Karakan is committed to protecting the privacy of personal information which the organisation collects, holds and uses.

Karakan is bound by laws which impose specific obligations when it comes to handling information. The organisation recognises the essential right of individuals to have their information administered in ways they would reasonably expect – protected on one hand and made accessible to them on the other.  The organisation is committed to the development and maintenance of systems that ensure only information reasonably necessary to the activities of the organisation is collected. That information is collected with consent and managed with in accordance with the Australian Privacy Principles.
This policy ensures we protect and handle personal information in accordance with the NDIS and relevant privacy legislation. We acknowledge an individual’s right to privacy while recognising that personal information is required to be collected, maintained and administered in order to provide a safe working environment and a high standard of quality.

The information we collect is used to provide services to participants in a safe and healthy environment with individual requirements, to meet duty of care obligations, to initiate appropriate referrals, and to conduct business activities to support those services.


  • applies to all personal information and sensitive personal information including the personal information of employees and participants
  • applies to all company confidential information – that is any information not publicly available.
  • applies to all representatives including key management personnel, directors, full time workers, part time workers, casual workers, contractors and volunteers.


Term Description
data breach A data breach is type of security incident where personal, sensitive or confidential information normally protected, is deliberately or mistakenly copied, sent, viewed, stolen or used by an unauthorised person or parties.
A data breach where people are at risk of serious harm as a result, is reportable to the Office of the Australian Information Commissioner.
personal information

Personal information includes (regardless of its accuracy):

  • name
  • address
  • phone number
  • email address
  • date of birth
  • recorded opinions or notes about someone
  • any other information that could be used to identify someone.
sensitive personal information

Sensitive personal information can include personal information that is normally private such as:

  • health information
  • ethnicity
  • political opinions
  • membership of a political association, professional or trade association or trade union
  • religious beliefs or affiliations
  • philosophical beliefs
  • sexuality
  • criminal record
  • biometric information (such as finger prints).



Privacy Principles

Collecting Information. Information necessary to the activities of the organisation and the functions of service delivery will be collected with the consent of the person or their representative.  This will include information about and from:

  • Customers and their family.
  • Volunteers, members and staff

Sharing Information. For the purposes of the activities of the organisation and functions of service delivery it is necessary for people to have access to information held.  Only those authorised persons will be permitted access to information held.
It is not within the necessary activities of the organisation or the function of service delivery to disclose personal information to overseas recipients.  Should this be required, consent would be sought as per the Australian Privacy Principles.

Anonymity and Pseudonymity. Individuals who contact Karakan are able to remain anonymous or utilise a pseudonym for some enquiries.  Where a person wishes to receive services from Karakan they are required to identify themselves.
Unsolicited Personal Information. If Karakan receives personal information that we have not solicited and is not reasonably necessary for the functions or activities of Karakan that information will be destroyed in a secure manner.

Direct Marketing. Karakan will not disclose any personal information it holds for the purpose of Direct Marketing.

Access to Personal Information. Karakan will provide access to the personal information held about an individual at the request of the individual.  Karakan will respond in a timely manner consistent with the Australian Privacy Principles to requests for access to personal information.  Karakan will ensure that the information accessed does not have an unreasonable impact on the privacy of other individuals or is in conflict with any other legislative requirements or legal proceedings.

Notifiable Data Breaches. Should the information held by the organisation be subject to a notifiable data breach then Karakan will comply with the requirements of the Notifiable Data Breaches (NDB) Scheme.  Information about the NDB Scheme can be sourced from the Office of the Australian Information Commissioner.

Making a Complaint. If anyone is concerned that the organisation has breached the Australian Privacy Principles, they are encouraged to advise the organisation and can make a complaint using the Complaints Management process.

Information is not disclosed about an individual without their consent (or the consent of the person responsible or guardian) except:
to comply with the laws of the Commonwealth, State or Territory or when compelled by a court
to prevent or minimise violence or any threat to a person’s life, health or property.

Karakan’s responsibilities

Karakan and its employees will ensure that we meet our responsibilities and are committed to:
managing personal information in accordance with the law and in an open and transparent way

  • not collecting personal information unless the information is necessary for our service delivery
  • not collect or share sensitive information without a customer’s (or their delegate’s) consent
  • not use or disclose your information for the purpose of direct marketing without your consent
  • endeavouring to ensure all personal information that is collected is accurate, up-to-date and complete
  • putting security measures in place to protect personal and sensitive information from misuse and unauthorised access
  • providing access to any individual whose information is held by us and correcting any inaccuracies
  • disposing of personal and sensitive information in accordance with legal and funding body requirements.

Collecting Information
Karakan and its employees will:

  • only collect information that is necessary for the performance and primary function of Karakan
  • notify individuals about why we collect the information and how it is administered
  • notify individuals that this information is accessible to them and how they can access this.

Data Quality

Karakan will:

  • take reasonable steps to ensure the information Karakan collects is accurate, complete, up to date, and relevant to the functions we perform.

Access and correction
Karakan and its employees will:

  • ensure individuals have a right to seek access to information held about them and to correct it if it is inaccurate, incomplete, misleading or not up to date.

Use and disclosure
Karakan and its employees will:

  • only use or disclose information for the primary purpose for which it was collected or a directly related secondary purpose
    for other uses, Karakan and its employees will obtain consent from the affected person.

Karakan and its employees will:

  • ensure individuals are aware of Karakan’s Privacy Policy and its purposes
  • make this information freely available in relevant publications and on the organisation’s website.
  • Making information available to other organisations

Karakan and its employees can:

  • only release personal information about a person with that person’s express permission
  • for personal information to be released, the person concerned must sign a release form
  • release information to third parties where it is requested by the person concerned.
  • Data security and retentionK

Karakan and its employees will:
safeguard the information we collect and store against misuse, loss, unauthorised access and modification
only destroy records in accordance with the appropriate legislation and funding body requirements.

Security of Information
Karakan is required to:

  • take reasonable steps to protect the personal information we hold against misuse, interference, loss, unauthorised access, modification and disclosure.
  • ensure personal information is accessible to the participant and is available for use by relevant workers
  • provide password protection for IT systems, locked filing cabinets and physical access restrictions with only authorised personnel permitted access to personal information
    securely destroyed or de-identify personal information no longer required.

Data breaches
Karakan will:

  • take reasonable steps to reduce the likelihood of a data breach occurring including storing personal information securely and accessible only by relevant workers
  • take reasonable steps to reduce the chance of harm and advise you of any breach or suspected breach where your personal information may have been accessed by
  • unauthorised parties a
  • notify the Office of the Australian Information Commissioner as required.

Karakan will:

  • give individuals the option of not identifying themselves when completing evaluation forms or opinion surveys.
    Privacy and confidentiality guidelines

Karakan is committed to:

  • complying with the privacy requirements of the Privacy Act, the Australian Privacy Principles and for Privacy Amendment (Notifiable Data Breaches) as required by
  • organisations providing disability services
  • complying with the consent requirements of the NDIS Quality and Safeguarding Framework and relevant state or territory requirements
  • providing all individuals with access to information about the privacy of their personal information
  • ensuring each individual has the right to opt out of consenting to and providing their personal details if they wish
  • ensuring that individuals have access to their personal records by requesting this
  • reporting to government funding bodies in a way that is non-identifiable and related only to services and support hours provided, age, disability, language, and nationality
  • ensuring personal information will only be used by us and will not be shared outside the organisation without your permission unless required by law (e.g. reporting assault,
  • abuse, neglect, or where a court order is issued)
  • ensuring images or video footage of participants will not be used without their consent
  • ensuring customers are involved in external NDIS audits if they wish.

Breach of privacy and confidentiality

  • a breach of privacy and confidentiality is an incident—follow the Manage incident process to resolve
  • a breach of privacy and confidentiality may require an investigation
  • an intentional breach of privacy and confidentiality by a Karakan employee will result in disciplinary action up to and including termination of employment.

Approval details

CONTROLLED DOCUMENT Privacy and confidentiality
Approved by: Karakan board Date of Approval: 31/1/2008
Revision Number:8
Date: March 2019