Imagine bumping into your kid’s principal at the local shops and she asks (with a bit of side-eye) how you enjoyed your time at the Bvlgari Resort in Bali last month.
As you walk away, you wonder how she even knew you’d been on holiday…? Oh right, she's friends with your support worker who had a week off while you were away.
Fantastic. Privacy? Never heard of it.
Or what if you hire a new speech therapist and they ring your LAC (Local Area Coordinator) because they’re worried you didn’t have enough funding available? Bless their heart.
Would you be concerned if a service provider sent you someone else’s speech report by mistake? What about if they sent your child’s report straight to your LAC?
Sometimes people and organizations just want to help, but in their efforts to be supportive, they can step over the line into micromanaging, meddling or even breaching privacy laws without realizing it. It’s a classic example of treating disabled people like children, or like adults who can’t make decisions or advocate for themselves.
I recently read a service agreement that stated if there were multiple cancellations, the service provider would contact the NDIS to trigger a plan review. Excuse me, what? I’ve never seen this in a service agreement before. Sometimes a provider will cease services or check in with the participant after a lot of cancellations. But I found it really odd that they thought they had the right to contact the NDIS on this matter.
PS: Cancellations happen. They're part of life and to be expected, unfortunately... but that’s beside the point. Life happens. Disabled people are allowed to rest when they are sick. Without guilt or fear of being ‘reported’ to the NDIS for cancelling a booking.
Data breaches happen too!
It’s a great reason why we want to think about who has our private details and why. Data collection should be on a need-to-know basis and only at the time that it’s actually required. When making referrals, I usually contact a provider first to check if they even have capacity because I don’t want 15 service providers to have my clients' confidential data on file unless it’s actually necessary.
Imagine how many different service providers are storing your and your child’s confidential information right now and don’t actually need it. This might be because you put your child on a waitlist, you ceased services with them, or maybe a referral was sent that you never ended up needing. Service providers sometimes ask for a huge amount of personal information at first contact, before you even know if you want to work with them. Over time, this can make us more lax about what data we hand over, and to whom.
If I have a client’s mobile number in my phone, the contact will say ‘Suzie O’ rather than their full name. These are all little ways that we can prioritize privacy and build a culture of valuing personal data and, by extension, protect our identity. At the end of the day, the more organizations that hold our data, the greater the likelihood of an accidental (oops, emailed the wrong person) or intentional (hacking) breach of your privacy.
Access to your data is a privilege and the information collected about you has value.
The number of service providers who consistently ask for a copy of the participant’s full NDIS plan at the outset still shocks me. There are a few limited circumstances where a service provider needs to know the budget available to them. One example is when the funding is agency-managed and they need to set up a service booking. When a service provider does ask you for your full plan or your budget, you can still say, ‘Actually, I’ll just send you a copy of the goals.’
Privacy. A quaint notion?
I have seen service agreements where a service provider had a media consent clause giving themselves permission to take photos and videos of the participant, and to edit and use them in social media, marketing materials, websites, and anywhere else they pleased—with no compensation or consultation with the participant. This consent was stipulated to be irrevocable (can never be taken back) and perpetual (lasts forever). How nice for that business to have a constant stream of free marketing material instead of fairly compensating disabled people for their image and talent! It would be easy to skim over this clause and accidentally sign away your child’s privacy—forever.
Who knows your child's NDIS number? Have you recommended your own plan manager in a Facebook group to others? Some plan managers are pretty relaxed about paying invoices. If someone out there knows your child’s NDIS number, who their plan manager is, and how to structure an invoice for NDIS purposes, they could claim thousands of dollars from your plan manager before you even know what’s happening. I always recommend having a pre-authorization process in place so that your plan manager won’t pay any invoices until you have had the opportunity to check them.
The implications can be far-reaching.
I have seen therapists completing a report or assessment state that they would send the report directly to the NDIS when it was completed. Not only does the participant not get an opportunity to fact-check it for accuracy, but as soon as the NDIS receives a document relating to an NDIS participant, they COULD start a plan review immediately. If you were intending to submit five pieces of evidence and the NDIS completed your plan review based on one report, I hate to imagine what kind of plan you would end up with!
And a crucial point here which SO many participants are unaware of and SO many service providers seem to completely forget about is consent. A therapist or service provider cannot discuss a participant’s plan or support needs with the NDIS without the participant’s consent. The NDIS cannot discuss a participant’s plan or support needs with a service provider without the participant’s consent.
For participants under 18, there will always be a plan nominee or a child representative, and this person can also consent to, and take part in, discussions about NDIA matters on the participant’s behalf. A person who does not have legal capacity to make their own decisions may also have a guardianship order in place, whereby the guardian can speak to the NDIA and make decisions on behalf of the participant.
But other than that, the participant’s information belongs to them. Reports and assessments belong to them. Case notes, shift notes, and documented information about the participant are protected data and cannot be shared with any third party without the participant giving express consent.
*Caveat: There are exemptions where it is lawful to share protected information without consent (e.g., where mandatory reporting requirements on child protection matters apply, or where there is an obligation to report incidents of violence, exploitation, neglect, abuse, or sexual misconduct to the NDIS Quality and Safeguards Commission and the police).
A therapist sending a report directly to the NDIS (or to anyone for that matter) without your consent is in breach of privacy laws. Support workers speaking to therapists, team care meetings, therapists speaking to the school, your pediatrician speaking to the NDIS, or even if you want your local Member of Parliament to make representations or escalate complaints on your behalf—these are all times where consent must be sought and voluntarily given to discuss an NDIS participant’s plan or services.
There are specific documents you can complete and submit to the NDIS if you want certain people to be able to discuss your NDIS supports with the NDIA. You can give people ‘Consent to Share’ where the NDIS can share information about the participant. Or ‘Consent to Act’ where the stated person can make changes such as requesting a plan review or making a complaint.
The Privacy Act 1988 is the principal piece of Australian legislation protecting the handling of our personal information. This includes the collection, use, storage, and disclosure of personal information in the federal public sector and in the private sector. It provides 13 Australian Privacy Principles that apply to government agencies and to private sector organizations with an annual turnover of $3 million or more. Some smaller organizations are covered regardless of turnover, notably private sector health service providers that hold health information, which captures many allied health and disability service providers.
Accuracy matters too!
One small mistake in your file with the NDIS can radically change the support and budget available to you. Principle 10 of the Australian Privacy Principles requires agencies and organizations to “take reasonable steps to ensure the personal information it collects is accurate, up to date, and complete.” Principle 13 gives you the right to correct information an agency or organization holds about you if it is:
- inaccurate
- out of date
- incomplete
- irrelevant
- misleading.
An organization or agency must respond to that request to correct your personal information within a reasonable period. The Office of the Australian Information Commissioner states that 30 days is a reasonable period. If they refuse to make the correction, they must advise you why in writing and explain how you can make a complaint.
The Notifiable Data Breaches scheme commenced as part of the Privacy Act on 22 February 2018. It requires an entity covered by the Privacy Act to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when it experiences a data breach involving personal information that is likely to result in serious harm to any of the individuals affected.
Even when consent has been provided, nothing is fail-safe. Mistakes occur. Nefarious individuals take advantage. In late 2023, the NDIA reported a data breach from within the Agency where an NDIA staff member was arrested for sharing participant information with two service providers. The staff member was alleged to have shared around 11,000 “records.” Imagine the money-making potential for service providers who have the right information.
So what can we learn, or perhaps take a quick refresher course on when it comes to privacy, consent, and data? Some concepts to consider are:
- Don’t give private information until it’s actually necessary. The initial inquiry doesn’t mean you need to provide 100 points of ID and your grandmother’s maiden name.
- Only give the information that is actually needed. Some documents request far more information than is required. You might only choose to complete some parts of the form.
- Ask why particular pieces of information are being requested and how they might be used.
- Cross out parts of the service agreement you don’t agree with. Don’t provide information that you aren’t comfortable with or at least seek answers as to how it will be used.
Disabled people will quite possibly fill out far more intake forms, consent forms, referral forms, and a zillion other forms than a typical person in Australia, so there is more risk of that data being shared in places it shouldn’t.
You have the right to question what is being asked for and why. And to take measures to protect yourself wherever possible.