We keep this plain and simple - because that’s how we do things. This policy explains what personal information we collect, why we collect it, and how we handle it. It applies to everyone we deal with. If you have any questions, just ask.

1. Who we are

Bloody Good Care (ABN 11 843 351 123) is an NDIS support provider based in Melbourne, Victoria. We provide community access, social and recreational support to NDIS participants. We are committed to handling personal information responsibly and in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), the Health Records Act 2001 (Vic) and its Health Privacy Principles (HPPs), and all other applicable legislation listed at the end of this policy.

This policy applies to NDIS participants and their families or carers, referrers and support coordinators, contractors and support workers, and anyone who contacts us or uses our website or social media channels.

2. Anonymity and pseudonymity (APP 2)

Where it is lawful and practicable to do so, you may interact with us without identifying yourself or by using a pseudonym - for example, if you contact us with a general enquiry. However, if you are seeking to receive NDIS supports, we will generally need to identify you in order to deliver those services safely and appropriately. We will tell you if anonymity is not an option and why.

3. What personal information we collect

Participants, families and referrers

Contractors and support workers

Website and social media visitors

4. How we collect personal information

We collect personal information:

Where practicable, we collect personal information directly from the individual it relates to. At or before the time of collection, we will take reasonable steps to notify you of who we are, why we are collecting the information, who we may share it with, and the consequences of not providing it.

Consequences of not providing information: If you choose not to provide personal information we request, we may be limited in our ability to provide supports or respond to your enquiry. Where information is required to safely deliver NDIS services, we will tell you this at the time of collection.

5. Unsolicited personal information (APP 4)

Occasionally we may receive personal information we did not request - for example, a referral containing more detail than necessary, or documents sent to us in error. Where this occurs, we will assess whether we could have collected it lawfully. If not, we will destroy or de-identify the information as soon as practicable, unless it would be unlawful to do so. If we can lawfully retain it, we will handle it in accordance with this policy.

6. Sensitive information

Some information we collect is sensitive information under Australian privacy law - particularly health and disability information about participants, and criminal history check results for workers. Sensitive information attracts a higher standard of protection.

We will only collect sensitive information where it is reasonably necessary for our functions, and where we have obtained your consent or another lawful basis applies. You may withdraw your consent at any time by contacting us using the details in Section 20. Withdrawal of consent may affect our ability to deliver certain supports - we will tell you this if it applies.

Worker Screening and Working with Children Check information is handled in accordance with the NDIS Worker Screening Act 2020 (Cth) and the Working with Children Act 2005 (Vic), including strict limits on its use and disclosure beyond screening and compliance purposes.

7. Children and young people

Some of the participants we support are under 18 years of age. Where a participant is a child or young person, we collect consent from a parent, guardian, or person with legal authority to consent on their behalf. We apply additional care to personal information relating to children, and we only collect what is necessary to safely deliver their supports.

Personal information about child participants is retained for seven years after the participant turns 18, or seven years after services end, whichever is later (see Section 15).

8. NDIS numbers and government-related identifiers (APP 9)

NDIS participant numbers are government-related identifiers. We collect and use NDIS numbers only for the purpose of delivering and administering NDIS supports - including billing, communication with plan managers, and meeting our regulatory obligations. We do not adopt NDIS numbers as general internal identifiers, and we do not disclose them except as necessary for NDIS service delivery or as required by law.

9. Why we collect personal information - primary purpose

We collect and use personal information to:

10. Secondary use and disclosure (APP 6)

We will not use or disclose personal information for a purpose other than the primary purpose for which it was collected, unless:

11. Direct marketing (APP 7)

We do not currently use personal information for direct marketing purposes. If this changes in future, we will only send direct marketing communications where we have your consent or where otherwise permitted by law, and every communication will include a clear and easy way to opt out. You can opt out at any time by contacting us using the details in Section 20.

12. Who we share personal information with (APP 6)

We may share personal information with:

We do not sell, rent, or trade personal information. We do not share personal information with other organisations for their own marketing purposes.

13. Overseas disclosure (APP 8)

Some third-party service providers we use are based overseas or store data on overseas servers. These currently include:

Before using these services, we take reasonable steps to satisfy ourselves that they protect personal information consistently with the Australian Privacy Principles. By submitting information to us via email or our website form, you acknowledge that your information may be processed by these providers subject to their respective privacy policies.

Aside from the above, we do not disclose personal information to overseas recipients, except where required by law.

14. Data quality (APP 10)

We take reasonable steps to ensure that the personal information we hold is accurate, up to date, complete, and relevant. We rely on individuals to let us know when their information changes. If you believe information we hold about you is inaccurate or out of date, please contact us and we will take steps to correct it (see Section 17).

15. How we store, protect, and retain personal information (APP 11)

We store personal information electronically using secure, password-protected platforms. We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure - including through access controls, secure passwords, and using reputable service providers.

Retention periods:

When personal information is no longer required and we are not legally required to keep it, we will take reasonable steps to destroy or permanently de-identify it.

16. Notifiable data breaches (NDB Scheme)

As a provider that handles health information, we are subject to the Notifiable Data Breaches (NDB) Scheme under the Privacy Act 1988 (Cth). An eligible data breach occurs when personal information is accessed, disclosed, or lost in circumstances where it is likely to result in serious harm to one or more individuals.

If we experience or suspect an eligible data breach, we will:

If you believe your personal information held by us may have been compromised, please contact us immediately using the details in Section 20.

17. Accessing and correcting your information (APP 12 & 13)

You have the right to request access to, and correction of, the personal information we hold about you. To make a request, contact us using the details in Section 20. We will acknowledge your request promptly and respond within 30 days. We may need to verify your identity before responding.

We will not charge you to correct your information. For access requests, we may charge a reasonable fee to cover administrative costs if the request is complex - we will advise you of any fee before proceeding.

In limited circumstances we may be unable to provide access - for example, where doing so would unreasonably affect the privacy of another person or is restricted by law. If we refuse access or correction, we will explain why in writing and tell you how to complain.

18. Making a complaint

If you believe we have not handled your personal information appropriately, please contact us first. We take all privacy complaints seriously and will respond within 30 days.

If you are not satisfied with our response, you may escalate your complaint to:

19. Changes to this policy

We may update this policy from time to time to reflect changes in our practices or legal obligations. The current version, including version number and date, will always be available on our website. Where changes are material, we will take reasonable steps to notify individuals who may be affected.

20. Contact us

For any privacy-related questions, access or correction requests, complaints, or consent withdrawals:

Bloody Good Care, Melbourne, Victoria

Legislation and standards

This policy seeks to comply with: