Maintaining Confidentiality and Data Security in Your NDIS Records

Winter, EnableUs Community

Hey everyone, welcome back to The EnableUs Community Podcast. It’s Winter here, and today we’re diving into something that can feel super dry on paper, but is actually really human and really high stakes in real life – maintaining confidentiality and data security in your records.

Will, EnableUs Community

And I’m Will. If you’ve ever stared at your Privacy Policy or your ICT Security Policy and thought, yep, I have no idea how this actually plays out day to day, this episode is for you, especially if you’re a smaller NDIS provider with, you know, five, ten, maybe fifty staff.

Winter, EnableUs Community

Yeah, because in our space, when participants share their diagnoses, their financial situation, what’s happening at home, all of that really personal stuff, they’re not just ticking a form. They’re trusting you, and your whole team, to protect that information like gold.

Will, EnableUs Community

Exactly. And it’s not just a moral thing, it’s also a legal thing. We’re talking the Privacy Act, the Australian Privacy Principles, and the NDIS Code of Conduct. All of those expect you to not only avoid obvious big breaches, but to have proper systems in place so information isn’t accidentally exposed.

Winter, EnableUs Community

Let’s break that down in human language for a small provider. So, if you’re running, say, a ten‑person support service, the law is expecting that you only collect information that you genuinely need to provide supports, you explain to the participant what you’re collecting and why, you get informed consent before you use or share it, and you store it securely.

Will, EnableUs Community

And that “store it securely” bit is where lots of people kind of wave their hands and hope for the best. It actually means things like access controls, strong passwords, proper disposal of paper, and having a plan if something goes wrong. Plus, participants have a right to access their own information if they ask. That’s often overlooked in practice.

Winter, EnableUs Community

Let’s paint a quick picture. Imagine you’re that small ten‑person provider. One of your support workers takes some paper notes home in their bag, stops at a café, the bag gets stolen from the car, and inside those notes are a participant’s NDIS number, diagnosis, and a few sensitive details about home life. That’s not just an “oops, I lost my notebook”, that’s a serious breach of trust and potentially an eligible data breach.

Will, EnableUs Community

Yeah, and this isn’t hypothetical in the sector. A few years back there was a major breach involving a cloud‑based client management system where highly sensitive health info for thousands of NDIS participants was exposed, and a lot of that stuff ended up on dark web forums. We’re talking diagnoses, treatment details, personal identifiers, the whole lot.

Winter, EnableUs Community

And that has real‑world impact. You’ve got participants at risk of identity theft and fraud, they feel violated and scared, and they’re thinking, why did I ever give this information to a provider in the first place? That kind of event can absolutely destroy participant confidence, not just in that one provider but in the system more broadly.

Will, EnableUs Community

And for the provider, you’re suddenly dealing with investigations from the Office of the Australian Information Commissioner, potentially the NDIS Commission asking questions, negative media coverage, legal action, and, in really serious or repeated cases, possible cancellation of registration. Even if you survive it, rebuilding your reputation can take years, and some organisations just never recover.

Winter, EnableUs Community

I think that’s the key mindset shift. Privacy isn’t this box you tick in your documentation. It’s like a core part of the safety you’re promising people. The NDIS Code of Conduct literally calls out respecting privacy as a requirement because it’s a basic human right, right up there with dignity and respect.

Will, EnableUs Community

And when auditors come in – whether it’s verification or certification – they’re not just looking for a document labeled “Privacy and Confidentiality Policy” and going, “Cool, job done.” They’re trying to work out if you actually live that policy. So they’ll look at your documents, but they’ll also talk to staff and ask questions like, “How do you make sure participant information is kept confidential?”

Winter, EnableUs Community

Yeah, they’re checking: do you have the right policies, do your systems protect information, do workers understand their responsibilities, and do participants genuinely know how their data is being used? If a worker says, “Um, I’m not really sure, I think the office handles that,” that’s a red flag in an audit.

Will, EnableUs Community

So, from a compliance documents angle, think about your Privacy and Confidentiality Policy and your ICT/records procedures as living tools, not shelf decoration. They need to clearly spell out what information you collect, why, how you store it, who can see it, and what happens if something goes wrong. And then your day‑to‑day practice needs to line up with those words.

Winter, EnableUs Community

In the rest of the episode, we’re going to get super practical. We’ll talk about the everyday ways privacy actually gets breached – which are often really boring, simple things – and how to stop them. Then we’ll show you how to turn your policies into training, checklists, and a clear incident response plan that makes you much more audit‑ready.

Will, EnableUs Community

Alright, let’s get into the real‑world stuff that trips people up. Because, honestly, most privacy breaches in NDIS services don’t come from some Hollywood‑style hacker in a hoodie. They come from small, everyday lapses.

Winter, EnableUs Community

Yeah, one of the big ones the blog talks about is support workers doing handovers in public places. So you’ve got staff at a busy café, talking about “John with schizophrenia who had a meltdown yesterday” or “Sarah at this address who’s having issues with her ex”. You don’t know who’s sitting at the next table, and suddenly very personal information is floating around.

Will, EnableUs Community

So, how do we turn that into a practical rule? In your Privacy or Confidentiality Procedure, you can literally spell out: no participant‑identifying discussions in public spaces where you can be overheard. That might mean doing handovers back at the office, in the car with windows up, or over a secure call, not shouted across a café.

Winter, EnableUs Community

And then you reinforce it in training. Like, actually role‑play it: “You’re in a café, you’re about to debrief, what do you do instead?” Because a lot of staff genuinely don’t think about it until you point it out. It’s convenience over confidentiality unless you make it really explicit.

Will, EnableUs Community

Another classic one is group emails. Someone needs to send out a message to a few participants or families, and they just whack all the email addresses in the “To” field. Suddenly everyone can see everyone else’s email address, which is their personal information. That is a privacy breach, even if the content of the email is pretty harmless.

Winter, EnableUs Community

The simple fix? In your Email or Communications Procedure, you put a rule: whenever you’re emailing multiple participants or families, their addresses go in BCC, never in “To” or “Cc”. And then you show staff how to do that in practice. It sounds tiny, but you’d be amazed how many breaches are literally just the “To” field.

Will, EnableUs Community

Then we’ve got the old‑school, physical document risks. Paper files left open on desks where visitors or other staff can see them, cabinets that don’t lock, or just tossing documents with names, NDIS numbers, or health information straight into the general rubbish instead of shredding.

Winter, EnableUs Community

I always think of the scenario where someone nips out for lunch and leaves a participant file wide open on their desk. It feels like, “I’ll only be five minutes,” but in that five minutes, cleaners, contractors, or other visitors could easily walk past and see really private information. Your procedure should say: if you leave your desk, you close the file and put it away, full stop.

Will, EnableUs Community

You can back that up with something simple like a paper records checklist on the wall: close files when unattended, store records in locked cabinets, use a shredder or secure disposal bin for anything with participant details, don’t take files home unless there’s a documented reason and an approved process.

Winter, EnableUs Community

Let’s jump to digital habits, because that’s where a lot of people feel lost. The blog calls out weak passwords – you know, “Password123” or the same password across your email, your client system, your banking. If one account is compromised, it’s like a key that opens every door in your organisation.

Will, EnableUs Community

So, for small to medium providers, a really practical step is to set a password standard in your ICT Security or Access Control Procedure. For example: at least 12 characters, mix of upper and lower case, numbers, symbols, and no reuse of passwords across systems. Then, to make that realistic, you roll out a password manager so staff aren’t trying to remember thirty complex passwords in their heads.

Winter, EnableUs Community

And the blog also mentions “curiosity access” – staff looking at participant files they don’t actually need for their role. Maybe someone’s bored and clicks into a random file. That’s still unauthorised access. So your access control rules should be role‑based: support workers see only their own participants, team leaders see their team, admin staff see billing but not clinical notes.

Will, EnableUs Community

On top of passwords, multi‑factor authentication – MFA – is a big one. It’s that extra code to your phone or an authenticator app. Even if someone does steal a password, without that second factor they can’t log in. In your documentation, you can state: MFA is mandatory on all systems that hold participant information. Then you work with your software providers to make sure it’s actually turned on.

Winter, EnableUs Community

Encryption is the other piece. The blog talks about encrypting data when it’s stored and when it’s being transmitted. For a small provider using cloud‑based NDIS software, that usually means double‑checking that your provider encrypts data by default. You don’t have to be a tech wizard – you just ask them to confirm it in writing and keep that as part of your due diligence records.

Will, EnableUs Community

And we can’t forget dodgy emails. Phishing is still one of the most common ways systems get compromised. Someone gets an email that looks like it’s from a bank or from “NDIS”, clicks a link, and suddenly malware is on the device. That’s why your training and your procedures should include basic checks – don’t click links from unknown senders, double‑check addresses, and if in doubt, ask before you open anything.

Winter, EnableUs Community

So if you’re listening and thinking, “Wow, we do some of those risky things,” don’t panic. The good news is, most of these are fixable with some clear rules, simple tech like password managers and MFA, and a bit of habit change. And we’re about to talk through how you bake that into training and into your incident response process.

Will, EnableUs Community

Okay, so we’ve talked about why privacy matters and some of the sneaky ways it can be breached. Now we want to bring it home: how do you make your Privacy and Confidentiality Policy, and your related procedures, actually live day to day in a small team?

Winter, EnableUs Community

The first big piece is training. The blog is really clear that tech and policies alone can’t protect privacy. Your workers need to understand why it matters and what it looks like in their actual job. So, before a new staff member touches any participant information, you build an onboarding session that covers your legal obligations, real examples of breaches, and the specific situations that are risky in your service.

Will, EnableUs Community

Yeah, think about that onboarding as walking them through your key compliance documents in a really practical way. Not reading out the policy line by line, but saying, “Here’s what our Privacy and Confidentiality Policy means for how you do handovers, how you email participants, how you store notes, and what you do if something goes wrong.” And then you keep a record that they’ve done that training – that’s gold in an audit.

Winter, EnableUs Community

I love using scenarios. So you might say: “You’re at a café and want to debrief about a shift – what’s the right option?” Or “You accidentally receive an email with someone else’s participant information in it – what do you do next?” Role‑playing those situations makes it stick way more than just saying, “Respect confidentiality.”

Will, EnableUs Community

And training isn’t one‑and‑done. The blog talks about ongoing refresher training – bringing privacy up at regular team meetings, sharing lessons from near misses, and updating staff when there are new regulations or high‑profile breaches in the sector. You can literally have a standing agenda item for “Privacy and data security” every couple of months.

Winter, EnableUs Community

From a documentation perspective, that’s where your Training and Induction Procedure comes in. You can list “Privacy and Confidentiality” as a mandatory module for all positions, set a refresher frequency, and keep sign‑in sheets or LMS records that show who’s completed what. Then, when an auditor asks, you don’t just say, “Oh yeah, we tell them about privacy,” you’ve got evidence.

Will, EnableUs Community

The second big piece is what happens when things go wrong. Because, like the blog says, even with good systems, breaches can still happen. What matters is how quickly and how well you respond. You want a clear, written incident response or privacy breach protocol that every staff member knows about.

Winter, EnableUs Community

Step one in that protocol should be: report it immediately to the right person – a manager, privacy officer, or director – don’t just sit on it and hope it goes away. So, if someone emails participant info to the wrong person, they don’t try to quietly fix it and never tell anyone. They report it as an incident straight away.

Will, EnableUs Community

Then you’ve got containment steps. The blog gives some good examples: contact the unintended recipient and ask them to delete the email without reading or forwarding it, remote wipe a laptop or phone if it’s been stolen, and force password resets if an account might’ve been compromised. Your procedure should spell those out so managers aren’t inventing a response on the fly.

Winter, EnableUs Community

The next step is assessing whether it’s an “eligible data breach” under the notifiable data breach scheme, which is when there’s likely to be serious harm to the individuals affected. The blog notes you’ve got up to 30 days to make that assessment. If it is eligible, you must notify the Office of the Australian Information Commissioner and the affected people.

Will, EnableUs Community

Now, we’re not giving legal advice here, but from a compliance documents point of view, your Incident Management or Privacy Breach Procedure should at least say: we will assess suspected breaches against the OAIC requirements, we’ll seek advice if needed, and we’ll notify OAIC and individuals when it meets the threshold for serious harm. That shows auditors you understand your obligations.

Winter, EnableUs Community

And documentation of the breach itself is crucial. You want a record of what happened, when it happened, what information was involved, how many people were affected, what you did to contain it, and what changes you’re making so it doesn’t happen again. That document does two jobs: it shows you took the breach seriously, and it becomes a learning tool.

Will, EnableUs Community

I really like the idea of closing the loop. So, after a breach or even a near miss, you might update your Privacy Policy or ICT procedure, tweak your onboarding training, maybe tighten access so fewer people can see certain records. Then you can show auditors: here’s the incident, and here’s what we changed because of it. That’s powerful evidence of continuous improvement.

Winter, EnableUs Community

If you’re listening and thinking, “Where do I even start?” let’s give you a kind of minimum viable setup for a small to medium provider. You want, at the very least: a clear Privacy and Confidentiality Policy, an ICT or data security procedure that covers passwords, access controls, MFA and encryption, and an Incident or Privacy Breach Procedure that sets out reporting, containment, assessment, and documentation.

Will, EnableUs Community

And then wrap those documents in training – onboarding plus regular refreshers – and some really simple habits: no public handovers, BCC groups on emails, lockable storage for paper, strong passwords with a manager, and MFA switched on for any system with participant data. None of that requires a massive IT budget, it just needs a bit of focus.

Winter, EnableUs Community

Alright, we might leave it there for today. Hopefully this has helped you see your privacy and data security documents as real, practical tools rather than just admin. Take one small step this week – maybe review your Privacy Policy or write a simple breach response checklist – and build from there.

Will, EnableUs Community

Yeah, and if you’re in that 1–50 staff range, you absolutely can get this right without needing to become a full‑time IT person. It’s about clear expectations, simple systems, and good habits. Thanks for hanging out with us on The EnableUs Community Podcast.

Winter, EnableUs Community

I’m Winter…

Will, EnableUs Community

And I’m Will. Take care, look after your participants’ information like you’d want yours looked after, and we’ll catch you in the next episode.