Operational Guideline – Information Handling – Disclosing Protected Information

Legislation

1.Read ss.4, 9 (definition of ‘protected information’), and 60 to 67 of the National Disability Insurance Scheme Act (2013) (NDIS Act) and Parts 4 and 5 of the National Disability Insurance Scheme (Protection and Disclosure of Information) Rules 2013 (Protection and Disclosure of Information Rules).

General Principles

2.People with disability should have their privacy and dignity respected.

See s.4(10) of the NDIS Act.

Content

3.There are three Operational Guidelines that deal with protected information:

a.This Operational Guideline deals with the disclosure of protected information to people outside the National Disability Insurance Agency (NDIA).

b.Operational Guideline – Handling Information – Collecting, accessing and recording Protected Information deals with the collection, accessing and recording of protected information. It deals with how people inside the NDIA are to deal with protected information.

See Operational Guideline – Information Handling – Collecting, accessing and recording Protected Information.

c.Operational Guideline – Information Handling – Serious Threat to Life, Health or Safety deals with the disclosure of protected information to people outside the NDIA when there is a serious threat to a person’s life, health or safety.

See Operational Guideline – Information Handling – Serious Threat to Life, Health or Safety.

Strict controls exist to protect the privacy of information that identifies a person or is about a person

4.Every officer in the NDIA is required to comply with the provisions in the NDIS Act that deal with protected information and the provisions of the Privacy Act 1988 (Privacy Act) which deal with personal information. There are also NDIA policies and directions made by the CEO that must be complied with.

5.The provisions in the NDIS Act are backed up by criminal offences in the NDIS Act that attract a penalty of up to 2 years imprisonment. Additionally, the provisions of the Privacy Act are policed by the Privacy Commissioner and the sanctions that can be imposed include the payment of compensation.

See s.52(1) of the Privacy Act and ss.61 to 64 of the NDIS Act.

Wide definitions of ‘protected information’ and ‘personal information’

6.The definition of ‘protected information’ in the NDIS Act is wide and protected information means:

a.Information about a person that is or was held in the records of the NDIA, or

b.Information to the effect that there is no information about a person held in the records of the NDIA.

7.The definition of ‘personal information’ in the Privacy Act is also wide and essentially includes any information about an identified person. ‘Personal information’ is defined to mean:

information or an opinion about an identified individual, or an individual who is reasonably identifiable:

(a)whether the information or opinion is true or not, and

(b)whether the information or opinion is recorded in a material form or not.

See s. 6 of the Privacy Act and s.9 of the NDIS Act.

8.‘Person’ in the NDIS Act extends to corporations, partnerships, joint ventures and other entities that are not human beings. Therefore NDIA officers need to be careful in dealing with information about inanimate entities such as companies, trusts and partnerships as these are protected in the same way under the NDIS Act as is information about individuals.

See s.6 of the Privacy Act and s.9 of the NDIS Act.

Criminal sanctions may apply to people dealing with protected information

9.The NDIS Act contains a number of criminal offences for the collection, use, accessing and recording of protected information. The offences carry a penalty of 2 years imprisonment or 120 penalty units and, in summary, relate to:

a.Collecting protected information

b.Making a record of protected information

c.Soliciting the disclosure of protected information, and

d.Offering to supply protected information.

See ss.61, 62, 63 and 64 of the NDIS Act.

The privacy protection extends to all people, including contractors, and to further dealing with the protected information after it leaves the NDIA

10.The criminal offences in the NDIS Act for the collection, use, accessing and recording of protected information extend to:

a.All people and not just NDIA officers. This is because the obligations and offences in the NDIS Act apply to ‘a person’ who deals with protected information. Contractors and others who deal with protected information are required to comply with the obligations in relation to the protection of the privacy of the protected information – the term ‘person’ includes individuals, corporations, a body politic (such as a Minister) and, in some cases, un-incorporated bodies (such as partnerships).

See s.203 of the NDIS Act.

b.The rules regarding any further dealing with protected information after it leaves the NDIA are as follows. The NDIS Act defines protected information as ‘information about a person that is or was held in the records of the Agency’. Protected information retains its privacy protection after it is disclosed to a person outside the NDIA and people who deal with protected information are required to comply with the obligations in relation to the protection of the privacy of the protected information.

11.When protected information is given to a person in connection with the provision of a service to the NDIA, the Terms of Business that registered providers must abide by require them to treat protected information in accordance with this set of Operational Guidelines on information handling.

The criminal sanctions do not stop the NDIA doing its job

12.The NDIS Act allows NDIA officers to properly perform their duties. A person does not commit an offence if:

a.The person is authorised by the NDIS Act, or required by the NDIS Act, to disclose the protected information, and/or

b.The officer is acting in the performance of his or her duties, powers or functions under the NDIS Act.

See ss.61(b), 62(b), 63(b) and 64(3) of the NDIS Act.

Disclosure to people outside the NDIA, disclosure to people inside the NDIA and serious threats to life, health or safety

13.There are three Operational Guidelines that deal with the disclosure of protected information:

a.This Operational Guideline deals with the disclosure of protected information to people outside the NDIA

b.The disclosure of protected information to people inside the NDIA is dealt with in Operational Guideline – Handling Information – Collecting, Accessing and Recording Protected Information, and

c.The disclosure of protected information to people outside the NDIA when there is a serious threat to a person’s life, health or safety is dealt with in Operational Guideline – Handling Information – Serious Threat to Life, Health or Safety.

The NDIS Act authorises officers to disclose protected information to people outside the NDIA

14.The NDIS Act contains a number of specific authorisations that allow NDIA officers and other persons in lawful possession of protected information such as contracted local area coordinators and registered providers to disclose protected information to people outside the NDIA. The disclosure must be by a delegate who is an officer of the NDIA.

See s.202(2) of the NDIS Act.

15.Protected information may only be disclosed by NDIA officers to people outside the NDIA through one of the seven ways that disclosure is authorised in the NDIS Act:

a.To prevent or lessen a serious threat to an individual’s life, health or safety (See Operational Guideline – Handling Information – Serious Threat to Life, Health or Safety).

See s.66(1)(a) and 66(1)(b) of the NDIS Act and Operational Guideline – Handling Information – Serious Threat to Life, Health or Safety.

b.For the purposes of the NDIS Act. This includes disclosures made when an officer is performing any of his or her functions and duties under the NDIS Act.

See s.66(2)(e) of the NDIS Act.

c.Where a person to whom the information relates requests or consents to the disclosure or can be taken to have consented or requested the disclosure. This is called an express or implied authorisation.

See s.66(2)(d)(iii) of the NDIS Act.

d.Where disclosure is to a nominee and relates to the participant represented by the nominee.

See s.66(3) of the NDIS Act.

e.When a delegate certifies that it is necessary in the public interest. Part 4 of the Protection and Disclosure of Information Rules sets out a number of categories for disclosure in the public interest.

See s.66(1)(a) of the NDIS Act and Part 4 of the Protection and Disclosure of Information Rules.

f.To a Secretary or head of a Commonwealth, state or territory department, chief executive of an authority, Centrelink or Medicare. The disclosure must be for a purpose related to the functions of the organisation receiving the information.

See s.66(1)(b) of the NDIS Act.

g.When a delegate believes on reasonable grounds that the information is reasonably necessary for research relevant to the National Disability Insurance Scheme (NDIS), actuarial analysis relevant to the NDIS or policy development.

See s.60(3) of the NDIS Act.

NDIA procedure

16.NDIA officers will generally not be permitted to disclose protected information to persons outside the NDIA using the following ways that disclosure is authorised under the NDIS Act:

a.A delegate certifying that it is necessary in the public interest

b.To a Secretary or head of a Commonwealth, state or territory department, chief executive of an authority, Centrelink or Medicare, or

c.When a delegate believes on reasonable grounds that the information is reasonably necessary for research, actuarial analysis or policy development.

17.Disclosing information to host jurisdictions to facilitate transition into the NDIS is necessary to ensure responsible funds management and administration of eligibility criteria. All other requests for disclosure of protected information under the above authorisations are to be referred to the Privacy Contact Officer for action.

18.The Privacy Contact Officer should also be contacted whenever assistance is required. In the case of urgent disclosures to prevent or lessen a serious threat to an individual’s life, health or safety, officers are to use Operational Guideline – Handling Information – Serious Threat to Life, Health or Safety.

Disclosure for the purposes of the NDIS Act

19.The NDIS Act allows for the disclosure of protected information when the disclosure is ‘for the purposes of the NDIS Act’.

See s.66(2)(e) of the NDIS Act.

20.Officers in the NDIA do not have to make a decision under the NDIS Act before disclosing protected information when the disclosure is for the purposes of the NDIS Act.

21.This is because the disclosure is authorised by the words of the NDIS Act itself when it relates to an officer doing something for a purpose under the NDIS Act. For example, a disclosure will be for the purposes of the NDIS Act if the disclosure is authorised by the NDIS Act, required by the NDIS Act or when an officer is acting in the performance of his or her duties, powers or functions under the NDIS Act.

22.A disclosure of protected information will also be for the purposes of the NDIS Act when a person provides information to the NDIA for a purpose under the NDIS Act and the information is used for that purpose.

23.Of course, the disclosure of protected information for any purpose other than a purpose under the NDIS Act will not be authorised and may be a criminal offence. For example, disclosures for a private purpose.

Participant requests or consents to disclosure of information

24.The NDIS Act allows for the disclosure of protected information when a person to whom the information relates requests or consents to the disclosure, or can be taken to have requested or consented to the disclosure. This is called an express or implied authorisation.

See s.60(2)(d) of the NDIS Act.

25.The request or consent can be in writing (such as by email), by telephone, or orally in a face to face conversation. NDIA officers are to record the request or consent and seek to obtain a written request or consent when they consider it appropriate because of the circumstances or sensitivity of the information.

26.A person will be taken to have consented to the disclosure of the information when the person requests or agrees to a course of action and the disclosure is necessary to carry out their wishes. For example, a disclosure to a service provider when a participant has requested that services be obtained from that provider.

27.NDIA officers do not have to make a decision under the NDIS Act before disclosing protected information to persons outside the NDIA when the disclosure is with the express or implied authorisation of the person to whom the information relates.

28.In doing so, NDIA officers should ensure that the receiving person understands the obligations on them to comply with the NDIS Act.

Disclosure to nominees

29.Where disclosure is to a nominee and relates to the participant represented by the nominee the disclosure is authorised under the NDIS Act.

See s.66(3) of the NDIS Act.

Disclosure in the public interest

30.The delegate may disclose protected information when the delegate certifies that the disclosure is necessary in the public interest.

See s.66(1)(a) of the NDIS Act.

31.Before information can be disclosed in the public interest a delegate is required to make a decision under the NDIS Act. Decisions are made on a case by case basis. Officers are to note that a public interest disclosure decision under s.66(1)(e) of the NDIS Act is to be made centrally and all requests are to be referred to the Privacy Contact Officer. The Privacy Contact Officer prepares the required release certificate for signature by a delegate, most usually a launch manager.

32.The delegate may give a public interest certificate for the disclosure of NDIS information if:

a.The information cannot reasonably be obtained from another source, and

b.The person to whom the information will be given has a sufficient interest in the information.

See r.4.3 of the Protection and Disclosure of Information Rules.

33.A person has sufficient interest in the NDIS information if:

a.The delegate is satisfied that, in relation to the purpose of the disclosure, the person has a genuine and legitimate interest in the information, or

b.The person is a Commonwealth, state or territory Minister.

See r.4.4 of the Protection and Disclosure of Information Rules.

34.In considering whether to give a public interest certificate the delegate should have regard to whether the person to whom the disclosure is to be made would be likely to be in a position to seek assistance themselves or give notice of their circumstances.

See r.4.5 of the Protection and Disclosure of Information Rules.

35.The situations in which a certificate will usually be provided are where disclosure is necessary for:

a.Enforcement of the criminal law

b.Enforcement of a law imposing a pecuniary penalty

c.Prevention of an act that may have a significant adverse effect on the public revenue

d.Correction of a mistake of fact concerning the administration of the NDIA such as where it is alleged that the NDIA mishandled a person’s access request

e.Briefing of a Commonwealth, state or territory Minister in the context of complaints about the NDIA received by the Minister or the anomalous effects of NDIS laws

f.Locating a missing person

g.Assisting a coronial or similar inquiry

h.Assisting the administrator of a deceased’s estate, or

i.Assisting a child welfare agency in carrying out its responsibilities for child welfare or contacting a parent or relative of a child (see Operational Guideline – Information Handling – Serious threat to Life, Health or Safety for additional information).

See rs.4.6 to 4.10 of the Protection and Disclosure of Information Rules.

36.The information is to be provided to the person requesting it by as secure a method as possible. It must be explained to the recipient that the information is, and continues to be, protected information and the contents are not to be further disclosed, unless further disclosure is required to further the purposes of disclosure. For example, further disclosure may be necessary in cases where misinformation is to be corrected, or a missing person is to be located.

Disclosure to heads of agencies

37.The CEO may disclose protected information to the Secretary of a Commonwealth Department, the chief executive (however described) of a state or territory department, or the head of an authority of the Commonwealth or of a state or territory. The disclosure must be for the purposes of the agency to which the information is disclosed. This power or function is not delegated by the CEO.

See ss.66(1)(b)(i) and (v) of the NDIS Act.

38.The CEO may also disclose protected information to the Chief Executive of Centrelink for the purposes of a Centrelink program or to the Chief Executive of Medicare for the purposes of a Medicare program.

See ss.66(1)(b)(iii) and (iv) of the NDIS Act and r.5.4 of the Protection and Disclosure of Information Rules.

39.Before information can be disclosed to heads of agencies the CEO is required to make a decision under the NDIS Act. Decisions are made on a case by case basis. Officers are to note that disclosure decisions under s.66(1)(b) of the NDIS Act are to be made centrally and all requests are to be referred to the office of the CEO or the Privacy Contact Officer. Officers are not permitted to disclose protected information to agency heads. The CEO exercises this function personally.

40.If the CEO discloses protected information the Privacy Contact Officer will make a record of:

a.The information that was disclosed

b.The Secretary, chief executive (however described) or head of authority to whom the information was disclosed, and

c.Where relevant, the purpose for which the disclosure was requested by the Secretary, chief executive (however described) or head of authority or, if the information was disclosed on the CEO’s own initiative, the purpose for which the information was disclosed.

See r.5.5 of the Protection and Disclosure of Information Rules.

Disclosure for the purposes of research, actuarial analysis and policy

41.The CEO may disclose protected information where the CEO believes, on reasonable grounds, that it is reasonably necessary for one or more of the following purposes:

a.Research into matters relevant to the NDIS

b.Actuarial analysis of matters relevant to the NDIS, or

c.Policy development.

See s.60(3) of the NDIS Act.

42.Before information can be disclosed for these purposes a delegate is required to make a decision under the NDIS Act. Decisions are made on a case by case basis. Officers are to note that disclosure decisions under s.60(3) of the NDIS Act are to be made centrally and all requests are to be referred to the office of the Privacy Contact Officer. Officers will generally not be permitted to disclose protected information for the purposes of research, actuarial and policy development.

Operational Guideline – Information Handling – Disclosing Protected Information (v 2.0)

Publication date: 8 April 2014