Privacy and Confidentiality


Karakan acknowledges every individual’s right to privacy.  This policy sets out how Karakan protects privacy and ensures confidentiality in compliance with: 

  • Privacy Act 1988  
  • Australian Privacy Principles  
  • Privacy Amendment (Notifiable Data Breaches) as required by organisations providing disability services 
  • the information privacy protections and consent requirements of the NDIS Quality and Safeguards Commission 
  • all associated federal and Queensland standards, guidelines and codes of practice. 



  • applies to all employee and service information  
  • applies to all company information that is not publicly available. 


  • applies to key management personnel, directors, employees, contractors and volunteers. 




Data breach 

A data breach is type of security incident where personal, sensitive or confidential data normally protected, is deliberately or mistakenly copied, sent, viewed, stolen or used by an unauthorised person or parties. 

A data breach where people are at risk of serious harm as a result, is reportable to the Office of the Australian Information Commissioner. 

Personal information 

Personal information includes (regardless of its accuracy): 

  • name 
  • address 
  • phone number 
  • email address 
  • date of birth 
  • recorded opinions or notes about someone 
  • any other information that could be used to identify someone. 

Sensitive personal information 

Sensitive personal information can include personal information that is normally private such as: 

  • health information 
  • ethnicity 
  • political opinions 
  • membership of a political association, professional or trade association or trade union 
  • religious beliefs or affiliations 
  • philosophical beliefs 
  • sexuality 
  • criminal record 
  • biometric information (such as fingerprints). 

Related documents that underpin implementation of this policy 

  • Code of conduct and ethics & NDIS code of conduct 
  • Information security policy 
  • Maintenance, records and audit policy 
  • Acceptable use of computers, internet and email policy 
  • Whistle blower policy. 

Privacy protection practices 


Karakan ensures that all relevant parties are aware of this policy and its purpose making sure this policy and related resources are publicly available and in easy read formats. 

Anonymity and pseudonymity 

  • People who contact Karakan are able to remain anonymous or utilise a pseudonym for some enquiries 
  • People who wish to receive services from Karakan are required to identify themselves 
  • People have the option to remain anonymous when making a complaint or when being asked for input during collection of program evaluation data or opinion based feedback surveys. 

Collecting information 

  • Only information reasonably necessary to the activities of the organisation is collected   
  • Information held will only be used to provide services, conduct business activities to support those services such as to initiate or consider referrals, and to meet duty of care obligations 
  • Karakan endeavours to ensure collected information is accurate, up-to-date and complete 
  • Information is only collected with the consent of the person (or their formal representative, where applicable). This includes information about and from customers, their family, people in their support network including health and other service partners, and our employees including contractors. 

Unsolicited personal information 

If Karakan receives personal information that we have not solicited and is not reasonably necessary for the functions or activities of Karakan, that information will be destroyed in a secure manner. 

Keeping collected information secure 

Karakan takes all reasonable steps to protect the personal information we hold against misuse, interference, loss, unauthorised access, modification and disclosure by: 

  • storing personal information securely and accessible only by relevant workers 
  • maintaining security measures such as IT accounts password protection, cyber security currency and penetration monitoring, locked filing cabinets and other physical access restrictions.  

Use and disclosure 

Only authorised persons are permitted access to use and disclose information held by Karakan.  Karakan ensures this by: 

  • providing employees with training, instruction and supervision in the requirements of person-centred, recovery-oriented practice, and privacy protections including what and how they must do, and not do to safeguard information, protect privacy and ensure confidentiality  
  • regular monitoring and review of processes and procedures to ensure they are strengthened by system controls and continuous improvement 
  • only using or disclosing information for the purpose for which it was collected 
  • never disclosing information held without consent, subject to exceptions allowed by law 
  • never recording audio and/or video without consent 
  • never using audio recordings, video footage and/or images without consent 
  • notifying people about why and how their information is administered 
  • notifying people that their information is accessible to them and how they can access it 
  • responding to requests for access to information in accordance with this policy 
  • ensuring data is de-identified before being provided to funding bodies  
  • communicating with impacted people about instances where their personal information may have been accessed by or disclosed to unauthorised parties 
  • ensuring NDIS customers are given the option to be involved in or opt-out of external audit. 

Retention and destruction 

Karakan retains, and when no longer required will destroy or will de-identify personal information in accordance with legal and funding body requirements. 

Direct marketing 

Karakan will not collect or disclose any personal information it holds for the purpose of direct marketing. 

Social media 

When people interact with Karakan’s social media accounts, Karakan may collect publicly available information from those interactions, such as your name and content relevant to the interaction.  

The information Karakan collects from public social media profiles may be used for the purpose of responding to comments, questions, and messages, as well as for engaging in discussions related to our services, products, or relevant topics.  

While Karakan aim to engage with the social media audience, we encourage people to avoid sharing details about private matters in public comments or direct messages. We recommend that discussions about private matters be communicated via the contact options on our website. 

Karakan social media posts may contain links to third-party websites, articles, or content. Please note that Karakan is not responsible for the privacy practices or content on external platforms or websites. 

People have the option to interact with our social media content and accounts in a way that is comfortable for them. People can choose to follow, like, share, comment, or send direct messages to our official accounts. People also have the right to unfollow or unfriend us at any time. 

Breach of privacy 

  • A breach of privacy will be responded to in accordance with our incident management policy 
  • An intentional breach of privacy by a Karakan employee will be investigated and managed in line with codes of conduct and ethics and other human resource policies and processes. 

Access to personal information 

Karakan will respond to requests for access information in a manner consistent with the Australian Privacy Principles to requests for access to personal information.  Karakan will ensure that the information accessed does not have an unreasonable impact on the privacy of other individuals or is in conflict with any other legislative requirements or legal proceedings. 

People have a right to seek access to information held about them subject to exceptions allowed by law. 

Access would usually be provided by arranging the sighting of the information in the company of Karakan office staff.  

To request access personal information, a statement detailing the requested information should be provided in one of the following ways: 

  • By phone 07 3299 1898 – ask to speak to a team leader or a manager about accessing your personal information.  They will ask you what specific information you would like to access and capture your request in writing 
  • By email to qualityandsafety@karakan.com.au listing the specific information to which access is requested  
  • By letter to Karakan Ltd, Unit 14a, 10 Old Chatswood Road, Daisy Hill, QLD 4127 listing the specific information to which access is requested.  

If Karakan are unable to provide access to the requested information, a written reply that includes the reason/s will be provided. 

Privacy complaints 

Concerns or complaints about privacy should be directed to a team leader. Concerns or complaints about Karakan’s handling of a request for access to information should be directed to a manager or the Chief Executive Officer.    

If you have concerns about Karakan’s handling of your request for access to information or Karakan’s handling of a privacy complaint, please contact the Quality & Risk Manager or Chief Executive Officer, depending on who handled your matter, or email qualityandsafety@karakan.com.au  

At any time, any person can raise a complaint with the NDIS Quality and Safeguards Commission.   

Karakan encourages people to seek external assistance as appropriate to the circumstances.  A list of relevant contacts is available on the Karakan website. 

Data breach management 


To prevent data breaches, Karakan will: 

  • ensure that all methods of data collection, both online and offline, have robust security measures in place 
  • verify the security measures of all third-party information management systems/digital platforms that we are using 
  • data collection and handling 
  • data access and editing 
  • data deletion and disposal 
  • common data security, risks and scams (e.g. phishing emails, fake websites, technical support scams.) 
  • key data protection practices (e.g. log in credentials, multi-factor authentication, system updates, anti-virus software, data-backups) 
  • steps to take during a data breach incident 
  • data breach reporting obligations. 
  • comply with this policy 
  • comply with all relevant legislation  
  • incorporate data safety and cyber security into the governance of our organisation. 


Under the Notifiable Data Breach (NDB) Scheme, all notifiable data breaches must be reported to the Office of the Australian Information Commissioner (OAIC). A notifiable data breach is any breach of data that is likely to cause any person or organisation serious harm. Examples of serious harm include: 

  • identity theft 
  • risk of physical harm 
  • serious psychological harm 
  • harm of an individual’s reputation 
  • loss of trust in our organisation 
  • financial loss 
  • legal and regulatory consequences. 

In addition to the above, if NDIA participant information was compromised during a data breach we will inform that NDIA by emailing privacy@ndis.gov.au   Notification will include participant ID, name and any other identifying information about a participant or their plan. 

If a data breach significantly impacts Karakan’s ability to comply with the requirements of our NDIS registration, we will notify the NDIS Quality and Safeguards Commission. 

Notifiable Data Breaches 

Should the information held by Karakan be subject to a notifiable data breach then Karakan will comply with the requirements of the Notifiable Data Breaches (NDB) Scheme.  Information about the NDB Scheme can be sourced from the Office of the Australian Information Commissioner. 

Managing Data Breaches 

Karakan will take each data breach or suspected data breach seriously and respond immediately to contain, assess and remediate every incident on a case-by-case basis. When responding to a data breach or suspected data breach, we will: 

  • contain the breach to prevent any compromise of personal information 
  • assess the breach to gather facts and evaluate risks including potential harm to individuals and whether the breach requires reporting 
  • act where required to remediate any risk of harm 
  • notify individuals and (where required) the Office of the Australian Information Commissioner per the requirements of the NDB 
  • review the incident and consider continuous improvement actions to avoid future data breach incidents. 



Privacy and confidentiality policy  

Approved by: Karakan board 

Date of Initial Approval: 31/01/2008 

Revision Number: 9   

Date: 16th August 2023