Privacy, Confidentiality and Data Policy

As an NDIS-registered provider, CRAMLI Psychological and Behavioural Services is committed to maintaining the highest standards of privacy, confidentiality, and data protection. This policy aligns with the Privacy Act 1988 (Cth), the NDIS Practice Standards, and all relevant Commonwealth and State legislation to safeguard personal and sensitive information. 

Scope of the Policy

This policy applies to:

• All CRAMLI staff (permanent, temporary, and contractors).
• Participants, families, and stakeholders.
• External providers, including IT services and consultants, who may access CRAMLI data.

Purpose: To ensure all parties understand their obligations regarding the collection, use, storage, and disposal of personal and sensitive information.

 Collection of Information

CRAMLI collects personal information necessary for:

• Service delivery, including behaviour support, counselling, and assessments.
• Compliance with NDIS requirements and legal obligations.
• Operational and administrative purposes.

Information may include:

• Personal details: name, contact, and date of birth.
• Health and support data: medical history, NDIS plan details, and progress notes.
• Financial details for invoicing and funding purposes.

Key Measure: Information is collected with informed consent, ensuring transparency and lawful use.

 Use and Disclosure of Information

CRAMLI ensures personal and sensitive information is:

• Used strictly for the purposes for which it was collected, as outlined in the signed service agreement.
• Disclosed only with explicit, informed consent, except where legally required (e.g., child protection reporting or compliance audits).

Under the signed service agreement, participants authorise CRAMLI to share relevant information with individuals directly involved in their care team (e.g., support workers, allied health professionals, NDIS planners) to facilitate service delivery. This includes:

• Sharing information necessary for the development and implementation of care and behaviour support plans.
• Coordinating with other professionals and stakeholders for integrated service delivery.

CRAMLI ensures that:

• Only information necessary for the provision of services is shared.
• All disclosures are documented and align with the participant’s consent and NDIS requirements.

Important Note: Participants retain the right to limit or withdraw consent for sharing information at any time. CRAMLI will respect such requests, provided they do not conflict with legal or compliance obligations.

Data Security Measures

CRAMLI takes privacy and data security seriously, recognising the importance of safeguarding personal and sensitive information. To uphold this commitment, CRAMLI implements the following measures:

• Digital Security: Password-protected systems, encryption protocols, and access restrictions based on role to ensure data is secure and accessible only to authorised personnel.
• Physical Security: Secure storage of physical files, with access limited to authorised personnel to prevent unauthorised handling or breaches.
• Regular Monitoring: Periodic audits and system reviews to ensure compliance with this policy and identify potential vulnerabilities.

Any external providers or contractors with access to CRAMLI data must:

• Sign binding confidentiality agreements.
• Adhere to this policy and all applicable laws.
• Return or destroy all CRAMLI data upon termination of services.

All CRAMLI employees must:

• Complete privacy and confidentiality training.
• Follow internal policies for secure file sharing and data handling.
• Immediately report suspected breaches to management.

CRAMLI has zero tolerance for breaches of client privacy. Any staff member, contractor, or third party found to have violated privacy protocols will be subject to disciplinary action, including termination of services. Furthermore, CRAMLI will report all privacy breaches involving client information to the relevant authorities, such as the Office of the Australian Information Commissioner (OAIC) or other authorised organisations, as required by law.

Retention and Archiving of Data

CRAMLI retains personal and sensitive information in compliance with the Privacy Act 1988 (Cth) and NDIS requirements. When records are no longer required for active use, they are securely archived to preserve them for future reference, auditing, or compliance purposes.

Archiving Practices:

• Archived records are stored securely with access restricted to authorised personnel only.
• Records are retained for the minimum period required by law, such as seven years for client-related data or longer if legally required.
• Regular reviews ensure archived data remains secure and in compliance with privacy laws.

Participant Rights:

• Participants can request access to their archived records, subject to legal and operational requirements- if still available.
• CRAMLI will correct or update archived records if a participant identifies inaccuracies, in line with the Privacy Act 1988 (Cth).