How we handle
your information

What information we collect

The information we collect depends on your relationship with us. It may include:

• Identity and contact details: name, date of birth, address, phone, email.
• NDIS information: NDIS participant number, plan details, funding allocations, goals.
• Health information: disability and support needs, medical history relevant to your support, medications, allergies, treating practitioners.
• Support-delivery records: shift notes, incident reports, progress records, communication logs.
• Emergency contacts and representatives: next of kin, nominees, guardians, support coordinators.
• Cultural and language preferences: where relevant to matching you with appropriate workers.
• Financial information: invoicing and payment details for plan-managed or self-managed arrangements.
• Worker information: for our staff — employment, screening check, training and performance records.

How we collect it

Wherever possible, we collect information directly from you. In some cases we may collect information from:

• Your support coordinator, plan manager, or NDIS planner (with your knowledge)
• Your treating health practitioners (with your consent)
• Family members, carers, or authorised representatives where you’ve consented to their involvement
• Publicly available sources (e.g. ABN lookup for invoicing)

Why we collect it & how we use it

We only collect what we need to deliver your supports safely and effectively. Specifically, we use your information to:

• Assess whether we can meet your support needs
• Plan, deliver, and coordinate your NDIS supports
• Match you with appropriate support workers
• Communicate with you, your family, and your NDIS team
• Invoice plan managers, self-managed participants, or the NDIA as relevant
• Meet our record-keeping and reporting obligations under NDIS rules, safety standards, and Australian law
• Improve our services (using de-identified information only)
• Respond to complaints, feedback, and incidents

Who we may share it with

We do not sell or trade personal information. We may share relevant information with:

• Our support workers — only the information they need to deliver your supports safely
• Your NDIS team — support coordinator, plan manager, or NDIA as authorised by you
• Treating health practitioners — only where necessary and with your consent
• Emergency services or next of kin — in genuine emergencies
• Regulators — the NDIS Quality and Safeguards Commission, where required by law or under mandatory reporting obligations
• Our service providers — such as IT, rostering software, and accounting tools, under confidentiality agreements

We only share what is reasonably necessary for the purpose.

How we store & protect it

We store records electronically in access-controlled systems hosted in Australia. Physical records (where they exist) are kept in locked storage. Access is restricted to staff who need it for their role.

Our protections include:

• Password-protected systems with role-based access
• Multi-factor authentication on staff accounts
• Encrypted data transmission
• Regular backups and disaster-recovery procedures
• Staff training on privacy, confidentiality, and data handling
• Confidentiality clauses in all worker agreements

How long we keep it

We retain records for as long as required under NDIS rules and Australian law — generally seven years after the end of service delivery, or longer where required (for example, for minors, until age 25 or seven years after service, whichever is later). Incident and complaint records are kept for a minimum of seven years.

After the retention period, information is securely destroyed or permanently de-identified.

Your rights

Under the Privacy Act and NDIS standards, you have the right to:

• Access the personal information we hold about you
• Correct information that is inaccurate or out of date
• Request that we explain what we have, why, and who has access
• Withdraw consent for specific uses (though this may affect our ability to deliver supports)
• Complain to us, the Office of the Australian Information Commissioner, or the NDIS Commission if you believe your privacy has been breached

To make any of these requests, contact us at hello@anchoraim.com.au or 0411 727 133. We respond to requests within 30 days.

Data breaches

We take data security seriously. If a data breach occurs that is likely to cause you serious harm, we will:

• Notify you directly as soon as practicable
• Notify the Office of the Australian Information Commissioner where required under the Notifiable Data Breaches scheme
• Take steps to contain the breach and prevent recurrence

Changes to this policy

We review this policy annually. If we make material changes, we’ll notify current participants directly. The most current version is always available at anchoraim.com.au/privacy.html.

Complaints

If you believe we have mishandled your personal information, please contact us first — we want to hear and will investigate properly. See our Complaints & Feedback policy for how we handle concerns.

If we haven’t resolved your concern, you can escalate to:

• Office of the Australian Information Commissioner — 1300 363 992 · oaic.gov.au
• NDIS Quality and Safeguards Commission — 1800 035 544 · ndiscommission.gov.au