Loading

Talk with us: 0469 794 614 info@progresscure.com.au
Follow Us:
phone-icon
Phone: 0469794614
phone-icon
Phone: 0469794614

What are you looking for?

Contact Us
we are here

Unit 25, 13 Yates Street, Mawson Lakes SA 5095

progressecure > Privacy Policy

Privacy Policy

Privacy and Confidentiality Policy & Procedure

Purpose

This policy ensures the privacy, confidentiality, and security of all personal and sensitive information collected, stored, used, or disclosed by Progress Cure Pty Ltd. It applies to all employees, contractors, and representatives of the organisation.

This policy aligns with:

  • NDIS Practice Standards
  • NDIS Code of Conduct
  • Privacy Act 1988 (Cth)
  • Australian Privacy Principles (APPs)

Failure to comply with this policy may result in disciplinary action, including termination of employment or contract.

Definitions

  • Personal Information – Any information about an individual that identifies them.
  • Sensitive Information – Personal information about health, disability, cultural background, or legal matters that requires higher protection.
  • Health Information – Medical history, diagnoses, treatments, and other related details.
  • Confidentiality – The obligation to keep information private and secure, only sharing with consent or legal authority.
  • Privacy – The right of individuals to control the collection, use, and disclosure of their information.

Policy Statement

Progress Cure Pty Ltd is committed to:

  • Protecting the privacy of participants, workers, and stakeholders.
  • Collecting only the minimum necessary information to provide services.
  • Securing information against unauthorised access, use, or disclosure.
  • Gaining informed consent before collecting or sharing personal information.
  • Meeting all NDIS, legislative, and contractual obligations for privacy and confidentiality.

Information Lifecycle Management

  • Collection – Personal information is collected directly from participants or their authorised representatives, with both verbal and written consent.
  • Use – Information is only used for legitimate service delivery, administration, and compliance purposes.
  • Storage – All data is stored securely in password-protected systems or locked filing cabinets, with access restricted to authorised personnel.
  • Retention – Participant records are retained for a minimum of 7 years after service exit, or 7 years after a participant turns 18, whichever is longer.
  • Disposal – At the end of the retention period, paper records are shredded and electronic files are permanently deleted.

Collection of Information

We may collect:

  • Contact details and emergency contacts
  • Service agreements, consent forms, and support plans
  • Medical and health information
  • Progress notes and incident reports
  • Audio, video, or photographic records (with consent)
  • Employment records for staff (qualifications, screening checks, payroll details)

Before collecting information, workers must explain:

  • Why the information is needed
  • How it will be stored and used
  • Who will have access
  • The participant’s right to refuse or withdraw consent

Participant Rights

  • Access their personal information
  • Request corrections or updates
  • Withdraw consent for the use or sharing of their data
  • Request deletion of personal information when no longer legally required to be kept
  • Make a complaint to the Office of the Australian Information Commissioner (OAIC) if they believe their privacy has been breached

Third-Party Providers

When engaging third-party providers (e.g., allied health professionals, subcontractors, IT services), Progress Cure Pty Ltd will:

  • Ensure they comply with the Privacy Act 1988 and APPs
  • Have written agreements in place covering confidentiality obligations
  • Limit access to the minimum necessary information for service delivery

Digital Security Measures

  • All electronic files are stored in secure, encrypted systems
  • Password protection and two-factor authentication are used where possible
  • Access is limited to authorised staff on a “need-to-know” basis
  • Staff must not share passwords or leave devices unlocked when unattended
  • Regular cybersecurity checks and backups are performed

Notifiable Data Breaches (NDB) Scheme

A data breach occurs when personal information is lost, stolen, or accessed without permission, and is likely to cause serious harm.

Examples include:

  • Lost/stolen devices containing personal data
  • Accidental email or mail sent to the wrong person
  • Unauthorised staff access to records
  • Phishing or scam incidents leading to disclosure of information

If a breach occurs:

  1. The staff member must immediately notify the Owner/Director.
  2. The Owner/Director will investigate and take steps to contain the breach.
  3. Impacted individuals will be informed within a reasonable timeframe, including:
    • The nature of the breach
    • What information was involved
    • Steps being taken to reduce harm
  4. If required, the breach will be reported to the OAIC under the NDB Scheme.
  5. Preventative measures will be put in place to avoid recurrence.

Staff Training

  • All staff will complete privacy and confidentiality training during induction.
  • Refresher training will be conducted annually.
  • Training will include data protection, consent, NDIS requirements, and breach reporting procedures.

Policy Review

This policy will be reviewed annually in consultation with workers, participants, families, and other stakeholders, and updated as required to meet legislative and NDIS requirements.