Privacy Policy
This policy explains how Havenridge Care collects, uses, stores, and discloses personal information.
1 About this policy
Havenridge Care Pty Ltd (“Havenridge Care,” “we,” “us,” or “our”) is committed to protecting the privacy and confidentiality of all personal information we collect, use, and store. We operate as an NDIS service provider in Queensland, Australia.
This Privacy Policy applies to all individuals whose personal information we handle, including NDIS participants, families, carers, support workers, referrers, coordinators, and website visitors.
We handle personal information in accordance with the Privacy Act 1988 (Cth), the 13 Australian Privacy Principles (APPs), the NDIS Act 2013, the NDIS Practice Standards, and applicable Queensland legislation including the Information Privacy Act 2009 (Qld) where relevant.
By using our website, making an enquiry, or entering a service agreement with us, you acknowledge that you have read and understood this Privacy Policy. We will never use your information in ways that are inconsistent with the purposes described here.
2 What personal information we collect
We collect personal information that is necessary for the delivery of our services and to meet our legal obligations. Types of information we may collect include:
| Category | Examples | Who it relates to |
|---|---|---|
| Identity information | Full name, preferred name, date of birth, gender | Participants, workers, referrers |
| Contact information | Address, phone number, email address | All individuals |
| NDIS information | NDIS number, plan type, funding categories, plan dates | Participants |
| Health & disability information | Diagnoses, medical conditions, medications, functional needs | Participants |
| Support information | Goals, behaviour support plans, risk assessments, incident reports | Participants |
| Financial information | Plan manager details, invoicing records, service agreement values | Participants, plan managers |
| Employment information | Worker screening numbers, qualifications, references | Support workers |
| Website information | IP address, browser type, pages visited (via cookies) | Website visitors |
3 Sensitive information
Health and disability information is classified as “sensitive information” under the Privacy Act 1988 (Cth) and attracts a higher level of legal protection. We only collect, use, and disclose sensitive information with your explicit consent, or where required by law or necessary to prevent a serious threat to life, health, or safety.
Sensitive information we may collect includes:
- Health information, including diagnoses, medications, and medical histories
- Disability-related information including functional needs, behavioural triggers, and support requirements
- Mental health information relevant to support planning
- Racial or ethnic origin (where disclosed for cultural support matching)
- Criminal history information (for worker screening purposes only)
We will always seek your informed consent before collecting sensitive information and will explain clearly how it will be used.
4 How we collect personal information
We collect personal information through:
- Directly from you — when you contact us by phone, email, or our website forms
- Referrals — from support coordinators, LACs, allied health professionals, or other providers with your consent
- Service delivery — intake forms, service agreements, progress notes
- Third parties — NDIA, plan managers, or other providers where authorised
- Our website — cookies and general analytics (see Section 11)
- Documents you provide — such as NDIS plans, reports, behaviour support plans
Where practicable, we will collect personal information directly from the individual it relates to. Where we collect information from a third party, we will notify you as soon as reasonably practicable.
5 How we use personal information
We use personal information for the primary purpose it was collected, or directly related secondary purposes, including to:
- Respond to enquiries and provide information about our services
- Deliver NDIS supports and manage service agreements
- Match participants with qualified and compatible support workers
- Communicate with participants, families, carers, and coordinators
- Meet NDIS registration, reporting, and compliance obligations
- Process invoices and manage funding arrangements
- Manage worker screening, employment and training records
- Conduct quality assurance and improve service delivery
- Meet legal, safety, and mandatory reporting obligations
- Respond to complaints and resolve disputes
We will not use your personal information for a purpose that is incompatible with the original purpose without your additional consent.
6 Disclosure & sharing of information
We do not sell, rent, or trade personal information. We may disclose personal information only where necessary and with appropriate authorisation to:
| Recipient | Reason for disclosure | Consent |
|---|---|---|
| Support workers | To deliver supports safely and effectively | Implied via service agreement |
| Plan managers | Invoice processing and budget management | Implied via plan arrangement |
| Support coordinators / LACs | Service coordination and progress updates | With participant consent |
| Allied health professionals | Care coordination and goal alignment | With participant consent |
| NDIS Quality & Safeguards Commission | Compliance, incident reporting, audits | Legal obligation |
| NDIA | Plan registration and compliance | Legal obligation |
| Emergency services | Where immediate safety risk exists | Overriding safety obligation |
| Legal or regulatory bodies | Where required by court order or law | Legal obligation |
Mandatory reporting: As an NDIS provider, we have obligations to report certain incidents to the NDIS Quality and Safeguards Commission. This may occur regardless of consent where the safety of a participant or others is at risk.
7 Overseas disclosure
Havenridge Care is a Queensland-based provider and primarily stores and processes information within Australia. Some third-party software tools we use (such as cloud-based document storage, email platforms, or practice management systems) may store data on servers located overseas, including in the United States or European Union.
Where personal information is disclosed to overseas recipients, we take reasonable steps to ensure those recipients handle the information consistently with the Australian Privacy Principles. By engaging our services, you acknowledge that some information may be stored on overseas servers as part of standard digital infrastructure.
We will notify you if we become aware of a material change to overseas storage arrangements that affects your personal information.
8 Children’s privacy
Havenridge Care applies the highest standard of privacy protection to information relating to children and young people. We are a child-safe organisation and comply with Queensland child safety legislation and the NDIS Practice Standards relating to child safety.
Where we collect personal information relating to a child under 18 years of age:
- We obtain consent from a parent or legal guardian before collecting or using the child’s information
- We collect only the minimum information necessary to deliver safe, appropriate support
- We do not share a child’s personal information without explicit guardian consent, except where required by law or mandatory reporting obligations
- All workers involved with children hold current Blue Cards and NDIS Worker Screening clearances
- Images, videos, or identifying information about children will never be used in marketing or public materials
Parents and guardians may contact us at any time to access, correct, or request deletion of information held about their child.
9 Storage & security
We take reasonable technical and organisational measures to protect personal information from misuse, loss, and unauthorised access, including:
- Password protection and access controls on digital systems
- Secure, encrypted storage for sensitive documents
- Limiting access on a need-to-know basis
- Regular review of data handling practices
- Secure disposal of physical documents
- Staff training on privacy obligations
Data breach response: If a data breach is likely to result in serious harm, we will comply with the Notifiable Data Breaches (NDB) scheme and notify affected individuals and the OAIC as required.
10 Retention & disposal of records
We retain personal information only for as long as needed, or as required by law. Our general retention approach is:
| Record type | Minimum retention period |
|---|---|
| Participant service records | 7 years from last service (or until age 25 for minors, whichever is longer) |
| Incident reports | 7 years minimum, per NDIS Commission requirements |
| Worker employment records | 7 years from end of employment |
| Financial / invoicing records | 5 years (ATO requirement) |
| Website enquiry records | 2 years, or until resolved |
When personal information is no longer required, we take reasonable steps to destroy or de-identify it securely.
11 Cookies & website analytics
Our website may use cookies to improve your experience and understand how visitors use the site. We may use essential, analytics, and preference cookies.
- Essential cookies — required for the website to function correctly
- Analytics cookies — used to understand general patterns of website usage (e.g. Google Analytics). These do not identify you personally
- Preference cookies — remember your settings and preferences between visits
You can disable cookies through your browser settings at any time. Disabling cookies may affect some website functionality. We do not use cookies to serve targeted advertising. Analytics data is aggregated and anonymised and is not linked to individual identities.
12 Your privacy rights
Under the Australian Privacy Principles, you have rights in relation to your personal information, including:
Right to access
Request access to personal information we hold. We respond within 30 days.
Right to correction
Request correction if information is inaccurate or out of date.
Right to know
Know what we hold, why we hold it, and who we may share it with.
Right to withdraw consent
Withdraw consent where we rely on consent (may affect service delivery).
Right to complain
Lodge a privacy complaint with us or with the OAIC.
Right to anonymity
Where lawful and practicable, interact anonymously for general enquiries.
To exercise these rights, contact us in Section 14. We may require identity verification.
13 Privacy complaints
If you believe we have handled your personal information in a way that does not comply with this policy or the Privacy Act, we encourage you to contact us first so we can work to resolve the issue.
Our internal complaints process
- Submit your complaint in writing via email or post (see Section 14)
- We acknowledge receipt within 5 business days
- We investigate and provide a written response within 30 days
- If you are not satisfied, you may escalate externally
External complaints
- OAIC — 1300 363 992
- NDIS Quality and Safeguards Commission — 1800 035 544
- Queensland Human Rights Commission — 1300 130 670
14 Contact us — privacy enquiries
For privacy enquiries, access requests, corrections, or complaints, contact us using:
POST
Havenridge Care Pty Ltd
Queensland, Australia
This Privacy Policy was last reviewed in March 2026 and will be reviewed at minimum annually or when significant changes occur. The most current version is always available on our website.