Privacy and Confidentiality Policy

XYSTON PTY LTD is committed to protecting your privacy. This document outlines our legal obligations under the Privacy Act 1988 (Cth) and the NDIS Act 2013 (Cth), detailing how we collect, secure, and manage your personal information to ensure safety, compliance, and transparency.

1. Overview and Purpose

Defines our commitment to complying with Australian Privacy Laws and NDIS Standards to protect the organisation and its participants from liability and harm.

This Privacy and Confidentiality Policy (the “Policy”) outlines the legal obligations and practices of XYSTON PTY LTD (ACN 641 527 433) (the “Organisation”) concerning the collection, use, storage, and disclosure of personal and sensitive information.

This Policy is drafted in strict accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), the National Disability Insurance Scheme Act 2013 (Cth) (NDIS Act), and relevant Western Australian legislation including the Health Services (Quality Improvement) Act 1994 (WA) where applicable.

The purpose of this Policy is to protect the Organisation from legal liability, ensure the safety and privacy of NDIS Participants, and demonstrate compliance with the NDIS Quality and Safeguards Commission requirements.

2. Scope of Application

Applies to everyone we interact with—participants, staff, and website users—and binds all employees and contractors to strict confidentiality.

This Policy applies to all personal information collected, stored, used, and disclosed by the Organisation, including information related to:

  • NDIS Participants and their nominees/guardians;
  • Employees, contractors, and volunteers;
  • Business partners and donors; and
  • Online users of www.xyston.com.au.

All employees, contractors, volunteers, and agents of XYSTON PTY LTD are legally required to adhere to this Policy. Failure to comply may result in disciplinary action, up to and including termination of employment or contract.

3. Definitions

Clarifies legal terms used in this document, including the specific differences between “Personal,” “Sensitive,” and “Health” information.

  • Personal Information: Information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not.
  • Sensitive Information: A subset of Personal Information which requires higher protection, including information about an individual’s racial or ethnic origin, political opinions, religious beliefs, sexual orientation, criminal record, health information, genetic information, and biometric data.
  • Health Information: Information or an opinion about the health or a disability (at any time) of an individual, or an individual’s expressed wishes about the future provision of health services.
  • NDIS Participant: A person who meets the access requirements for the National Disability Insurance Scheme and is a client of the Organisation.
  • Data Breach: When personal information held by the Organisation is lost or subjected to unauthorised access or disclosure.

4. Legal Framework and Compliance

Lists the specific Australian laws we adhere to, acknowledging our dual duty to uphold privacy rights while meeting mandatory reporting obligations.

The Organisation is committed to full compliance with:

  • Privacy Act 1988 (Cth);
  • Australian Privacy Principles (APPs);
  • National Disability Insurance Scheme Act 2013 (Cth);
  • Spam Act 2003 (Cth); and
  • Notifiable Data Breaches (NDB) scheme.

The Organisation recognises its dual duty to uphold the privacy rights of individuals while meeting mandatory reporting obligations under Australian Law.

5. Collection of Personal Information

We only collect necessary information directly from you or authorised third parties, ensuring lawful and fair collection practices.

5.1. Lawful and Fair Collection

The Organisation will only collect personal and sensitive information that is reasonably necessary for its functions (specifically Support Coordination and NDIS services). Information will be collected directly from the individual, their legal guardian, or their appointed NDIS nominee wherever possible.

5.2. Third-Party Collection

We may collect information from third parties (such as Allied Health professionals, the NDIA, or other service providers) where the individual has consented, or it is unreasonable or impractical to collect the information directly from the individual.

5.3. Consent and Capacity

Where a participant has a legal guardian or nominee, the Organisation will obtain consent from that authorised representative. We presume capacity unless legally determined otherwise, supporting the NDIS principle of Choice and Control.

5.4. Unsolicited Information

If the Organisation receives personal information that it did not solicit, it will determine within a reasonable period whether it could have collected the information lawfully. If not, the information will be destroyed or de-identified immediately.

6. Use and Disclosure of Personal Information

We use data primarily for NDIS support. We may disclose information without consent only if required by law, to prevent serious threats, or for mandatory reporting.

6.1. Primary and Secondary Purpose

Personal information will be used for the primary purpose for which it was collected (provision of NDIS supports). It may be used for a secondary purpose if the individual consents or would reasonably expect such use (e.g., auditing, invoicing the NDIA).

6.2. Mandatory Disclosure (The Legal Shield)

Notwithstanding any other clause in this Policy, the Organisation may disclose Personal or Sensitive Information without consent if:

  • Required by Law: We are compelled by a court order, warrant, or subpoena.
  • Serious Threat: We reasonably believe the disclosure is necessary to lessen or prevent a serious threat to the life, health, or safety of any individual (including the participant) or to public health or safety.
  • NDIS Commission: Disclosure is required to the NDIS Quality and Safeguards Commission regarding a Reportable Incident.
  • Child Protection: Disclosure is mandated under Western Australian mandatory reporting laws regarding child abuse or neglect.

6.3. Disclosure to Third Parties

We may disclose information to:

  • The National Disability Insurance Agency (NDIA);
  • Other NDIS providers (for the purpose of referrals and coordination);
  • Cloud-based software providers (e.g., CRM or Accounting systems) required for business operation; and
  • Professional advisors (lawyers, accountants).

7. Data Security, Storage, and Retention

We protect your data with strict security measures and retain NDIS records for a mandatory 7-year period. By using our services, you consent to the use of secure cloud storage.

7.1. Security Measures

The Organisation protects information via:

  • Digital Security: Firewalls, encryption, complex password protocols, and Two-Factor Authentication (2FA) on cloud systems.
  • Physical Security: Locked storage for physical files and clean-desk policies.
  • Staff Training: Regular training on privacy and cyber-security.

7.2. Cross-Border Data Transfer (Cloud Computing)

The Organisation may use cloud-based storage providers (e.g., Microsoft 365, Xero) that host data on servers outside Australia. By providing your personal information, you consent to this storage. The Organisation takes all reasonable steps to ensure these providers adhere to security standards equivalent to the APPs.

7.3. Retention of NDIS Records

In strict accordance with the National Disability Insurance Scheme (Provider Registration and Practice Standards) Rules 2018, all records relating to NDIS participants will be retained for a minimum of seven (7) years from the day the record is made.

8. Website Usage and Cookies

Our website uses cookies and analytics to function correctly and improve user experience; these do not personally identify you.

8.1. Cookies

The website www.xyston.com.au uses “cookies” to improve user experience. These are small data files stored on your browser. They do not identify you personally but may track website usage statistics. Users may disable cookies in their browser settings, though this may limit website functionality.

8.2. Analytics

We may use Google Analytics or similar tools to track website traffic. This data is aggregated and de-identified.

9. Access and Correction

You have the right to access your personal information and request corrections if it is inaccurate, subject to certain legal exceptions.

9.1. Access Rights

Individuals have a right to request access to their personal information. The Organisation will respond within 30 days.

9.2. Refusal of Access

The Organisation reserves the right to refuse access under the Privacy Act if:

  • Granting access would pose a serious threat to the life, health, or safety of any individual;
  • Access would have an unreasonable impact on the privacy of others; or
  • The request is frivolous or vexatious.

9.3. Correction

If information is inaccurate, out-of-date, or incomplete, the Organisation will take reasonable steps to correct it. If we refuse to correct information, we will provide a written reason.

10. Notifiable Data Breaches (NDB)

We have a strict protocol for managing data breaches, including notifying affected individuals and the OAIC if serious harm is likely.

In the event of a data breach (unauthorised access, disclosure, or loss) that is likely to result in serious harm to any individual, the Organisation will:

  1. Contain the breach immediately;
  2. Assess the risk of harm; and
  3. Where required, notify the affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the NDB scheme.

11. Complaints Handling

We take privacy complaints seriously. You can complain directly to us, or escalate to the OAIC or NDIS Commission if unsatisfied.

11.1. Internal Procedure

Complaints regarding privacy should be directed in writing to the Privacy Officer. We will acknowledge receipt within 2 business days and aim to resolve the matter within 30 calendar days.

11.2. External Escalation

If the complainant is unsatisfied with the internal response, they may lodge a complaint with:

  • The Office of the Australian Information Commissioner (OAIC): www.oaic.gov.au
  • The NDIS Quality and Safeguards Commission: 1800 035 544

12. Contact Information

How to contact our Privacy Officer for any requests, corrections, or concerns.

For access requests, corrections, or privacy complaints, please contact:

Privacy Officer
XYSTON PTY LTD
Post: PO Box 48, Kingsway WA 6065
Email: admin@xyston.com.au
Phone: 08 9468 1502

13. Policy Review

This policy is effective immediately and is reviewed annually to ensure ongoing compliance.

This Policy is effective as of [Current Date] and will be reviewed annually or upon legislative changes. The current version is always available at www.xyston.com.au.