of the intergovernmental arrangements.
We will not sell or rent your information to anyone.
We will, on occasion, disclose personal information to overseas recipients. The situations in which we may transfer personal information overseas include:
- the provision of personal information to overseas consultants (where consent has been given for this or we are otherwise legally able to provide this information)
- the provision of personal information to recipients using a web-based email account where data is stored on an overseas server, and
- the provision of personal information to foreign governments and law enforcement agencies (in limited circumstances and where authorised by law).
It is not practicable to list every country to which we may provide personal information as this will vary depending on the circumstances.
However, you may contact us (using the contact details set out at Part E of this Policy) to find out which countries, if any, your information has been given to.
We always liaise with a participant directly, unless they have a nominee appointed, or they request us to liaise with an authorised representative. In the case of child participants, we liaise with their child representatives (who are usually their parents, or legal guardians), rather than with them directly.
We may also use personal information of participants, providers and community partners to ensure the integrity of the NDIS, which includes identifying and responding to any fraudulent activities or misuse of NDIS funds.
How does the NDIA deal with Tax File Numbers?
If a person gives us their Tax File Number (TFN), we keep that information secure.
Due to legal restraints on the disclosure of TFNs, if a person asks us for their TFN, we will not be able to provide it to them. If a person wants to obtain their TFN, or the TFN of a family member, they will need to obtain this from the Australian Taxation Office directly.
In limited circumstances, the Australian Taxation Commissioner can be required by law to provide a person’s TFN to us.
How does the NDIA protect personal information?
We take steps to ensure that no-one outside the NDIA can access information we hold about someone without that person’s consent, unless that access is authorised or required under law.
We have systems and procedures in place to protect personal information from misuse and loss, as well as from unauthorised access, modification or disclosure. These steps include:
- paper records are held securely in accordance with Australian government security guidelines;
- access to personal information is on a need-to-know basis, by authorised personnel;
- our premises have secure access; and
- storage and data systems and protections are regularly updated and audited.
When no longer required, personal information is destroyed in a secure manner, or archives or deleted in accordance with our obligations under federal law.
Part C – Our website and social media channels
What are the NDIA’s web-based services?
Our web-based services are included on our website, which also contains links to myplace, our participant and provider portals.
We provide secure web-based services through myplace, our participant and provider portals. However, users are advised that there are inherent risks in transmitting information across the internet, including the risk that information sent to or from a website may be intercepted, corrupted or modified by third parties. You can communicate with us, or provide documents to us, by a range of means, including in person or by post, as well as electronically (via email or through our website or myplace).
What is Clickstream data? What data does the NDIA collect through Clickstream Data?
Clickstream data is the process of collecting, analysing and reporting aggregate data about which pages a website visitor visits - and in what order.
When you visit a NDIA managed website, our servers may record clickstream data when navigating our website.
The clickstream data we may collect include:
- the user's server (IP) address and machine name
- the location details such as longitude, latitude, city, region and country
- the date and time of visit to the site
- the top level domain name
- the pages accessed and documents downloaded
- the number of bytes transmitted and received for each request
- the previous site or page visited
- search terms used
- the type of browser and device used.
The NDIA examines this information to determine the traffic through the server and to specific pages or applications. To opt out of clickstream data collection, visit Aboutads . No attempt will be made to identify users or their browsing activities except in the unlikely event of an investigation, where a law enforcement agency may exercise a warrant to inspect server logs. The statistics and log files may be preserved indefinitely and used at any time and in any way necessary to prevent security breaches and to ensure the integrity of the information supplied by the website.
How do we use and disclose information collected from our website?
We will only use personal information submitted through our website for the purposes for which the information was provided.
Email addresses provided through website queries will only be used for the purpose of responding to those queries and will not be added to any mailing lists (unless that person has elected to subscribe to our mailing list). We will not use or disclose an email address for any other purpose without the relevant person’s consent, unless it is otherwise in accordance with the Privacy Act or the NDIS Act.
We may collect information about you to secure our network and to mitigate ICT security threats where necessary.
A "cookie" is a small file supplied by the NDIA and stored by the web browser software on a person’s computer when they access our website. (An explanation of cookies can be found at the website of the Australian Information Commissioner )
We use a session cookie for maintaining contact with a user throughout a web browsing session. At the end of the session, the user may choose to manually logoff and the cookie is immediately deleted. If a person does not logoff at the end of the session, we will automatically log that person off after about 20 minutes. This will ensure that no other person has access to this information.
In order to use certain features which personalise our website, users must use a browser which is enabled to accept cookies.
We analyse non-identifiable website traffic data (including through the use of third party service providers) to improve our services and for statistical purposes. No attempt will be made to identify anonymous users or their browsing activities.
These cookies collect anonymous, non-identifiable data, including browsing data. They will be deleted after 90 days or when a user clears their cache. A user may also use a browser which does not accept cookies, but as noted above this may affect usability of our website.
The NDIA may receive aggregated, non-identifiable data from Google Ads for analytical purposes.
External links to third party websites
Our website contains external links and applications operated by certain third parties, such as Facebook, YouTube, Instagram, Twitter, Linkedin and Google. These external third parties may not be subject to the Privacy Act. We are not responsible for the privacy practices of these third parties, or the accuracy, content or security of their websites. You should examine each website's privacy policies and use your own discretion regarding use of their site.
Will the NDIA know my personal details including my name, address, phone number or personal information?
No. We respect and protect the privacy of our users. The NDIA which is responsible for managing all NDIS websites does not collect personal information about the users of its websites. . When visiting the website, the NDIA will be able to see certain data regarding your use of the website, including pages accessed, dates and times visited and type of platform used to access website; for the purpose of delivering improved information tailored for our growing participants and providers.
Can I turn off data tracking?
Yes. Facebook and Google recommend Aboutads . AboutAds is a free software that blocks clickstream data collection from any website that is visited. This free software will ensure that any website (including the NDIS website) is unable to collect data from your browsing habits.
To provide our news we will collect the following information about you:
- your name
- your email address
- which State or Territory you live in, and
- what news you would like to receive from us.
We will only use this information to:
- create, send and manage emails relating to the work of the NDIA
- measure email campaign performance
- improve the features for specific segments of customers
To deliver our news to you we use Salesforce, which provides online tools to create, send and manage emails.
Salesforce does not use your information for its own purposes, for example its own marketing.
We have a contract with Salesforce to ensure the safety and security of your information.
You can opt out of our mailing list by clicking the ‘unsubscribe’ button in the emails you receive from us, or by contacting us.
Part D – Privacy Impact Assessment register
The Privacy (Australian Government Agencies – Governance) Australian Privacy Principles Code 2017 (Cth) (the Code) requires the NDIA to conduct a Privacy Impact Assessment (PIA) for all projects that involve personal information.
This Register lists PIAs completed since the Code came into effect on 1 July 2018.
|5575||August 2019||Partner Access to the NDIA Staff Portal (Partner Portal)|
|7607||December 2019||NDIA Business to Government Application Programmable Interface Phase 1|
|8600||April 2020||Bring your own device|
|12614||June 2020||NDIA Business to Government Application Programmable Interface Phase 2|
|15044||October 2020||ACE Foundation Program (Release 1)|
|17910||March 2021||Future Operating Environment|
|16871||May 2021||NDIA Monitoring Aggregator|
|20095||June 2021||Participant Portal Refresh Project|
|24616||November 2021||Eligibility Integrity Uplift Project|
|23858||December 2021||Assisting NDIS Participants with COVID-19 Vaccinations|
|24184||March 2022||Object Storage and Analysis Service Project (OSAS) (Phase 1)|
|28721||October 2022||3P Project|
|31547||November 2022||Processes in 3P (Participants, Platforms and Processes) Improvement Initiative|
|29569||June 2023||Staff Identity and Access Management Project|
|34370||June 2023||National Contact Centre Transformation Strategy|
|37680||July 2023||Migration of the i2 iBase Case Management System|
For further information, please email [email protected].
Last updated: September 2023
Part E – Queries, concerns and further information
How can a person access or update the information the NDIA holds about them?
We aim to ensure that the information we hold about a person is accurate, up to date, complete and relevant before acting on it. If a person learns that personal information we hold about them is inaccurate, outdated, incomplete, irrelevant or misleading, that person should contact us so that their information can be updated.
Where a person requests us to correct personal information we hold about them, we will action this request promptly. A person can also request that we notify that change to any other agencies or organisations that we have previously disclosed the personal information to.
If we do not agree to correct our records as requested, we will give written notice of the decision, setting out our reasons for refusing the request and how that person can lodge a complaint about our decision.
If a participant or registered provider would like to see what information we hold about them, we recommend checking the myplace Participant’s Portal or myplace Provider’s Portal (accessed through the myGov platform) as a first step. This will contain almost all the information we hold about them. In addition, the person can ask to access the information (see our Access to Information page). Sometimes it may not be possible to give the person a copy of all information we hold about them, especially if it contains details about other people, or if it providing the information may lead to harm being done to another person. Where a person’s own information can be provided to them, we will provide this information as soon as possible (and by no later than 30 days of the request).
If we do not agree to a request for access to personal information, we will take reasonable steps to give the person access to the information in an alternative form. We will also provide the person with a written notice setting out the reasons for refusal, and how they can lodge a complaint about the decision.
What if I have a complaint?
If you would like to leave feedback or complain about the service you have received from us, or if you think we have breached your privacy obligations, please contact us through the Feedback and complaints page, or call us on 1800 800 110.
We will promptly investigate and resolve your complaint and respond to you as soon as possible. Sometimes this may mean we have to speak to other NDIA staff members who are handling your matter. In all cases, we will inform you of the progress of your complaint.
If after receiving our response, you are unsatisfied with the resolution of the matter, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC). See the OAIC website for information regarding how to make a complaint.
The OAIC is independent of the NDIA and has the power to investigate complaints about possible interferences with a person’s privacy. It is usually best to contact us first about any privacy concerns. This is because the OAIC will generally ask us to investigate the matter first and provide it with our findings concerning the matter.
We comply with the Privacy Act in handling privacy breaches and will notify affected individuals and the OAIC of serious data breaches where appropriate.
How can you contact us regarding privacy matters?
Send an email to [email protected] or call us on 1800 800 110.
Event registration through third party services
The NDIA uses third party services to manage ticketing, registration and promotion of NDIA events.
If you visit and register for our events using the third-party services, you will be sending information (including personal information/data) to servers, which may be located in Australia or overseas.