Privacy and Confidentiality Policy and Procedures

Policy authorised by Board of Management
Procedure authorised by Chief Executive Officer
Revised Date: 8 August 2022

Policy Statement

Kyeema Support Services (Kyeema) is committed to the transparent management of personal and health information about its participants and workers.

To ensure that the management of participants' personal information meets all relevant legislative and regulatory requirements, Kyeema's Privacy and Confidentiality Policy and Procedure is made publicly available via the website.

This policy supports Kyeema Support Services Inc. to apply the National Standards for Disability Services: Standard 1: Rights and, into the future, the National Disability Insurance Scheme Practice Standards: 1. Rights and Responsibilities (Privacy and Dignity); 3. Provision of Supports (Access to Supports); and the Australian Privacy Principles (APPs), July 2019.

The Australian Privacy Principles set minimum standards covering the legitimate use of personal information. Kyeema is committed to complying with those Principles.


This policy applies to all workers, contractors, volunteers or students/trainees. It includes confidentiality of information about the people Kyeema Support Services support and the people who work with Kyeema Support Services. The Board is responsible for this policy.

Related Legislation and Policy

  • Australian Privacy Principles (APPs) guidelines July 2022
  • Privacy Act 1988 (Cwlth)
  • Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cwlth)
  • Privacy Policy, Department of Human Services, endorsed June 2002 (amended August 2005) (Vic)
  • Health Records Act 2001 (Vic)
  • Information Privacy Act 2000 (Vic)
  • Freedom of Information Act 1982 (Cwlth)
  • NDIS Practice Standards and Quality Indicators 2020


Because people with disabilities are more vulnerable to exploitation and abuse than others in the community, workers with access to participant information automatically occupy risk-assessed roles under the NDIS Quality and Safeguards Commission.

The primary risk to privacy and confidentiality arises from the collection, storage and sharing of participant information. Access by non-authorised persons may expose participants to risk. Safe storage and access policy protects participants from abuse and exploitation. This policy addresses these issues.

There is a risk that information will be shared inadvertently and without any intention to do harm. Information may be unintentionally disclosed through the use of tablet- or phone-based software, shared with a participant's supporters against the participant's wishes, or disclosed to peers on the assumption that the information is already publicly known. Cultural assumptions around sharing information are diverse and change rapidly. Social media platforms may allow participants to be identified. This risk may be minimised by:

  • raising worker awareness of privacy and confidentiality
  • ensuring consent is obtained before gathering data (including audio and photographic data)
  • ensuring that consent is specific to the use of data, and that consent is current
  • encouraging participants to provide feedback and complaints about the use of their information.

These issues are addressed in this policy.


Personal information – Recorded information (including images) or opinion, whether true or not, from which the identity of an individual (including a person who has been deceased for up to thirty years) can reasonably be ascertained.

Sensitive information – Information or an opinion about an individual’s racial or ethnic origin, political opinions, membership of a political party, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preference or practices, or criminal record. This is also considered to be personal information.

Health information – Any information or an opinion about the physical, mental or psychological health or ability (at any time) of an individual.

Information Privacy – refers to the control of the collection, use, disclosure and disposal of information and the individual’s right to control how their personal information is handled.

Informed consent – Voluntary agreement and/or action where the person making the decision has appropriate information, understands the consequences of the decision and has the capacity to make the decision.


Personal information

Personal information may include:

  • name
  • date of birth
  • gender
  • current and previous addresses
  • residency status
  • telephone numbers and e-mail addresses
  • bank account details
  • tax file number
  • driver's licence number,
  • Centrelink information
  • photographs
  • race or ethnicity, and
  • medical history or information provided by a health service.

In collecting personal information, Kyeema will inform the participant of:

  • the fact that information is being collected;
  • the purposes for collection;
  • who will have access to the information;
  • the right to seek access to, and/or correct, the information; and
  • the right to make a complaint about, or appeal decisions on, the handling of their information.

Participant information is used to:

  • assess and provide services;
  • administer and manage those services;
  • evaluate and improve those services;
  • contribute to research;
  • contact family, carers, or other third parties if required; and
  • meet our obligations under the NDIS.

Participant Consent

Participants are to be provided with the Participant Intake Package and Participant Handbook which will include:

  • Consent to Share Information and Photos – CCF-01
  • Consent to Share Information – Easy read CCF-57

At the time of commencing service with Kyeema the consent forms are to be signed and placed in the participant's file, which is held securely with access limited to workers who require it in the performance of their role.

Other forms are available to use where needed:

  • Consent to Release Information - Supported Employment Enterprises BF-17
  • Privacy KCF-16
  • Consent to copyright any of my work CCF-36
  • Photo Consent Form for Specific Projects CCF-25
  • Outcomes and Support Plan Checklist CCF-10

Updating Participant Information

To ensure that participant information is accurate, complete, current, relevant and not misleading, Kyeema checks personal details and updates participant files accordingly:

  • whenever reviewing a participant’s service; and / or
  • upon being informed of changes or inaccuracies by participants or other stakeholders

There will be no charge for any correction of personal information.

Where Kyeema has previously disclosed participant personal information to other parties, should the participant request us to notify these parties of any change to their details, we must take reasonable steps to do so.

Collection and Storage of Personal Information

Kyeema Support Services collects information:

  • directly from participants orally or in writing;
  • from third parties, such as medical practitioners, government agencies, participant representatives, carer/s, and other health service providers;
  • from participant referrals; and
  • from publicly available sources of information.

Kyeema will collect sensitive information:

  • only with participant consent, unless an exemption applies, e.g. the collection is required by law or a court/tribunal order, or is necessary to prevent or lessen a serious and imminent threat to life or health;
  • fairly, lawfully and non-intrusively;
  • directly from the participant, if doing so is reasonable and practicable;
  • only where deemed necessary to support:
      – service delivery to participants; and
      – worker activities and functions; and
  • giving the participant the option of anonymity, if lawful and practicable.

Kyeema takes all reasonable steps to protect personal information against loss, interference, misuse, unauthorised access, modification or disclosure. Kyeema will destroy, or permanently de-identify, personal information that is no longer needed; that was unsolicited and could not have been obtained directly; or that is not required to be retained by, or under, an Australian law or a court/tribunal order.

Kyeema has appropriate security measures in place to protect stored electronic and hard-copy materials:

  • participant-specific procedures are kept in the files of the individuals for whom they have been written rather than on the Quality Management System (QMS);
  • hard copies are kept in participant folders; and
  • participant procedures are created in consultation with the participant (where possible), the worker and management, and are then tabled at worker meetings.

Kyeema has an archiving process for participant files which ensures files are securely and confidentially stored and destroyed in due course.

Personal information is collected for the provision of services and is stored securely.

Computers are password-protected and the system is protected from unauthorised digital access as far as is reasonably possible.

Filing cabinets containing personal information are locked when not in use.

Should a privacy breach occur that potentially exposes participant information (e.g. a computer system is compromised, a laptop is stolen), the CEO will immediately act to contain and rectify the breach in accordance with organisational policy and processes, including the Notifiable Data Breaches procedure.

Disclosing information

Kyeema respects the right to privacy and confidentiality, and will not disclose personal information except:

  • where disclosure would protect the participant and / or others;
  • where necessary for best service practice; or
  • where obligated by law.

For these purposes, Kyeema may disclose participants' personal information to other people, organisations or service providers, including:

  • medical and allied health service providers who assist with the services we provide to participants;
  • a 'person responsible' if the participant is unable to give or communicate consent e.g. next of kin, carer, or guardian;
  • the participant’s authorised representative/s e.g. legal adviser;
  • our professional advisers, e.g. lawyers, accountants, auditors;
  • government and regulatory authorities, e.g. Centrelink, government departments, and the Australian Taxation Office;
  • organisations undertaking research where information is relevant to public health or public safety; and
  • when required or authorised by law

Any information released for evaluation or research purposes will be de-identified.

Accessing personal information

Participants can request and be granted access to their personal information, subject to exceptions allowed by law.

Requests to access personal information should be made to the CEO or Supports Manager, either verbally or in writing, and must state:

  • the information to be accessed; and
  • the preferred means of accessing the information.

The CEO will assess the request to access information, taking into consideration current issues that may exist with the participant, and whether these issues relate to any lawful exceptions to granting access to personal information.

Should the CEO decide that access to personal information will be denied, they must, within 30 days of receipt of the request, inform the participant in writing of:

  • the reasons for denying access and
  • the mechanisms available to complain or appeal

Should access be granted, the CEO will contact the participant within 30 days of receipt of the request to arrange access to their personal information.

Should Kyeema be unable to provide the information in the means requested, the CEO will discuss with the participant alternative means of accessing their personal information.

Reasonable charges and fees, incurred by Kyeema in providing the data as requested, may be passed on to the participant.

Worker access to files

Workers have the right to access information on their worker file except where information:

  • Concerns the affairs of another person
  • Contains information supplied in confidence by another person
  • Is the subject of legal process.

Workers are required to give their manager three business days' notice of their wish to inspect their file. Managers may grant the request at any time within those three days or advise the worker of the reason for any delay. The records will be made available to be viewed at the workplace or, by arrangement, at an alternative location.

An employee/worker will not be provided with access to another employee’s/worker records.

Maintenance of Records

Kyeema is required to keep employee/worker records for seven years from the date on which an entry is made or from the termination of the employee's/worker's employment, whichever occurs first.

In the case of other records such as tax records, Kyeema Support Services must maintain those records for a continuous period of seven years from the date the entry is made.

Employee/Worker Obligations

Workers of Kyeema must not disclose confidential or personal information collected about participants, suppliers, customers, agents or contractors. If an employee/worker is not sure whether information is confidential or personal, they must check with their immediate manager or the CEO.

Confidential and Personal Information is information that is not in the public domain. It includes, but is not limited to, the following types of information:

  • Any personal information about an individual;
  • Any information about a supplier, customer, agent or contractor of Kyeema
  • Any personal information about an employee/worker or colleague (including a prospective or former employee/worker); and
  • Any information about Kyeema's business affairs or business systems.


Complaints about perceived or suspected breaches of privacy will be dealt with using the Complaints and Feedback Policy and Procedure.

Questions or concerns about Kyeema’s privacy practices should be brought, in the first instance, to the CEO’s attention.

Participants may directly email the CEO at

In investigating the complaint Kyeema may, where necessary, contact the participant making the complaint to obtain more information.

The participant will be advised either via phone call, or in a face-to-face meeting, of the outcomes and actions arising from the investigation.

If concerns cannot be resolved and participants wish to formally complain about how their personal information is managed, or if they believe Kyeema has breached an Australian Privacy Principle they may send their concerns in writing to:

Notifiable data breaches

Kyeema is required to notify the Office of the Australian Information Commissioner (OAIC) of a data breach involving personal information where the breach is likely to result in "serious harm" to any individual to whom the information relates; serious harm includes physical, psychological, financial or reputational harm. Personal information is information about an identified individual, or an individual who is reasonably identifiable.

Any worker who identifies a potential breach must immediately inform their supervising manager, who must report to the CEO for further action.

Depending on the nature of the breach, one or more of the following actions will commence:

  1. A notification can be submitted to
  2. The person or persons involved may be counselled, trained or performance managed by a manager and/or the CEO.
  3. In the event of a deliberate or serious breach of confidentiality or privacy by a person or persons, termination of employment may result.

If the breach of confidentiality is caused by the CEO or a Board director, the Chairperson of the Board will take action deemed appropriate.

Any affected participant or carer will be informed that an appropriate process is being undertaken by management and that the breach is taken seriously.

Related Policies, Procedures and Documents:

Consent to Share Information - Easy read CCF-57
Consent to Release Information - Supported Employment Enterprises BF-17
Consent to Share Information and Photos CCF-01
Privacy Poster KCF-16
Outcomes and Support Plan Checklist CCF-10
Complaints and Feedback Management Policy and Procedure
Privacy Amendment (Notifiable Data Breaches) Act 2017
Consent for Obtaining the use of Participant Photos
Australian Privacy Principles Fact Sheet