Privacy Commitment

At YAS Care, we are committed to protecting your privacy and handling your personal information with care. As a registered NDIS provider, we comply with all relevant privacy laws and NDIS requirements, including the Privacy Act 1988 (Cth) and the Australian Privacy Principles, as well as the NDIS Act 2013 and NDIS Practice Standards. We recognize your right to privacy, while also acknowledging that we need to collect and use certain personal information to provide you with safe, high-quality support services under the NDIS. This Privacy Policy explains what information we collect, how we use and protect it, and your rights regarding your information.

What Personal Information We Collect

We only collect personal information that is reasonably necessary to deliver our services and meet our legal obligations. The types of information we may collect include:

  • Personal Details: Your name, contact information (address, phone number, email), date of birth, and other identifying details.

  • Health and Disability Information: Details about your health condition or disability, medical history, and support needs relevant to the services you receive. This may include information about medications, diagnoses, or functional assessments needed to plan your support.

  • NDIS Plan and Support Details: Information about your NDIS plan, goals, and funding, such as your NDIS participant number, plan start/end dates, and the supports or services you receive. We also document your support needs, goals, and progress to ensure services are aligned with your NDIS plan.

  • Service Delivery Records: Records of the services we provide to you, including session notes, schedules, assessments, and reports on outcomes or incidents (if any). These records help us maintain continuity and quality of care.

  • Financial Information: Details necessary for billing and payments, such as funding approvals, invoices, or bank details (for example, if we need to process payments or claim funding through the NDIS).

  • Media (Photos or Videos): With your consent, we may occasionally collect photographs, videos, or audio recordings (for instance, to celebrate achievements or for training and quality purposes). Providing this type of information is completely optional and we will only use it with your explicit permission.

  • Website Usage Data: When you visit our website, we may collect basic technical information like your IP address and browsing data (e.g. pages visited and time on site). This data is collected by standard website analytics tools to help improve our website and is not used to identify you personally. We do not collect cookies or tracking information beyond what is needed for basic site functionality and analytics, and no personal details are gathered unless you actively provide them (for example, by submitting a contact form).

How We Collect Personal Information

Where possible, we will collect personal information directly from you. This can happen in several ways:

  • Directly from You: We obtain information when you contact us or fill out forms (such as our contact form or service agreement), during intake assessments, and through your ongoing interactions with our staff. For example, you provide personal and health details when signing up for our services, and we gather further information during support sessions or phone/email communications.

  • From Your Representatives: With your authorization, we may collect information from your family members, carers, guardians, or advocates. For instance, a parent or guardian might provide information on behalf of an NDIS participant.

  • Through Service Delivery: We gather information in the course of providing services – for example, our staff will document progress notes, support plans, or incident reports as part of delivering care. These service records are a form of personal information we compile to ensure you receive appropriate support.

  • From the NDIA: With your consent, we may collect relevant information from the National Disability Insurance Agency (NDIA) or the NDIS participant portal (MyPlace). For example, we might obtain a copy of your NDIS plan, funding details, or approvals from the NDIA to coordinate and claim funding for services. This helps us tailor our support to your plan and make required service claims.

  • From Other Providers or Professionals: With your permission, we might also collect or exchange information with other people who support you. This can include health professionals (like doctors or therapists), support coordinators, plan managers, or previous service providers. For instance, if you are transitioning from another provider or if we are working alongside an allied health professional, we may request relevant reports or support plans (with your consent) to ensure continuity of care.

In all cases, we aim to be transparent and will inform you why we are collecting any piece of information and how it will help in delivering your supports. You have the right to decline providing information that is not mandatory – however, please understand this might affect the level of support we can offer (if we lack information needed to safely and effectively assist you).

Why We Collect and How We Use Your Information

We collect your personal information primarily to provide you with the best possible support and to meet our obligations under the NDIS. Specifically, we use the information we collect to:

  • Deliver and Tailor Services: We use your details, health information, and goals to develop and deliver personalized support services that meet your needs and help you pursue your goals. This information allows us to create support plans, match you with appropriate support staff, and adjust services as needed over time.

  • Ensure Safety and Quality: Your information helps us maintain your safety and well-being. For example, knowing your medical conditions or support needs means we can provide services safely and respond to any health issues or risks appropriately. We also keep records (like incident reports or progress notes) to monitor quality of care and improvements.

  • Meet NDIS and Legal Requirements: As an NDIS provider, we must meet certain legal and regulatory obligations. We use your information to fulfill requirements such as reporting to the NDIA/NDIS (for instance, making service payment claims, or mandatory notifications of serious incidents to the NDIS Commission). In some cases, law requires us to collect or disclose information (e.g. to comply with the NDIS Act, or if a court subpoena or government audit demands information – see Disclosure section below). We will only collect what is necessary for these purposes.

  • Administrative and Business Operations: We also use personal information for legitimate administrative purposes, like scheduling services, managing staff assignments, billing and invoicing, and internal record-keeping. This ensures the business runs smoothly in support of delivering services to you. For example, we may use your email or phone number to contact you about appointment reminders or updates to our services.

  • Communication and Support: We might use your contact details to communicate with you about your services or respond to your inquiries. This includes confirming appointments, sending information you have requested, providing updates on your support plan, or asking for feedback. We will not use your personal information for any unsolicited marketing purposes unless we have your consent.

  • Improvement and Training: In order to improve our services, we may analyse de-identified information (stripped of personal details) to review outcomes, identify trends, or train our staff. For example, we might look at general service usage patterns or feedback to improve our programs. Any data used for these purposes would not identify you personally.

We will not use your personal information for purposes other than those above unless we obtain your consent or are required/authorized by law to do so. We do not sell your personal details to any third parties.

Disclosure of Personal Information (When We Share Your Info)

YAS Care understands that your information is private, and we treat it confidentially. We will only share your personal information with third parties in certain circumstances, such as with your consent or when required by law. As an NDIS registered provider, we must follow strict privacy rules and will not disclose your personal information without your permission except as required under the NDIS or other laws. Situations where we might share information include:

  • With Your Explicit Consent: We will share information with others if you ask us to or explicitly agree. For example, if you want us to coordinate with a family member, doctor, or another support provider, we will share relevant information with them only with your approval. You can let us know which people or providers we may discuss your support with.

  • Within YAS Care Team: Our staff who are directly involved in supporting you will access your information as needed. All staff are bound by confidentiality agreements and the NDIS Code of Conduct to keep your information private. We restrict internal access so that only authorized team members (e.g. your support workers, program coordinators, or nursing staff who need the info to assist you) can view your details.

  • NDIS and Government Agencies: We may be required to share certain information with the National Disability Insurance Agency (NDIA) or the NDIS Quality and Safeguards Commission as part of our participation in the NDIS. For instance, we submit service delivery data to NDIA to claim payments, and we must report serious incidents to the NDIS Commission as part of safeguarding requirements. In doing so, we only provide the information that is required or authorized under law or NDIS rules. Such disclosures are made to fulfill our obligations as your service provider and ensure continuity of your funded supports.

  • Other Health and Support Providers: With your permission, we might share information with others involved in your care, such as your support coordinator, plan manager, medical professionals, or therapists. For example, if a therapist or specialist is treating you, we may exchange relevant information (like therapy reports or support plans) to coordinate your care. This helps all parties work together in your best interest. We will discuss with you what information will be shared and obtain your consent.

  • When Required or Permitted by Law: We may disclose personal information if we are legally required to do so. This includes situations like:

    • Mandatory Reporting: If there is a risk of harm, abuse, or a serious incident, we might need to report certain details to authorities under the law or NDIS rules (for example, child protection services or the NDIS Commission’s mandatory reporting for critical incidents).

    • Court Orders or Subpoenas: If a court of law or tribunal compels us to provide information (for instance via subpoena), we are legally obligated to comply and may have to disclose the requested records.

    • Safety Exceptions: In rare cases, we might share information without consent if it’s necessary to prevent a serious threat to someone’s life, health or safety. For example, if you have a medical emergency while in our care, we might share relevant health info with emergency responders or hospital staff to ensure you get appropriate treatment. This would be done under the "duty of care" and allowed by privacy laws in emergencies.

  • Funding or Regulatory Reporting: Sometimes we must provide reports to government funding bodies or regulators. Whenever possible, these reports do not identify you personally. For example, we may provide anonymous service statistics to the NDIA or government (like number of service hours, or demographics) for auditing or funding purposes. Any such statistical data will be de-identified, meaning it won’t include your name or other direct identifiers.

We do not share, sell, or disclose your personal information to any third-party marketers. We also do not send your information overseas unless necessary (see next section). In the event that we ever need to share information in a new way not covered above, we will seek your consent first.

Data Storage and Security

We take the security of your personal information very seriously. YAS Care uses a combination of technical, physical, and administrative measures to safeguard the information we hold from misuse, interference, loss, and unauthorized access or disclosure. Here are some key steps we take to protect your data:

  • Secure Digital Systems: Personal information stored electronically is kept in password-protected systems. We use encryption and security software to protect our databases and computers. For example, our client management system and any cloud storage are secured with encryption and multi-factor authentication to prevent unauthorized access.

  • Restricted Access: Only staff members who need your information to perform their duties are permitted to access it. All staff and any contractors are bound by strict confidentiality and trained in privacy protection. We regularly review user access rights and remove or update access when staff roles change.

  • Physical Security: Any paper records or forms (if we have any hard copies) are stored in locked cabinets or secure office areas when not in use. Our offices have controlled entry, and we take care not to leave documents in the open. We are moving toward mainly digital records, but any necessary physical documents are handled securely.

  • Training and Policies: We train our team in privacy and data protection protocols. We have internal policies to ensure data is handled consistently and confidentially. Staff are required to adhere to this Privacy Policy and sign confidentiality agreements as part of their employment.

  • Regular Security Reviews: We periodically update our security practices and systems. This includes applying security patches to software, running virus/malware protection, and conducting audits to identify and address potential vulnerabilities. By staying up to date with best practices, we aim to reduce the risk of data breaches or unauthorized access.

  • Data Retention: We only keep personal information for as long as it is needed. This means we retain your information for the duration of providing services to you and for any period required by law (for example, certain records might need to be kept for a number of years under NDIS or healthcare regulations). When personal information is no longer required, we will destroy it or de-identify it in a secure manner.

Use of Online Services and Third Parties

Our services may involve the use of online tools or third-party platforms to support you. For example, we may assist you in using the NDIS participant portal (MyPlace) for managing your plan, or we might utilize secure video conferencing software to conduct virtual support sessions. Please note that when you use external third-party services or websites, your personal information may be subject to their privacy policies as well, which are outside our control.

  • NDIS Systems: If we help you use the NDIA’s online portals or systems, the information entered there is handled in accordance with the NDIA’s own Privacy Policy (as the NDIA is the agency that manages that system). We will support you in understanding and using these tools, but your data on those systems is managed by the NDIA, not by YAS Care. For example, if you share parts of your NDIS plan through the MyPlace portal, that portal is operated by the NDIA under their privacy and security protocols.

  • Telehealth / Communications Platforms: We may use reputable third-party applications (such as Zoom or Microsoft Teams for video meetings, or cloud-based document services) to deliver services or communicate. We choose platforms that are secure and compliant with privacy standards. However, these providers have their own privacy terms which you might be asked to agree to when using their service. We will let you know what platform is being used and direct you to their privacy information when relevant.

  • Website Links: Our website might contain links to external websites or resources (for example, information blogs or allied organizations). If you follow a link to another site, please be aware that those sites have their own privacy policies. We are not responsible for how other websites handle your information. We advise you to read the privacy statements of any external sites or services you use.

In summary, we only collect and manage personal information within our own systems (website, internal records, etc.) as described in this policy. If we assist you in accessing other services (like NDIS portals or external programs), any personal data you provide on those external systems is governed by the privacy policy of the respective service provider. We will make sure you are informed when this is the case, and we are happy to help if you have questions about how your information is handled by others.

Your Privacy Rights

We respect your rights to control your personal information. Under privacy laws and NDIS guidelines, you have several important rights regarding the information we hold about you:

  • Access Your Information: You have the right to request access to the personal information we hold about you. This means you can ask us for a copy of your records or details of what information we have. We will provide this unless legal restrictions apply. For example, you can request to see your service notes or the contact details we have on file. We will respond to access requests within a reasonable time and usually free of charge (or for a minimal administrative cost if the request is extensive, as allowed by law).

  • Correct Your Information: If you believe any personal information we have is inaccurate, out-of-date, or incomplete, you have the right to request that we correct it. We encourage you to keep us informed of any changes (like a new phone number or updated medical info). We will promptly update our records and confirm the correction with you.

  • Withdraw Consent: Where you have given consent for us to use or share your information, you generally have the right to withdraw that consent at any time. For instance, if you previously allowed us to share information with a family member or another provider, but later change your mind, let us know and we will stop that sharing. (Keep in mind, if the sharing or use is required for us to provide services or by law, we will explain the implications or if we are unable to cease certain uses).

  • Opt Out of Communications: If we send any non-essential communications (for example, a newsletter or general updates), you can opt out of receiving them. Note that we do not send marketing emails without consent. Any service-related communications (like appointment reminders or important notices about your support) would still be sent as needed even if you opt out of newsletters.

  • Anonymity/Pseudonymity: Where practical and lawful, you have the option to remain anonymous or use a pseudonym when dealing with us. In most cases, due to the nature of disability support services, we need to know who you are to effectively assist you. However, for general inquiries or website visits, you do not have to provide your name if you prefer not to.

  • Choose Participation in NDIS Audits: If there is an NDIS audit or review of our services, and your involvement is requested (for example, an auditor wants to speak with some participants or review files), you have the right to choose whether to participate. We will respect your decision if you prefer not to be involved in any audit interviews or have your records reviewed beyond what is legally required.

  • Lodge a Complaint: If you believe your privacy has been breached or you have a concern about how we are handling your information, you have the right to complain. Please see the Complaints and Enquiries section below for how to do so and who you can contact.

To exercise any of these rights, you can contact us (see our contact details below). We may need to verify your identity before fulfilling certain requests (to ensure we don’t accidentally give your data to someone else). There are some circumstances under law where we might refuse access or correction (for example, if giving out the information poses a serious threat to life or health, or if we are legally prevented from doing so), but we will always provide you with reasons if that is the case. Our goal is to be transparent and helpful in addressing your requests.

Data Breaches and Incident Response

While we strive to protect your information, we have plans in place in the unlikely event of a data breach (such as unauthorized access to, or disclosure of, personal information). A “notifiable data breach” is one that is likely to result in serious harm to individuals and must be reported under Australian law. If such a situation occurs, we will respond swiftly as follows:

  • Containment: As soon as we become aware of a potential data breach, we will take immediate steps to contain it and prevent any further unauthorized access. For example, this might involve shutting down a compromised system or changing access credentials.

  • Assessment: We will investigate the incident to understand what happened, what information is affected, and the risk posed to individuals. This includes determining whether the breach is likely to cause serious harm (which triggers formal notification requirements).

  • Notification: If a data breach occurs that may result in serious harm, we will notify the affected individuals and the relevant authorities in line with the Notifiable Data Breaches scheme. Specifically, we will inform you of the breach, the information involved, and any recommended steps for you to protect yourself. We will also report to the Office of the Australian Information Commissioner (OAIC) and/or NDIS Commission as required. Our aim is to do this promptly – in many cases, we would contact affected individuals within 24 hours of identifying the breach.

  • Remedial Action: We will take all necessary actions to mitigate any harm and prevent future breaches. This could involve recovering lost data, improving security measures, training staff, or other corrective steps.

  • Follow-up: A full investigation will be conducted for any major incident, and we will review and update our practices based on the findings. We will keep affected individuals informed of outcomes and measures taken.

We treat any breach of privacy as a serious incident. Our staff are instructed to report any suspected data security issues immediately so that we can address them. We are also aware that intentional or negligent breaches by any staff member are subject to disciplinary action. Our priority is to ensure your information remains safe and to maintain your trust.

Complaints and Enquiries

Your privacy is important to us, and we welcome any questions or concerns you might have about how we handle your personal information. If you: (a) have a question about this Privacy Policy or our data practices, (b) want to request access or correction of your info, or (c) believe your privacy has been compromised, please contact us first so we can assist. You can reach us at:

YAS Care Privacy Officer
Email: admin@yascare.com.au
Phone: 03 9071 1866

Please provide details of your question or complaint, and our Privacy Officer will respond as soon as possible. We aim to acknowledge complaints within 2 business days and provide a resolution or update within 30 days. We take all privacy complaints seriously. Our team will investigate your concerns and consult with you to find a fair solution.

If you are not satisfied with our response or believe we have not handled your complaint properly, you have further options:

  • NDIS Quality and Safeguards Commission: The NDIS Commission oversees the conduct of NDIS providers. You can lodge a complaint with the Commission if it involves the quality of service or confidentiality by an NDIS provider. Visit the NDIS Commission website or call them for guidance on how to complain.

  • Office of the Australian Information Commissioner (OAIC): The OAIC is Australia’s federal privacy regulator. If your complaint is about how we handled your personal information under the Privacy Act, you can contact the OAIC. They can investigate privacy breaches and have the authority to enforce privacy laws. You can find more information on making a complaint to the OAIC on their website.

Other avenues (depending on the issue) might include state privacy commissioners or guardianship bodies, but generally the above are the key contacts for privacy concerns. We can assist you with contact details for these bodies if needed. According to our policy, privacy complaints can be made to our Privacy Officer, the NDIS Commission, or the OAIC and we will cooperate with any official investigations.

We encourage you to come to us with any questions or issues, as we genuinely want to resolve them and improve our practices. Your feedback on privacy matters is valued.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal compliance. If we make significant changes, we will post an updated notice on our website. The "last updated" date below shows when the policy was last revised. We encourage you to review this policy periodically to stay informed about how we protect your information. By continuing to use our services after any changes, you will be deemed to have accepted the updated terms.

Last updated: 25 September 2025.