Privacy and Dignity Policy and Procedure
1.0 Purpose
Anchored Care provides our participants with access to services and supports that respect and protect their dignity and right to privacy.
2.0 Scope
3.0 Policy
Anchored Care requires staff and management to be considered and consistent when writing documents regarding a participant and when deciding who has access to this information.
Anchored Care is subject to NDIS Quality and Safeguards Commission rules and regulations. Anchored Care will follow the guidelines of the Australian Privacy Principles in its information management practices.
Anchored Care will ensure that each participant understands and agrees to the type of personal information collected and the reasons for collection. If the material is to be recorded in an audio or visual format, the participant must agree to their involvement in writing before any material can be collected. The participant must also be informed when the material is recorded in an audio or visual format.
Anchored Care will advise each participant of our Privacy Policy using the language, mode of communication and terms that the participant is most likely to understand (Easy Read documents are made available to all participants).
Anchored Care will ensure that:
- it meets its legal and ethical obligations as an employer and service provider concerning protecting the privacy of participants, and organisational personnel
- participants are provided with information about their rights regarding privacy and confidentiality
- participants and organisational personnel are provided with privacy, and confidentiality is assured when they are being interviewed or discussing matters of a personal or sensitive nature
- all staff, management and volunteers understand the requirements to meet their obligations
- participants are informed of Anchored Care's confidentiality policies using the language, mode of communications and terms they are most likely to understand
- to attempt to locate interpreters and use easy-read materials.
This policy conforms to the Federal Privacy Act (1988) and the Australian Privacy Principles, which govern personal information collection, use, and storage.
This policy will apply to all records, whether hard copy or electronic, containing personal information about individuals and interviews or discussions of a sensitive personal nature.
4.0 Procedure
4.1 Dealing with personal information
In dealing with personal information, Anchored Care staff will:
- ensure privacy for the participants, staff, or management when they are being interviewed or discussing matters of a personal or sensitive nature
- collect and store personal information that is only necessary for the functioning of the organisation and its activities
- use fair and lawful ways to collect personal information
- collect personal information only with consent from the individual
- ensure that people know of the type of personal information collected, the purpose of keeping the information, the method used when information is collected, used or disclosed, and who will have access to the information
- ensure that personal information collected or disclosed is accurate, complete, and up-to-date and provide access to the individual to review information or correct wrong information about themselves
- take reasonable steps to protect all personal information from misuse, loss and unauthorised access, modification or disclosure
- destroy or permanently de-identify personal information no longer needed or after legal requirements for retaining documents that have expired
- ensure that participants understand and agree with the type of personal information being collected and the reason/s for the collection
- ensure participants are advised of any recordings in either audio or visual format. Before collecting material, the participant's involvement in any recording format has been agreed to in writing.
4.2 Participant records
Participant records will be kept confidential and only handled by staff directly engaged in delivering service to the participant. Information about a participant may only be made available to other parties with the consent of the participant, or their advocate, guardian or legal representative. A written agreement providing permission to keep a recording must be stored in the participant’s file.
All hard copy files of participant records will be kept securely in a locked filing cabinet in the office of the DIRECTOR.
4.3 Responsibilities for managing privacy
- appropriate consent is sought and obtained for the inclusion of any personal information about any individual, including Anchored Care personnel (see Consent Policy and Procedure)
- information provided by other agencies or external individuals conforms to our privacy principles
- our website contains a Privacy Statement that clearly outlines the conditions regarding any collection of personal information from the public captured via their visit to the website.
The DIRECTOR is responsible for safeguarding personal information relating to Anchored Care’s staff, management and contractors. The DIRECTOR will be responsible for:
- ensuring that all staff members are familiar with the Privacy Policy and administrative procedures for handling personal information
- providing participants and other relevant individuals with information about their rights regarding privacy and dignity
- handling any queries or complaints about a privacy issue.
4.4 Privacy information for participants
During the first interview/onboarding, participants are notified of:
- the information being collected about them,
- how their privacy will be protected, and
- their rights concerning this data.
Information sharing is part of our legislative requirements. Participants must consent to any information sharing between our organisation and government bodies. The participant is informed they can opt-out of any NDIS information sharing during audits.
4.5 Privacy for interviews and personal discussions
- is given voluntarily
- will be stored securely on the Anchored Care database.
When in possession, or control, of a record containing personal information, Anchored Care will ensure that the record shall be protected against loss, unauthorised access, modification or disclosure by such steps as is reasonable in the circumstances. In cases when a record must be provided to a person in connection with the provision of a service to Anchored Care, everything reasonable will be done to prevent unauthorised use or disclosure of that record.
Anchored Care will not disclose any personal information to a third party without an individual’s consent unless that disclosure is required or authorised by, or under, law.
4.6 Storage of Information
Anchored Care ensures all personal and sensitive information is securely stored and managed in accordance with the Privacy Act 1988, the Australian Privacy Principles (APPs), and NDIS Practice Standards.
Data sovereignty (stored in Australia)
- All electronic records are hosted on Australian-based infrastructure. We do not store participant data offshore. Any cross-border disclosure would only occur where required by law or with explicit consent and documented safeguards.
- Our IT environment is managed by an Australian based certified IT professionals who are also members of the Australian Cyber Security Centre (ACSC) partner network
Electronic records & access controls
- Systems use encryption at rest and in transit, role-based access, unique logins, and multi-factor authentication.
- Daily, secure backups are performed and retained in Australian data centres. Backup access follows the same least-privilege controls.
Remote and overseas workforce security
- Staff may work from any location, including outside Australia; however, no participant data is stored outside Australia. Team members connect to Australian systems via secure, authenticated channels such as Virtual Desktop Interfaces (VDI), Multi-Factor Authentication (MFA) and Role-Based Access Control (RBAC)
- Company devices are protected with centrally managed endpoint security with Extended Detection and Response (EDR) full-disk encryption, automatic patching, and remote-wipe capability. A 24/7 Security Operations Centre (SoC) oversees this.
- Local storage of participant information on personal devices is prohibited. Copying/downloading records is restricted; access is logged and audited.
Physical records
- Paper files are stored in locked cabinets in restricted-access offices. Removal from premises requires Director approval.
Retention and disposal
- Records are retained in line with legal/NDIS requirements (typically seven years after service completion) and then securely destroyed:
- Physical: cross-cut shredding/secure destruction.
- Electronic: verified, permanent deletion from production and backups per our data-destruction procedure.
Monitoring, incident response, and accountability
- The Director and IT Manager oversee ongoing security reviews, access audits, and staff training.
- Suspected or confirmed breaches are escalated and managed under the Privacy Breach Response Procedure, with notifications made as required by law.
5.0 Related documents
- Code of Conduct Agreement
- Easy Read Privacy Document
- Privacy and Confidentiality Agreement
- Consent Policy and Procedure
7.0 References
- NDIS Practice Standards and Quality Indicators 2021
- Privacy Act 1988 (Commonwealth)
- Australian Privacy Principles (Commonwealth)