At Recovery Plus Support, we are committed to upholding the privacy and confidentiality of our Participants, staff, and stakeholders. Our privacy practices comply with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and all applicable State and Territory privacy laws. We respect individuals’ rights to control their personal information and ensure it is collected, stored, used, and disclosed responsibly and lawfully.
Collection of Personal and Health Information
Before collecting any personal or health information, we inform individuals of the purpose of collection, how their information will be used and stored, and their rights to access and correct it. Recovery Plus Support collects only the personal and health information necessary for the safe, effective, and person-centred delivery of services. This includes, but is not limited to:
- Contact details of Participants, their representatives, and emergency contacts
- Health and medical information, including diagnosis, treatment history, medications, and medical reports
- Allied health assessments, psychosocial assessments, and therapy progress reports
- Case notes, support coordination records, and daily progress summaries
- Service delivery assessments, monitoring, and review documentation
- Incident reports, feedback, and complaints
- Staff employment details, qualifications, and screening checks
Use and Disclosure of Personal and Medical Information
Personal and medical information, including case notes and health reports, will only be used for the purpose for which it was collected, and in line with Participants’ consent or lawful obligations. Disclosure may occur under the following circumstances:
- With the individual’s informed consent
- To medical professionals for emergency treatment or clinical support
- To external agencies, regulators, or funding bodies as required by law
- To meet NDIS auditing and compliance obligations
- For internal quality assurance, case management, and service planning
- When required for mandatory reporting obligations, such as concerns of abuse or neglect
We do not disclose medical information to third parties for marketing or other unrelated purposes.
Storage and Security of Personal and Medical Information
Recovery Plus Support implements strict safeguards to protect the security and confidentiality of all personal and health-related information. This includes:
- Secure digital storage systems with role-based access controls
- Password protection, firewalls, two-factor authentication, and encryption
- Physical storage in locked cabinets with restricted access
- Staff access limited strictly to what is necessary to perform their duties
- Regular audits of information systems and handling practices
Medical documents, case notes, and assessments are securely stored within our client management system, with audit trails in place to monitor access.
Access and Corrections
Participants and staff have the right to access their personal, medical, and support-related records held by Recovery Plus Support. This includes case notes, medical reports, assessments, and other related documentation. Requests can be made by contacting:
- Participants: Risk, Compliance & Quality Manager
- Staff: People and Culture Manager
We will respond to access or correction requests within two working days. If access is restricted (e.g., due to risk of harm or legal requirements), we will explain the reason and provide alternatives where appropriate.
Confidentiality Obligations of Staff
All staff members are bound by confidentiality agreements and professional conduct standards. They must maintain the privacy and confidentiality of all Participant information, including case notes and medical records. Staff receive mandatory training on:
- The handling of sensitive health and personal information
- Privacy and confidentiality legislation
- Recordkeeping requirements and secure communication methods
- Participant rights under the NDIS Code of Conduct
Breaches of confidentiality are taken seriously and may result in disciplinary action, including termination and a report to the NDIS Commission or regulatory authorities.
Data Breach Management
Recovery Plus Support complies with the Notifiable Data Breaches (NDB) Scheme under the Privacy Act 1988 (Cth). In the event of a data breach likely to result in serious harm, we will:
- Contain and assess the breach
- Notify affected individuals and the Office of the Australian Information Commissioner (OAIC)
- Investigate the root cause and implement corrective actions
- Review policies and staff training to prevent future breaches
Photography and Video Recordings
Photographs, videos, and other recordings of Participants are considered personal information. We obtain written consent before capturing or using any images. All images are stored securely, labelled appropriately, and only used for agreed-upon purposes. We respect cultural sensitivities and the right to withdraw consent at any time.
NDIS Audits and Compliance
As a registered NDIS provider, Recovery Plus Support complies with the National Disability Insurance Scheme (Approved Quality Auditors Scheme) Guidelines 2018. Participants who do not wish their personal or medical information to be used during NDIS audits can opt out by informing a staff member. This decision will be documented and respected.
Privacy Complaints and Inquiries
If you have concerns regarding privacy or confidentiality, including the handling of your medical information or case notes, you may contact:
The Risk, Compliance & Quality Manager
Email: deon.k@primacygroup.com.au
Phone: +61 (0) 403 299 145
Complaints will be handled promptly and fairly under our internal dispute resolution procedure. If you are dissatisfied with the outcome, you may escalate your complaint to:
- Office of the Australian Information Commissioner (OAIC) – www.oaic.gov.au
- NDIS Quality and Safeguards Commission – www.ndiscommission.gov.au

