Privacy Policy and Privacy Notice

Privacy and the National Disability Insurance Scheme

Privacy is a human right, and we respect the privacy of people with a disability. People with a disability have a right to privacy, including in relation to the collection, use and disclosure of information concerning them and the services they receive.

As an NDIS provider, we are subject to the NDIS Code of Conduct (2019) (the NDISCode). Amongst other things, this means we must:

• Respect and protect the privacy of everyone that receives supports and services from us and our workers;

• Manage health information about any people we support and our workers in accordance with privacy laws related to the management of health information; and

• Have this policy and provide you with this notice about our privacy policy and procedures to help ensure we (and our workers) understand our obligations

We are committed to treating you in a dignified way that maintains your personal privacy

Privacy is about more than simply meeting our legal obligations. It is also about the way we deliver our services to people with a disability. We will work hard to be aware of your privacy needs and preferences and will deliver our services in a way that maintains your personal dignity. Without limiting what we mean by this commitment, we will:

• Explain and request your permission to perform procedures that involve physical touch or the invasion of your personal space

• Provide services in a timely manner to prevent your embarrassment and discomfort, e.g. Such as toilet breaks; and

• Consider your everyday personal needs, such as being able to shower or dress in a private or comfortable space

What, specifically, is this Policy and Notice about?

In this Policy and Notice, we explain:

The kinds of personal information that we collect and hold, including recorded audio and visual materials;

• Why we hold this information;

• Who will have access to this information;

• How we ensure that information is secure;

• How we use the information;

• How you can access and amend information held about you; and

• How to make a complaint if you feel that we have breached our privacy obligations to you

We have several obligations to you under the Privacy Act 1988 (Cth) (including the Australian Privacy Principles) (the Privacy Laws). This Policy and Notice are intended to reflect our obligations under the Privacy Laws as well as under the NDIS Code.

Hard copies of this Policy and Notice are available for free in our reception area, and you may request a portable document format (pdf) copy, again at no charge, by way of email to our Privacy Officer.

When we refer to “clients” or "you" below, we mean both former and current clients, as well as people who make inquiries about our products and services (i.e. potential clients) and users of our website or digitally hosted services.

Information Collection and Management

What Kinds of Personal Information Do We Collect and Hold?

In this Policy and Notice, “personal information” means information or an opinion about an individual whose identity is apparent or can reasonably be ascertained. To provide our services to clients, we need to know personal information about them and others, including:

• Names, ages, dates of birth, genders, and other identifying information;

• Medicare and health fund details (including Medicare numbers and health fund insurers and the extent of their coverage);

• Developmental, medical, ethnic, language, cultural and social histories (including medications, diagnoses, surgeries, and allergies);

• Details about disabilities, impairments, challenges, barriers and facilitators;

• Family histories, to the extent they may be relevant to our services;

• Work and education histories;

• Hobbies, motivations, interests, and activities in which clients and their families like to participate;

• Financial information concerning the ability of clients to pay for our products and services;

• Details related to the NDIS, including details of negotiations, assessments, plans and packages;

• Call records, wireless locations, and unique web browser details (when you use our products and services, including online services);

For sensitive information – such as information about your health that is reasonably necessary for us to provide you with services or products – we will seek your informed consent.

How do we collect personal information?

We may collect personal information about you in several ways, including:

• By telephone (e.g. When you or someone else call us);

• Via our website when you use our networks, products and services, including our online services;

• Via pages on our social media sites;

• Through our client questionnaires;

• By written letters, reports and other documents (e.g. Through reports you provide to us);

• Through emails, SMS and other forms of electronic communication;

• In interviews and other interactions with you (including face-to-face interviews and interviews conducted electronically, such as by way of Facetime, Skype, Zoom, Coviu or other means of video communication technology); and

• By taking notes and making recordings of our interactions with you (including audio and visual recordings)

When we ask for your consent to use your personal information, we will ensure that consent is opt-in, affirmative and freely given. At any time, you have the ability to withdraw consent by contacting us to tell us that you are withdrawing your consent.

Who do we collect personal information from?

We collect personal information from clients or someone authorised to act on the behalf of clients (e.g. their parents, carers or guardians). Wherever practicable, we will ask for the information directly. However, we may need to contact others when relevant to a client’s circumstances (e.g. when working with clients who cannot communicate their needs without the assistance of others).

In these cases, we will, when practicable, make you aware of the fact that we have collected this information and the circumstances of the collection.

When you give us information about other people, we rely on you to have obtained their prior consent and tell them of the types of third parties we may provide the information to and why.

Why do we collect personal information?

We collect personal information to deliver, review and improve the products and services that we provide. Generally, these services and products relate to Allied health services. If we didn’t collect this information, we wouldn’t be able to carry out our business or provide our products and services to you in accordance with the standards required by law, the NDIS Code, or our professional ethics requirements. If you do not provide the personal information that we request, we would not be able to carry out our business and provide our products or services to you.

More specifically, we need personal information (including health information) to provide clients with assessment, diagnosis and management services and products related to the allied health services you receive in addition to disability support.

We also need this information:

• For administrative purposes of managing our business;

• When necessary, to fulfil our obligations under law, regulation, the NDIS Code and/or our professional ethics rules;

• For billing management (either directly or through insurers or other compensation agencies);

• For discussions between workers related to the care of clients;

• For discussions and other communications, e.g. With your doctors, other health professionals, and others related to your care;

• For discussions with insurers (including the NDIS and its agents);

• With NDIS appointed support coordinators and financial plan managers;

• For any insurance or compensation or other claims or litigation (including threatened litigation);

• For security and workplace safety purposes, e.g. To monitor the safety of participants, workers and others.

From time to time, we may use personal information (but not sensitive health information) to provide you with news or offers about our products or services that may be of interest to you. We will ensure that your consent to receive this type of communication from us is opt-in, affirmative and freely given.

These products and services will be related to our services described above and will be products and services that we believe will be relevant to you. You have a right, at any time, to tell us that you don’t want to receive this type of material or unsubscribe from our digital communications.

Security and Access of Collected Information and Data

Can people access our products and services anonymously?

No. Due to the nature of our services and products, we cannot offer them to people who wish to be anonymous, wish to use a pseudonym or who do not provide us with enough information to properly identify them for the purposes of providing services and products.

Who will see or have access to your personal information?

Your information may be seen or used by people working for or on behalf of us and other service providers including (without limitation):

• Our directors, founders and shareholders;

• Our professional workers (employed or contracted);

• Our administrative staff (employed or contracted);

• Our volunteers, trainees or students on clinical placement;

• Our third-party professional advisors and service providers, including (without limitation) our lawyers, book-keepers, accountants, auditors, tax consultants, actuaries, management consultants and it service providers (including software-as-a-service providers);

• Medicare, private health insurance providers, our insurers and reinsurers;

• The national disability insurance agency and its agents; and

We will not rent, sell, trade or otherwise disclose to any other third parties any personal information about you without your consent, or unless we are required to by law (including pursuant to a court or tribunal order), or where a permitted general situation (including a permitted health situation) exists within the meaning of the Privacy Act 1988 (Cth), or if we reasonably believe disclosure is necessary for enforcement-related activities.

Security Of Your Personal Information and Data Retention

We know that you are concerned about your personal information – especially your health information. We will use reasonable endeavours to prevent unauthorised access to, modification of, disclosure, misuse, or loss of that information, except as required by law (e.g. under mandatory reporting laws, and our obligations to report incidences of violence, exploitation, neglect and abuse, and sexual misconduct to the NDIS Quality and Safeguards Commission and the police).

Our directors and staff have reviewed the requirements of the Privacy Laws and our third-party service providers are aware that they are required to comply with the requirements of the Privacy Act 1988 (Cth).

We have data protection measures in place (including password-locked computers) when we store personal information electronically. Our hard copy health records are stored in a locked filing cabinet on site accessible only to authorised staff.

If we no longer need personal information about you for any purpose described above, then we will take reasonable steps to destroy the information or to ensure that such information is de-identified. This obligation is subject to an important exception – we may be required to retain some information (e.g. health, financial or tax records) to comply with our statutory and other legal obligations.

Access to and accuracy of your personal information

We take reasonable steps to ensure that personal information we collect about or from you is accurate, complete, up-to-date and relevant whenever it is used, collected or disclosed.

Subject to the recognised exceptions to access for organisations contained in the Australian Privacy Principles (APP12.3), you have a right to access your information if you wish (subject to any privilege or legal restrictions); and, if it is reasonable and practicable to do so, we will give you access to the information in the manner requested by you. By law, we may charge you a reasonable fee to cover the cost of retrieving and processing the information.

If you believe personal information that we hold about you is inaccurate, out-of-date, incomplete or misleading, we will, on receipt of your request, take steps that are reasonable in the circumstances to correct the information.

What happens if personal information is disclosed outside Australia?

Given the increasing globalisation of electronic information systems and the businesses of service providers, it is likely that personal information may be disclosed to a person or entity outside Australia (e.g. to a third-party technology-related service provider managed outside Australia). For the same reason, it is not practicable to specify the countries in which such recipients may be located.

If your personal information is disclosed by us to an overseas recipient (e.g. to an insurer or IT-service provider), we will take reasonable steps in the circumstances to ensure the overseas recipient does not breach the Australian Privacy Principles in relation to the information.

Information About Newsletters and Updates

If you have signed up or otherwise agreed to receive newsletters, emails, or other update services from us, we will use you contact data (including your name and email) to provide those services to you. We tailor information provided to you, we will look at user statistics and preferences. These activities are for marketing and business development purposes.

Information About Webinars, Seminars and Courses

We may offer webinars, seminars and training courses on a range of topics to you and others in the course of our business relationship with them. These are part of our business and business development efforts. If you sign up to a seminar, webinar, or course, we will process your registration data (including your name and email address) to administer access and to prepare and present the webinar, seminar or course (as the case may be). We will also use your registration data for the purposes of our business development.

Information About Social Media Plug-Ins

To improve the quality of our services to clients, our website includes social media plug-ins of the large social media networks, including Instagram, Twitter, Facebook, and LinkedIn. Upon opening a website on which a social media plug-in is embedded, the social network provider will collect and process information on your visit to our website for its own business purposes. This is not initiated or controlled by us, but is a built-in feature of most social media plug-ins. For further information about these plug-ins and privacy, refer to the social media platform’s privacy policy.

Information about cookies

Our websites use cookies to enable, optimise and analyse site operations, as well as to provide content and to allow you to connect to social media. Cookies are small text files that are stored on your computer’s browser directory or program data subfolders when you visit our website.

They are stored on your computer for the duration of your visit or for when you re-visit our website at a later time. They allow our website to store or access information from your browser about you, your settings, or your device. They are uses mainly to ensure our website works well and, as a rule, do not contain information that could identity you directly. You can find out more about cookies via: www.allaboutcookies.org.

When you first click on our website, you may get a message that says something like:

“This website uses cookies to enable, optimise and analyse site operations, as well as to provide personalised content and to allow you to connect to social media. By clicking “I agree” you consent to the use of cookies for non-essential functions and the related use of personal data.”

Complaints And Asserting Your Privacy Rights

If you believe your privacy has been prejudiced by something we have done or failed to do, you have a legal right to lodge a complaint. If you make a complaint to us, our Privacy Officer will treat it very seriously, run through our complaints management procedure to assist you.

Our Privacy Officer is Kimberley Campbell, who can be contacted by email at info@littlesparrows.com.au, and in writing at: Kimberley Campbell Privacy Officer U 1 192 Mulgrave Rd, WESTCOURT QLD 4870

What if you are not satisfied?

If you are not satisfied with our response, you can refer your compliant to our CEO and Managing Director - Josh Campbell, at management@littlesparrows.com.au who will look into your complaint and provide you with findings within 21 days of receiving such complaint or in writing at:

Joshua Campbell CEO / Managing Director

U 1 192 Mulgrave Rd, WESTCOURT QLD 4870

Breach of Privacy

A breach of your privacy may constitute a breach of the NDIS Code. In this situation, you or anyone can make a complaint to us, or to the NDIS. As suggested in the NDIS Code, we encourage you to contact us first, to see if we can resolve the matter directly.

You also have the right to lodge a complaint with the Office of the Australian Information Commissioner, who is the competent supervisory authority.

A breach of privacy by a professional who works for us (e.g. a health care worker) may also be a breach of their professional code of conduct or code of ethics.

As noted above, you have several statutory rights under privacy laws, including rights to information, access, rectification and the withdrawal of your consent to the collection and use of personal information. If you wish to assert any of these rights, please contact our Privacy Officer using the contact details included above.

Want More Information?

If you have any questions about this Policy or this Notice, or have any concerns about the personal information you or others have given us about you, please contact us at [insert contact details].

More information on the Privacy Act 1988 (Cth) can be found on the website of the Office of the Australian Information Commissioner: https://www.oaic.gov.au/

This Policy and Notice are in addition to, and do not relieve, remove or replace our rights and responsibilities under applicable laws. If there is a conflict between this Policy and this Notice, on the one hand, and an applicable law, on the other hand, the law shall prevail to the extent of any conflict.