Privacy collection notice

On this page:

Privacy at the NDIS Quality and Safeguards Commission

The NDIS Quality and Safeguards Commission (NDIS Commission) is committed to protecting your privacy. 

The NDIS Commission privacy statement explains how we keep personal information secure and should be read alongside the NDIS Commission Privacy policy. 

Our Privacy policy details:

  • when and why, we may collect personal information
  • how we might use and disclose personal information
  • where we store personal information, and
  • how you can contact us to access, correct or make a privacy complaint. 

This page also includes links for Privacy collection notices issued by the NDIS Commission for specific activities involving the collection of personal information. These notices form part of the NDIS Commission's privacy practices.

Privacy collection statement 

The NDIS Commission must comply with the Australian Privacy Principles (APPs) in Schedule 1 of the Privacy Act 1988 (Cth) (Privacy Act) which regulate how certain types of organisations and agencies may collect, use, disclose and store personal information. 

The NDIS Commission must also comply with the provisions of the National Disability Insurance Scheme Act 2013 (Cth) (the NDIS Act) concerning management of information that the NDIS Commission holds about a person. This is “protected Commission information” under the NDIS Act. Unauthorised use and disclosure of protected Commission information by any person is a criminal offence under the NDIS Act.

Collection of personal information 

The NDIS Commission may collect your personal information (including sensitive information) directly from you, your representative, a third party, or from publicly available sources for the purpose of our statuary functions under the NDIS Act.

 This includes collecting personal information when we are:

  • considering and determining the outcome of an application to be a registered NDIS provider
  • handling a complaint related to the provision of supports and services under the NDIS
  • responding to a reportable incident the NDIS Commission has received
  • monitoring or investigating an NDIS provider’s or worker’s compliance with the NDIS Act, Rules and Code of Conduct
  • reviewing the use of restrictive practices and the provision of behaviour support services
  • taking compliance and enforcement action
  • assessing applications for employment with the NDIS Commission and associated employment matters (including security and pre-employment integrity checks)
  • assessing applications to participate in any NDIS Commission funded programs and initiatives
  • managing contracts and funding agreements, or
  • undertaking other regulatory action under the NDIS Act and the NDIS Rules.

We may also obtain your personal information collected by other Commonwealth agencies, State or Territory government bodies, or other organisations for the purposes of fulfilling our regulatory functions. Examples include the National Disability Insurance Agency (NDIA), State or Territory disability related regulators, non-disability related regulators (such as work health and safety regulators), law enforcement agencies, courts and tribunals, and workers screening units. From time to time, we may also receive personal information from members of the public without it being requested.

How we collect personal information

The NDIS Commission collects personal information that is reasonably necessary for, or directly related to, a function or activity of the NDIS Commission. We generally use forms, online portals and other electronic or paper correspondence to collect this information. We include a privacy collection notice for specific activities either on our paper-based forms or online portals that describes the reason why the information is being collected and to whom the information may be disclosed to.

We may also collect information through our website and online media services, such as Facebook (Meta), Google, YouTube and survey systems to improve our website and receive feedback from the community.

Kinds of personal information we collect and store

The kinds of personal information we may collect, and store is determined by the reason for collection. It may include:

  • name, address and contact details (e.g. phone, email and fax)
  • photographs, video recordings and audio recordings of you
  • information about the supports and services you have provided to NDIS participants and how you provided those supports and services
  • information about your personal circumstances (e.g. marital status, age, gender, occupation, accommodation and relevant information about your partner or children)
  • information about your financial affairs (e.g. payment details, bank account details and information about business and financial interests)
  • information about your employment (e.g. work history, referee comments, remuneration)
  • government identifiers (e.g. Centrelink Reference Number or Tax File Number) and/or
  • information about assistance provided to you under the NDIS.

Sensitive information may include information about:

  • your health
  • your identity (e.g. date of birth, country of birth, passport details, visa details, drivers licence, birth certificates, ATM cards)
  • your background (e.g. educational qualifications, the languages you speak and your English proficiency), and/or
  • your criminal history.

The NDIS Act authorises the collection, use and disclosure of protected Commission information in certain circumstances, including where this is for the purposes of the NDIS Act. Where the collection of personal information is authorised or required under the NDIS Act and Rules, not providing the information may constitute a contravention of the NDIS Act, which may lead to a criminal or civil penalty. Where the NDIS Commission asks you to provide personal information voluntarily, you should consider your own privacy obligations and seek advice if necessary.

Remaining anonymous or using a pseudonym

When engaging with the NDIS Commission there are some instances when you can remain anonymous or use a pseudonym. For example, you do not have to provide us with your personal information when you provide feedback, make a complaint or share information about compliance and fraud prevention. If you are unable to remain anonymous or your anonymity may impact our engagement with you the NDIS Commission will let you know. 

Use and disclosure of personal and sensitive information

The NDIS Commission may use or disclose some or all of the personal information collected from you for the purpose of performing the functions of the NDIS Commissioner under the NDIS Act such as in relation to the NDIS Worker Screening Database. This may include sharing information with the Worker Screening Units in States and Territories. 

If authorised by the NDIS Act, the NDIS Commission may also disclose personal information to other relevant parties, including other Commonwealth, State or Territory agencies, regulatory bodies or professional associations. The NDIS Commission may disclose personal information for the purpose of our functions to other Government agencies including, but are not limited to:

  • Services Australia
  • Department of Veterans’ Affairs
  • the National Disability Insurance Agency, including the NDIS Fraud Taskforce
  • the Royal Commission into Violence, Abuse, Neglect and Exploitation of People with Disability
  • Coroners
  • State and Territory Worker Screening Units
  • Public Advocates
  • other regulators with a role that has a connection with NDIS supports and services, or
  • other law enforcement bodies including the state Police and Australian Federal Police.

The NDIS Commission is not likely to disclose personal information to overseas recipients. If the NDIS Commission is required to disclose personal information overseas, we will maintain compliance with the provisions of the Privacy Act.

Personal and sensitive information obtained by us will only be used and disclosed for the purposes, and in the circumstances, outlined above and will not be used or disclosed without your consent for any other purpose or in other circumstances, except as authorised under the Privacy Act or if authorised or required by law, including by the NDIS Act.

Accessing and correcting your personal and sensitive information

We store and hold your personal and sensitive information in accordance with the NDIS Commission’s obligations under the Privacy Act and the Archives Act 1983 (Cth). 

More information about how you can access and correct your personal information is set out in our Privacy policy.

How to make a privacy enquiry, request or complaint

Enquiries, requests and complaints relating to the Privacy Act and the collection of your personal information can be made by:

If you make a complaint regarding the collection, use or handling of your personal information we will deal with your complaint in accordance with the NDIS Commission’s Feedback and Complaints Policy.

Confirmation and consent 

By providing your personal information to the NDIS Commission you agree to the NDIS Commission managing your personal information in accordance with our Privacy policy, this Privacy statement and the privacy collection notices, where applicable. 

Privacy collection notices

The following Privacy collection notices (PCNs) relate to specific activities of the NDIS Commission. These Privacy collection notices explain why we are collecting your information, the type of personal information we collect, and how we might use or disclose that information. It is important that you read and understand the Privacy collection notice, and make sure you are aware of your rights and obligations before providing your personal information.