INREACH Supports Privacy Policy

Last updated: 1 September 2025

1. Our Commitment to Privacy

INREACH Supports is committed to protecting the privacy and personal information of our clients, participants, and stakeholders. We manage personal information in accordance with the Privacy Act 1988 (Cth), the 13 Australian Privacy Principles (APPs), the NDIS Practice Standards, and the Notifiable Data Breaches (NDB) scheme.

By engaging with INREACH Supports, you agree to the terms outlined in this Privacy Policy.

2. What Personal Information We Collect

We may collect and hold the following types of information:

• Name, date of birth, and contact details
• NDIS participant numbers and plan details
• Health and medical information (including disability-related data)
• Emergency contact or authorised representative details
• Service preferences and care plans
• Records of service delivery and progress notes

Sensitive information is only collected with your consent or where required by law.

3. Consent Procedures

We obtain informed consent for all information collection and sharing through:

• Clear, written consent forms at service commencement
• Supported decision-making processes for participants with reduced capacity
• Authorized representative consent procedures where applicable

Specific consent is obtained for:

• Sharing behavior support plans between practitioners
• Photography and media use (social media, marketing, progress documentation)
• Emergency medical treatment disclosures
• Communication with external professionals and support coordinators

You have the right to withdraw consent at any time. Withdrawing consent may impact our ability to deliver certain services, which we will discuss with you. All consent forms are available upon request or at service commencement.

4. How We Collect Your Information

We may collect personal information:

• When you complete our service agreements and intake forms
• During support delivery or communications with you or your representatives
• From allied health professionals, Support Coordinators, or third parties (with your consent)
• Through our systems, including Shiftcare, Microsoft 365, and Dropbox

5. Why We Collect and Use Your Information

We collect your information to:

• Provide disability and community support services
• Coordinate care with health professionals and external providers
• Meet legal and regulatory obligations under the NDIS
• Record and monitor your wellbeing and service outcomes
• Respond to incidents, feedback, or complaints
• Improve service quality

6. Disclosure of Personal Information

We may disclose personal information:

• To health professionals and stakeholders involved in your care
• To third-party service providers under confidentiality agreements (e.g., IT platforms, auditors)
• Where required by law or the NDIS Act
• To prevent serious threats to life, health, or public safety
• In compliance with mandatory reporting obligations

We will inform you of disclosures where lawful and practical.

NDIS Quality and Safeguards Commission Reporting

We have mandatory reporting obligations to the NDIS Commission, including:

• Reporting of all reportable incidents as required by law
• Information sharing during Commission audits and compliance monitoring
• Retention of incident reports for a minimum of 5 years
• Commission's right to access participant records during investigations

7. Cross-Border Data Storage

Some of our systems (e.g., Microsoft 365, Dropbox, Shiftcare) may store or process data overseas. INREACH Supports ensures these providers comply with privacy safeguards equivalent to the Australian Privacy Principles.

By engaging our services, you consent to your information being securely stored in such environments.

Use of Technology and AI Systems

We may use artificial intelligence and automated systems to:

• Assist with rostering and service coordination
• Analyze service patterns for quality improvement
• Support compliance monitoring and reporting

All AI systems are subject to strict privacy controls and human oversight to ensure your information is protected.

8. How We Keep Your Information Secure

We protect your information using:

• Secure cloud-based systems with role-based access controls
• Password-protected access for authorised staff only
• Physical safeguards for any printed records
• Regular monitoring and updates to our security systems

9. Data Breach Notification

In the event of a serious data breach likely to cause harm, we will act in line with the NDB scheme by:

• Containing the breach
• Assessing the scope and risk
• Notifying affected individuals and the Office of the Australian Information Commissioner (OAIC) where required

10. Data Retention

We retain records according to legal requirements:

• General participant records: 7 years from last service
• Participants under 18: Until age 25
• Incident reports: Minimum 5 years
• Medication records: 7 years
• Financial records: 7 years
• Behavior support plans: 7 years from last review
• Consent forms: Duration of service plus 7 years
• Aboriginal and Torres Strait Islander participants: Extended retention for cultural/historical significance (with consent)

11. Your Rights

You have the right to:

• Access your personal information held by us
• Request corrections to inaccurate or outdated information
• Withdraw or amend your consent (noting this may affect service delivery)

12. Privacy Complaints

If you have concerns about how we manage your information, please contact us:

If you're not satisfied with our response, you may contact:

13. Privacy Training and Compliance

INREACH Supports maintains the highest standards of privacy protection through:

• All staff complete annual privacy and confidentiality training
• Staff sign confidentiality agreements upon employment
• Regular privacy impact assessments for new systems or processes
• Established breach response team with clear procedures
• Annual review and updates of this policy as required

14. Policy Updates

This policy is reviewed annually and updated as needed. The latest version will always be available on our website or upon request.