Privacy Policy

Privacy Policy



Prag Consulting is committed to protecting the privacy and dignity of all participants and ensuring that every participant can access supports in the knowledge that their personal and private information will remain confidential.

The purpose of this policy is to outline the obligations of Prag Consulting directors, managers, employees and contractors, and the measures in place to ensure that participants are treated with dignity and their privacy maintained.


This policy applies to directors, managers, employees and contractors.


Personal information – includes a broad range of information, or an opinion, that could identify an individual. What is personal information will vary, depending on whether a person can be identified or is reasonably identifiable in the circumstances

 Sensitive information – personal information that includes information or an opinion about an individual’s: racial or ethnic origin; political opinions or associations; religious or philosophical beliefs; trade union membership or associations; sexual orientation or practices; criminal record; health or genetic information; some aspects of biometric information. Generally, sensitive information has a higher level of privacy protection than other personal information.


People with a disability, consistent with everyone else in the community, have a fundamental right to privacy and confidentiality. The process of accessing supports necessarily means personal and private information that is relevant to service provision is collected, stored, related or shared with other relevant parties as and when necessary (according to strict legal and ethical requirements).

All Prag Consulting practices will comply with:

  • The Privacy and Data Protection Act 2014 (Vic)
  • The Health Records Act 2001 (Vic)
  • The Privacy Act 1988 (Cth)


Prag Consulting will only collect information that can be uses to support the provision of effective services.

Prag Consulting collects, and will hold and use personal information only for the primary purposes for which it was collected, or as set out below, including:

  • To provide services and supports in accordance with the participant’s service agreement
  • To comply with the requirements of the NDIS
  • To facilitate proper governance processes such as risk management, incident management, internal and external audits
  • To satisfy legal obligations, comply with applicable laws and meet the requirements of bodies which regulate the services Prag Consulting provide
  • To gather feedback about the services provided and undertake continuous quality improvement activities


Prag Consulting is committed to ensuring that there are clear and transparent processes in place to support every participant to understand the information that is being requested and to formally consent to the collection, usage and sharing of this information.

Consent is sought from participants following an agreement to engage Prag Consulting, and as part of the on-boarding process using the Consent to Seek and Share Information Form. Where, throughout the period of support, information needs to be sought from, or shared with a party not listed on the original consent form, the consent form must be amended.

A new Consent to Seek and Share Information Form should be obtained from participants with each new Service Agreement, or once in every 12 months.

For adults with a disability supported by Prag Consulting, the participation or involvement of family or significant others, including advocates and guardians, in information sharing and decision making is dependent on:

  • The relevant decision-making rights of family and significant others, including advocates and guardians, as determined by their legal status in relation to the person receiving support and
  • The expressed wishes of the person receiving support.

The Prag Consulting Participant Information Pack provides clear information for all participants regarding the collection, use, sharing and storage of personal and private information.


Prag Consulting will only collect information that is reasonably necessary for the delivery of services. This may include:

  • Name, address and contact details
  • Information relevant to the provision of services including family and living circumstances, guardianship arrangements
  • Sensitive information such as: gender, age, date of birth, health, disability and mental health information, racial or ethnic origin, or sexual preferences
  • Previous reports, assessments and plans


In most instances, information is collected directly from the participant or their family & supporters at the time of engagement with Prag Consulting. In some circumstances, personal information is received from third parties where participants have transferred to Prag Consulting or been referred for services.

Personal and private information may be collected in hard copy or electronic form.


Prag Consulting is committed to providing quality services that respect the privacy, dignity and confidentiality of all participants. The following information management processes are in place:

  • Hard copy information is stored in a locked filing cabinet at the Prag Consulting office
  • Electronic information is stored securely on the Prag Consulting cloud-based server. Participant level information is available only to Prag Consulting directors, and administration staff, the participant’s allocated Practitioner, and their direct supervisor. Practitioners have no access to participant information for participants they are not working with
  • All Prag Consulting directors, managers, employees and contractors are trained in the requirements of this policy.


Prag Consulting directors, managers, employees and contractors with access to confidential information must ensure it remains confidential, and at all times, act in accordance with legislation and the Australian Privacy Principles. This means confidential information is:

  • Never discussed with, or released to, any person within Prag Consulting or to any external agency or individual except:
    • For the purpose for which it was collected and on a need to know basis
    • Where authorised by the participant, or their authorised representative
    • Where required by law
  • Never be used for any purpose other than for the purpose which governed the collection of the information.


Prag Consulting will retain personal information in accordance with all applicable laws and or requirements of any government or other funding body’s record keeping requirements.

Prag Consulting will destroy personal information no longer needed and/or after legal requirements for retaining documents have expired. Information may be retained for seven (7) years after service has ceased.


Where a participant or their representative believes their privacy has been breached, a complaint should be made to the Director – Operations, who will oversee a thorough investigation. This will be lodged as an incident through the Prag Consulting 7.2 Incident Management Policy.

 Where personal information held by Prag Consulting is inadvertently lost or disclosed or improperly accessed, Prag Consulting will immediately notify the participant and/or their representative as soon as the breach has been identified.

Where a privacy breach has been found to have occurred, as per Prag Consulting’s 5.1 Quality & Continuous Improvement Policy¸ this will be logged on the Risk Register and reviewed on a regular basis to determine practice or policy improvements. An incident report will also be completed.


Where a participant or their representative wishes to complain about any aspect of how their information is collected, used, stored, managed, retained or destroyed, they should follow the Prag Consulting 5.2 Complaints Policy or make direct contact with the Director – Operations, who will act as the Prag Consulting Privacy Officer.

The Participant Information Pack also contains further information on how to make a complaint to the Office of the Australian Information Commission and the NDIS Quality and Safeguards Commission.