Privacy Policy

Last Updated: January 2026 Effective Date: 02/01/2026

Sr no TABLE OF CONTENTS 
1 Introduction & Scope 
2 Definitions & Interpretation 
3 Legal Framework & Compliance 
4 Personal Information We Collect 
5 How We Collect Information 
6 Why We Collect Information (Purpose) 
7 Who We Disclose Information To 
8 Overseas Disclosure
9 Consent & Authority 
10 Use of Personal Information 
11 Security & Storage of Information 
Sr no TABLE OF CONTENTS 
12 Data Breach & Notifiable Data Breaches Scheme 
13 Sensitive Information Management 
14 Health Information 
15 Participant Access & Correction Rights 
16 Retention & Destruction of Information 
17 Cookies & Website Tracking 
18 Third-Party Links 
19 Children’s Privacy 
20 Complaints & Dispute Resolution 
21 Privacy Officer & Contact Details 
22 Governance & Updates 

1. INTRODUCTION & SCOPE

1.1 About This Policy

Lotus Care SA Pty Ltd (ABN 86692510473 ) (“Lotus Care SA”, “we”, “us”, “our”) is a registered National Disability Insurance Scheme (NDIS) provider delivering disability support services across Adelaide, South Australia.

This Privacy Policy explains how we collect, use, disclose, store, and manage personal information in accordance with Australian privacy laws and NDIS regulations. This policy applies to:

  • All participants receiving services from Lotus Care SA
  • Family members and guardians who provide information on behalf of participants
  • Support workers and contractors engaged by Lotus Care SA
  • Website visitors and enquirers
  • All personal information collected in any format (paper, electronic, verbal, video, audio)

1.2 Our Privacy Commitment

Lotus Care SA recognizes that privacy is a fundamental human right. We are committed to:

  • Respecting and protecting your privacy in all interactions
  • Collecting only information necessary for safe and effective service delivery
  • Handling your information with care, confidentiality, and security
  • Being transparent about how we use your information
  • Enabling you to access, correct, and control your personal information
  • Complying with all applicable privacy laws and NDIS standards

1.3 Accessibility

This Privacy Policy is available:

  • On our website: www.lotuscaresa.com.au
  • In print format (on request)
  • In alternative formats (large print, easy read, accessible formats)
  • In other languages upon request

Contact us for alternative format versions: 0481 851 121 or info@lotuscaresa.com.au

2. DEFINITIONS & INTERPRETATION

2.1 Key Terms

“Personal Information” means information or an opinion about an identified individual or reasonably identifiable individual, whether the information or opinion is true or not, and whether stored in material form or not.

“Sensitive Information” means personal information relating to:

  • Race, ethnicity, or national origin
  • Political opinions or beliefs
  • Religious or philosophical beliefs
  • Membership of professional or trade associations
  • Sexual orientation or gender identity
  • Criminal history or alleged offences
  • Health information
  • Genetic information
  • Biometric information used for identification
  • Disability information

“Health Information” means personal information about physical, mental, or psychological health or disability; expressed wishes about the provision of health services; or a health service provider’s assessment or notes.

“Participant” means any person receiving disability support services from Lotus Care SA.

“Guardian” or “Responsible Person” means a person with legal authority to make decisions on behalf of a participant (parent, court-appointed guardian, enduring power of attorney holder, etc.).

“Support Worker” means any staff member, volunteer, or contractor engaged by Lotus Care SA to deliver services.

“NDIS” means the National Disability Insurance Scheme established under the National Disability Insurance Scheme Act 2013 (Cth).

“NDIS Commission” means the NDIS Quality and Safeguards Commission.

“Privacy Act” means the Privacy Act 1988 (Cth).

“Australian Privacy Principles” or “APPs” means the 13 principles in the Privacy Act that regulate privacy obligations.

“Code of Conduct” means the NDIS Code of Conduct for Disability Service Providers.

“Website” means www.lotuscaresa.com.au and all associated pages and applications.

“Disclosure” means providing personal information to third parties.

“Processing” means collecting, using, storing, disclosing, or managing information.

3. LEGAL FRAMEWORK & COMPLIANCE

3.1 Privacy Laws We Comply With

Lotus Care SA complies with all applicable Australian privacy legislation:

Commonwealth Laws:

  • Privacy Act 1988 (Cth)
  • Australian Privacy Principles (APPs)
  • Health Records Act provisions
  • Notifiable Data Breaches (NDB) Scheme
  • National Disability Insurance Scheme Act 2013 (Cth)

South Australian Laws:

  • Health Complaints Act 2004 (SA)
  • Disability Services Act 1993 (SA)
  • Freedom of Information Act 1991 (SA)
  • Guardianship and Administration Act 1995 (SA)

NDIS Regulations:

  • NDIS Code of Conduct for Disability Service Providers
  • NDIS Practice Standards (particularly Standard 1: Rights and Responsibilities – Privacy and Dignity)
  • NDIS Rules 2013
  • NDIS Supports Rules

3.2 APP Principles We Follow

Lotus Care SA’s privacy practices are based on the 13 Australian Privacy Principles:

  1. APP 1 – Open and transparent management of personal information
  2. APP 2 – Collection of solicited personal information
  3. APP 3 – Collection of unsolicited personal information
  4. APP 4 – Dealing with personal information
  5. APP 5 – Notification about personal information management
  6. APP 6 – Use or disclosure of personal information
  7. APP 7 – Direct marketing
  8. APP 8 – Credit reporting information (where applicable)
  9. APP 9 – Overseas disclosure of personal information
  10. APP 10 – Quality of personal information
  11. APP 11 – Security of personal information
  12. APP 12 – Access to personal information
  13. APP 13 – Correction of personal information

4. PERSONAL INFORMATION WE COLLECT

4.1 Types of Information

Lotus Care SA collects personal information necessary to provide safe and effective disability support services. This includes:

Contact & Identification Information:

  • Full name(s) (including preferred name)
  • Date of birth
  • Gender identity
  • NDIS participant number
  • Contact phone number(s) (mobile, home, work)
  • Email address(es)
  • Residential address
  • Mailing address (if different)
  • Emergency contact details
  • Medicare number (where relevant)
  • Identification documents (driver’s license, passport)

Disability & Support Needs:

  • Type of disability(ies)
  • Disability description and impact on daily life
  • Support goals and aspirations
  • Current support arrangements
  • Existing support workers or providers
  • Reasonable adjustments required
  • Communication requirements
  • Accessibility needs
  • Behavioral support requirements

Health & Medical Information:

  • Diagnosed medical conditions
  • Medications and dosages
  • Allergies and adverse reactions
  • Medical history
  • Treatment plans
  • Health practitioner names and contacts
  • Immunization records
  • Mental health information
  • Substance use information
  • Hospital or specialist appointments

Functional & Capability Information:

  • Mobility and physical capabilities
  • Cognitive and communication abilities
  • Self-care capabilities
  • Behavioral patterns
  • Strengths and skills
  • Learning needs
  • Employment/education status
  • Independent living capabilities

Family & Guardian Information:

  • Guardian or representative name and contact details
  • Family members’ names and relationships
  • Family contact preferences
  • Guardianship documentation
  • Enduring power of attorney details
  • Legal custody information

Service-Related Information:

  • NDIS plan details (if applicable)
  • Funding information
  • Service preferences and schedule
  • Previous service providers
  • Service history with Lotus Care SA
  • Service agreements and modifications
  • Participant feedback and satisfaction
  • Incident reports
  • Accident and injury reports
  • Complaint and dispute records

Financial Information:

  • NDIS funding details
  • Payment method and banking information
  • Invoice and billing address
  • Medicare and DVA information
  • Centrelink details (if relevant)
  • Insurance information

Cultural & Personal Preferences:

  • Aboriginal or Torres Strait Islander status
  • Cultural background and language
  • Preferred language for communication
  • Religious or spiritual beliefs (where relevant)
  • Personal preferences and interests
  • Family and support network details
  • Community connections and participation

Digital Information:

  • Website usage data
  • IP addresses
  • Device information
  • Login credentials
  • Email correspondence
  • Audio/video recordings (with consent)
  • Photographs (with consent)

4.2 Information We Don’t Collect

Lotus Care SA does not collect personal information that is:

  • Not necessary for providing services
  • Excessive or intrusive
  • Beyond legal authorization
  • For purposes other than disability support delivery (except where required by law)

5. HOW WE COLLECT INFORMATION

5.1 Collection Methods

Lotus Care SA collects personal information through:

Direct Collection (From You or Your Representative):

  • Service intake forms and applications
  • Service agreement documentation
  • Consent forms and permissions
  • Written correspondence (letters, emails)
  • Phone conversations and enquiries
  • In-person meetings and consultations
  • Video consultations or interviews
  • Support worker observation and note-taking
  • Participant feedback forms
  • Complaint submissions

Indirect Collection (From Others):

  • Previous service providers (with consent)
  • Family members or guardians
  • Disability service coordinators
  • Local Area Coordinators
  • Support workers’ observations
  • Health professionals (doctors, specialists, therapists)
  • Educational institutions
  • Employer contacts
  • NDIS records (as authorized participant)
  • Government agencies (as required by law)
  • Other disability support organizations

Automated Collection (From Technology):

  • Website cookies and tracking pixels
  • Server logs and IP addresses
  • Device information from website visits
  • Digital file metadata
  • Email system information
  • Behavioral analytics

5.2 Collection Notification

When collecting personal information directly from you, Lotus Care SA will:

  • Explain that we are collecting information
  • Identify the type of information being collected
  • Explain the purpose of collection
  • Advise how the information will be used and disclosed
  • Outline your rights regarding the information
  • Provide details of our Privacy Officer
  • Advise of access and correction rights
  • Explain consequences of not providing information (if applicable)

This explanation is provided:

  • Before or at the time of collection
  • In clear, understandable language
  • In a format accessible to you
  • In writing (or alternative format if needed)

6. WHY WE COLLECT INFORMATION (PURPOSE)

6.1 Primary Purposes

Lotus Care SA collects and uses personal information for the primary purposes of:

Service Delivery:

  • Providing disability support services as outlined in your Service Agreement
  • Understanding your support needs and goals
  • Developing person-centered support plans
  • Scheduling and coordinating services
  • Training and instructing support workers
  • Monitoring service quality and effectiveness
  • Identifying appropriate support workers for you

Safety & Welfare:

  • Ensuring your safety during service delivery
  • Protecting support worker safety
  • Identifying and managing risks and hazards
  • Responding to medical emergencies
  • Mandatory reporting of harm or abuse
  • Incident investigation and response
  • Safeguarding against exploitation

Communication & Support:

  • Communicating with you about your services
  • Providing appointment reminders
  • Requesting feedback and addressing concerns
  • Processing complaints and disputes
  • Updating you on service changes
  • Seeking consents and permissions

Administrative & Business:

  • Maintaining participant records and files
  • Processing invoices and payments
  • Managing NDIS relationships and funding
  • Handling enquiries and intake
  • Scheduling and rostering support workers
  • Evaluating service effectiveness
  • Quality assurance and audits

Legal & Regulatory Compliance:

  • Complying with NDIS Code of Conduct
  • Meeting NDIS Practice Standards
  • Regulatory reporting to NDIS Commission
  • Compliance with mandatory reporting laws
  • Fulfilling duty of care obligations
  • Responding to legal inquiries or court orders

Continuous Improvement:

  • Identifying service gaps and improvements
  • Feedback collection and analysis
  • Service development and innovation
  • Training and professional development
  • Organizational learning and quality improvement

6.2 Secondary Purposes

Lotus Care SA may use information for secondary purposes including:

  • Research and evaluation (de-identified)
  • Program development and improvement
  • Staff training and development
  • Marketing and promotion (with consent)
  • Organizational planning
  • Network and partnership development

Secondary use of personal information requires:

  • Your explicit consent, or
  • A direct connection to the primary purpose, or
  • Legal authority or obligation

7. WHO WE DISCLOSE INFORMATION TO

7.1 Authorized Disclosures

Lotus Care SA discloses personal information to third parties only where:

  • You have provided consent
  • It is necessary to provide your services
  • It is required by law
  • It is in your best interests to prevent harm

We may disclose information to:

NDIS-Related Parties:

  • National Disability Insurance Agency (NDIA)
  • NDIS Quality and Safeguards Commission (for regulatory compliance)
  • NDIS planners (to coordinate your plan)
  • Local Area Coordinators
  • Plan managers (if you have a plan-managed arrangement)
  • Other registered NDIS providers (with your consent)

Support & Healthcare Providers:

  • Your GP or medical specialists
  • Allied health professionals (physiotherapists, psychologists, etc.)
  • Hospital or residential facilities
  • Mental health service providers
  • Community health services
  • Other disability support providers (with consent)
  • Emergency services (when necessary)

Family & Representatives:

  • Your nominated guardian or representative
  • Family members (with your authorization)
  • Enduring power of attorney holders
  • Authorized legal representatives

Government & Regulatory Bodies:

  • Australian authorities (NDIS Commission, Department of Social Services)
  • South Australian government agencies
  • Tax authorities (ATO)
  • Centrelink (where relevant to your support)
  • WorkCover or insurance bodies
  • Law enforcement (when legally required)
  • Child protection authorities (mandatory reporting)
  • Adult safeguarding authorities
  • Courts or legal tribunals (when legally required)

Professional Service Providers:

  • Our accountants and auditors
  • Legal advisors
  • Insurance providers
  • Recruitment and HR providers
  • IT service providers
  • Storage and records management companies
  • Quality assurance auditors

Workplace Safety:

  • Work health and safety regulators (if incident involves workplace safety)
  • Emergency services
  • Workplace incident investigators

Financial Parties:

  • NDIS (for billing and funding)
  • Your plan manager (if applicable)
  • Financial institutions (for payment processing)
  • Credit providers (if relevant)
  • Collection agencies (if payment is overdue)

7.2 Limitations on Disclosure

Lotus Care SA does not disclose personal information:

  • Without your consent (except as legally authorized)
  • For marketing or commercial purposes (without consent)
  • For research purposes that could identify you
  • To organizations without adequate security measures
  • Beyond what is necessary for the stated purpose
  • Unless the recipient has agreed to maintain confidentiality

8. OVERSEAS DISCLOSURE

8.1 Overseas Transfers

Lotus Care SA primarily stores information within Australia. However, in limited circumstances, information may be transferred overseas to:

Cloud Service Providers:

  • AWS (Amazon Web Services) based in Australia
  • Microsoft Azure (Australian data centers)
  • Google Cloud (Australian data centers)
  • Other third-party service providers (when necessary)

International Healthcare:

  • Overseas health practitioners (if you receive overseas medical services, with consent)
  • International specialist consultations
  • Overseas therapy or support (if agreed in your service plan)

8.2 Overseas Disclosure Protections

Before overseas transfer, Lotus Care SA ensures:

  • The overseas recipient has privacy protections equivalent to Australian law
  • Written agreement to maintain confidentiality
  • Limited transfer to information necessary for the stated purpose
  • Your explicit consent (where required)
  • Compliance with Australian Privacy Principles

Overseas disclosures are made to countries with privacy legislation equivalent to Australia’s, or with contractual privacy protections in place.

8.3 Your Rights Regarding Overseas Disclosure

You have the right to:

  • Request a list of countries to which your information may be disclosed
  • Opt-out of non-essential overseas disclosures
  • Request additional security measures for overseas transfers
  • Withdraw consent for overseas transfers (with service delivery implications)

9. CONSENT & AUTHORITY

9.1 Collection & Use Consent

Lotus Care SA obtains your consent before collecting personal information, except where:

  • Collection is required by law (mandatory reporting, court orders)
  • Collection is necessary to prevent harm to yourself or others
  • You are unable to consent and a guardian provides consent
  • Information is collected from a third party and consent is not practicable

9.2 Guardian Authority

If a guardian or representative is making decisions on your behalf:

  • They must provide legal evidence of their authority
  • They must confirm they have capacity and authority to consent
  • Guardianship documentation must be provided and retained
  • Lotus Care SA will verify guardianship arrangements with authorities if necessary

9.3 Capacity & Informed Consent

When assessing your capacity to provide consent:

  • Lotus Care SA assumes you have capacity unless demonstrated otherwise
  • Information is provided in accessible, understandable language
  • Time and support are provided for you to consider and decide
  • Consent is voluntary, not pressured
  • You can withdraw consent at any time

9.4 Consent Forms

Lotus Care SA maintains consent forms documenting:

  • What information is being collected
  • Why it is being collected
  • How it will be used and disclosed
  • Your agreement to collection and use
  • Your rights regarding the information
  • Date and signature of consent

Consent forms are:

  • Provided before service commencement
  • In plain language
  • Available in alternative formats
  • Stored securely
  • Updated when purposes change

9.5 Withdrawal of Consent

You may withdraw your consent to collection, use, or disclosure of information at any time by:

Withdrawal of consent does not apply to information already collected and used for the primary service purpose, but future use may be limited.

10. USE OF PERSONAL INFORMATION

10.1 Primary Use

Personal information is used only for the primary purpose it was collected for, unless:

  • You have provided additional consent
  • Use is directly related to the primary purpose
  • Use is authorized by law
  • Use is necessary to prevent harm

10.2 Secondary Use

If Lotus Care SA wishes to use information for a secondary purpose, we will:

  • Obtain your explicit consent, or
  • Assess whether use is directly related to primary purpose, or
  • Confirm legal authority

Secondary use includes:

  • Sharing with other support providers (with your consent)
  • Program evaluation or research (de-identified)
  • Staff training or case discussion (de-identified)
  • Regulatory reporting or investigations
  • Legal proceedings or disputes

10.3 Sensitive Information Use

Sensitive information is used only:

  • For the stated primary purpose
  • With your explicit consent for secondary use
  • As required by law (mandatory reporting)
  • To prevent serious harm

Sensitive information is:

  • Handled with heightened confidentiality
  • Accessed only by staff with legitimate need
  • Stored separately with additional security
  • De-identified when possible

10.4 Health Information Management

Health information is managed with particular care:

  • Stored separately from other personal information
  • Accessed only by health professionals or necessary support workers
  • Used only for health and safety purposes
  • Subject to additional privacy protections
  • Disclosed only with your consent (except mandatory reporting)

11. SECURITY & STORAGE OF INFORMATION

11.1 Security Obligations

Lotus Care SA takes information security seriously and implements:

Physical Security:

  • Locked filing cabinets and storage areas
  • Limited access to records (staff with need to know)
  • Secure office environment with access controls
  • CCTV in file storage areas (where relevant)
  • Supervised access to sensitive records

Digital Security:

  • Password-protected systems and devices
  • Multi-factor authentication for sensitive data
  • Data encryption for transmitted information
  • Firewall and antivirus protection
  • Regular security updates and patching
  • Intrusion detection systems
  • Secure server environments (AWS or equivalent)

Organizational Security:

  • Staff training on privacy and confidentiality
  • Privacy and security policies enforced
  • Access controls limiting staff access to necessary information
  • Confidentiality agreements with all staff
  • Regular audits of security practices
  • Incident response procedures

Third-Party Security:

  • Contractual requirements for service providers to maintain security
  • Due diligence assessment of providers’ security practices
  • Regular audits of third-party security
  • Privacy agreements with all third parties
  • Data processing agreements where required

11.2 Information Storage

Personal information is stored:

Paper Records:

  • In locked filing cabinets
  • In secure office areas
  • Organized by participant with access controls
  • Protected from damage, loss, or unauthorized access

Electronic Records:

  • In password-protected systems
  • On secure servers with regular backups
  • With encryption for sensitive information
  • With audit trails of access and modifications
  • Backed up daily to secure locations

Hybrid Storage:

  • Some information in both paper and electronic form
  • Both forms subject to equivalent security
  • Electronic records as primary storage where possible

11.3 Data Handling Standards

All staff handling personal information:

  • Receive privacy and confidentiality training
  • Understand their confidentiality obligations
  • Have written agreements to maintain confidentiality
  • Follow security procedures and protocols
  • Report security incidents immediately
  • Are subject to disciplinary action for breaches

12. DATA BREACH & NOTIFIABLE DATA BREACHES SCHEME

12.1 What Constitutes a Data Breach

A data breach occurs when:

  • Personal information is lost, stolen, or accessed without authorization
  • Information is accidentally disclosed to unauthorized parties
  • Information is compromised by malware, hacking, or human error
  • Unauthorized access to information occurs
  • Information is corrupted or destroyed

12.2 Breach Response Procedures

When a data breach is discovered, Lotus Care SA:

Immediate Response (Within hours):

  • Isolates the breach to prevent further unauthorized access
  • Stops any ongoing unauthorized access
  • Secures affected systems and information
  • Begins evidence collection and documentation
  • Notifies the Privacy Officer and management
  • Convenes the Incident Response Team

Investigation (Within 24-48 hours):

  • Investigates the scope and nature of the breach
  • Identifies information affected
  • Determines individuals impacted
  • Assesses likelihood of serious harm
  • Documents the breach thoroughly
  • Implements containment measures

Notification (Where required):

  • Assesses whether notification is legally required
  • Notifies affected individuals within 30 days
  • Notifies the Privacy Commissioner (if required)
  • Provides clear information about the breach
  • Recommends protective steps individuals can take
  • Provides contact details for inquiries

Remediation (Ongoing):

  • Fixes the vulnerability that caused the breach
  • Implements additional security measures
  • Reviews and updates policies
  • Provides affected individuals with support
  • Monitors for further unauthorized access

12.3 Notifiable Data Breaches Scheme (NDB)

Lotus Care SA complies with the Notifiable Data Breaches Scheme:

When Notification is Required: A data breach must be reported when:

  • There is a serious likelihood of serious harm to an affected individual
  • The serious harm includes identity theft, fraud, financial loss, physical harm, psychological harm, or reputational harm
  • The breach involves sensitive information (health, financial, or identity information)

Who We Notify:

  • Affected individuals (within 30 days of discovery)
  • Privacy Commissioner (if notification of individuals is given)
  • Other authorities (where required by law)

What We Include in Notification:

  • Nature of the breach
  • Information affected
  • Identity of our organization
  • Steps we are taking in response
  • Steps individuals can take to protect themselves
  • Contact details for inquiries
  • Privacy Commissioner contact details

12.4 Record Keeping

Lotus Care SA maintains records of:

  • All suspected breaches (even if not notifiable)
  • Investigation findings and conclusions
  • Individuals affected
  • Remedial actions taken
  • Breach notifications sent
  • Follow-up communications

Breach records are retained for minimum 7 years.

13. SENSITIVE INFORMATION MANAGEMENT

13.1 Sensitive Information Categories

Lotus Care SA handles sensitive information relating to:

  • Disability and support needs
  • Mental health and psychological wellbeing
  • Medical conditions and treatments
  • Cultural and spiritual beliefs
  • Sexual orientation or gender identity
  • Racial or ethnic background
  • Criminal history (where relevant)
  • Substance use or addiction
  • Abuse or exploitation history

13.2 Enhanced Protections

Sensitive information receives enhanced protections:

Collection:

  • Explicit consent required for collection
  • Minimum necessary collection only
  • Clear explanation of why information is needed
  • Assurance that provision is voluntary

Use:

  • Primary purpose only (without additional consent)
  • No secondary use without explicit consent
  • Strict confidentiality maintained
  • Limited staff access

Storage:

  • Separate secure storage where possible
  • Password-protected electronic access
  • Limited backup and duplication
  • Encrypted transmission

Disclosure:

  • Explicit consent required for disclosure
  • Disclosure to minimum necessary recipients
  • Confidentiality obligations on recipients
  • Regular audit of disclosures

Retention:

  • Retained only while necessary
  • Destroyed securely when no longer needed
  • No archival of sensitive information

13.3 Disability Information

Disability information is particularly sensitive and handled with:

  • Respect for your dignity and autonomy
  • Understanding of the impact of disclosure
  • Recognition of stigma and discrimination risks
  • Protection against unauthorized use
  • Your control over who knows about your disability

14. HEALTH INFORMATION

14.1 Health Information Protections

Health information is managed with heightened protections:

Collection:

  • Explicit consent required
  • Only information necessary for safe service delivery
  • Collection from health professionals (with consent)
  • Clear communication about purposes

Use:

  • Health and safety purposes only
  • Support worker briefing and training
  • Medical emergency response
  • Coordination with healthcare providers
  • No other use without consent

Storage:

  • Separate secure storage
  • Limited staff access (health professionals and necessary support workers)
  • Encrypted storage and transmission
  • Regular backup and recovery procedures

Disclosure:

  • Consent required before disclosure
  • Only to health professionals and support workers
  • Exceptions for mandatory reporting and emergencies
  • Record keeping of disclosures

14.2 Medication Information

Medication information is handled securely:

  • Stored with heightened security
  • Accessed only by staff authorized to administer or monitor
  • Updated regularly as medications change
  • Shared with healthcare providers as needed
  • Reviewed for interactions and appropriateness

14.3 Mental Health Information

Mental health information receives enhanced protections:

  • Recognized as sensitive and stigmatizing
  • Stored separately
  • Accessed only by mental health professionals and necessary support workers
  • Disclosed only with explicit consent
  • Protected from irrelevant access

15. PARTICIPANT ACCESS & CORRECTION RIGHTS

15.1 Right to Access Information

You have the right to access personal information Lotus Care SA holds about you by:

Request Content: Clearly specify:

  • What information you want to access
  • The format you want (electronic, paper, etc.)
  • Any accessibility requirements

Access Timelines:

  • Simple requests: 10 business days
  • Complex requests: up to 30 days
  • Extended timeline notified with reasons

Access Verification:

  • Identity verified before disclosure
  • Access limited to your information (not other participants’)
  • Information organized and clearly presented

Access Costs:

  • First access within 12 months: Free
  • Subsequent accesses: May be charged reasonable costs
  • Costs quoted before processing (if applicable)

15.2 Right to Correction

You have the right to correct inaccurate, incomplete, or out-of-date information:

Correction Process:

  1. Identify the information that needs correction
  2. Explain what is inaccurate or outdated
  3. Provide corrected information
  4. Provide supporting evidence (if applicable)

Correction Timelines:

  • Simple corrections: Within 10 business days
  • Complex corrections: Up to 30 days
  • Verification of information may be required

Correction Methods:

15.3 Statement of Disagreement

If Lotus Care SA refuses to correct information, you may request:

  • A written statement of why correction was refused
  • The right to add a statement of disagreement to your file
  • The disagreement to be disclosed with the information

15.4 Access by Guardians

If you have a guardian or representative:

  • They may request access on your behalf
  • Legal proof of authority is required
  • Access is provided to both you and your guardian
  • You may limit guardian access if you have capacity

16. RETENTION & DESTRUCTION OF INFORMATION

16.1 Retention Periods

Personal information is retained only for as long as:

  • Necessary to provide services
  • Required by law or regulation
  • Reasonably needed for legal purposes
  • You have requested information be retained

Typical Retention Periods:

Information Type  Retention Period  Reason 
Service participant records  7 years after service ends  NDIS standards, legal claims 
Health records  7 years minimum  Medical history, legal claims 
Financial records  7 years  Tax, audit, dispute resolution 
Incident/accident records  7 years  Liability, legal requirements 
Complaints/disputes  7 years  Dispute resolution, complaints 
NDIS documentation  Duration of NDIS eligibility + 7 years  NDIS requirements 
Website analytics  2 years  Service improvement 
Cookies  1-2 years  Website functionality 
Backup copies  1-3 months  Data recovery only 

16.2 Destruction Procedures

When information is no longer required:

Paper Records:

  • Shredded confidentially
  • Incinerated
  • Pulped
  • Not recycled without shredding

Electronic Records:

  • Permanently deleted
  • Overwritten multiple times
  • Securely wiped using data destruction software
  • Not just moved to recycle bin

Secure Destruction:

  • Witnessed destruction (where sensitive)
  • Certificate of destruction issued
  • Third-party destruction service certified
  • No recovery possible

16.3 De-identification

Where appropriate, information is de-identified rather than destroyed:

  • Removes identification details
  • Enables ongoing research or evaluation
  • Cannot be re-identified
  • De-identified information not subject to privacy laws

16.4 Retention Exceptions

Information is retained beyond normal periods if:

  • Required by law (mandatory reporting, legal hold)
  • Subject to legal dispute or proceeding
  • You have requested retention
  • Archival or research purposes (de-identified)

17. COOKIES & WEBSITE TRACKING

17.1 Cookies

Lotus Care SA’s website uses cookies:

Essential Cookies:

  • Remember login information
  • Maintain website security
  • Enable website functionality

Analytics Cookies:

  • Track website usage patterns
  • Understand which pages are visited
  • Improve website performance
  • Identify popular content

Third-Party Cookies:

  • From Google Analytics (website analytics)
  • From social media (if social media embedded)
  • Advertising cookies (if applicable)

17.2 Cookie Consent

Website visitors are notified of:

  • Use of cookies on the website
  • Types of information collected
  • How information is used
  • How to disable cookies

Consent is obtained before:

  • Non-essential cookies are set
  • Analytics cookies track behavior

17.3 Website Analytics

Lotus Care SA uses Google Analytics to:

  • Track website traffic
  • Understand user behavior
  • Identify popular pages
  • Improve website design
  • Measure effectiveness

Analytics data:

  • Is anonymized and aggregate
  • Does not identify individuals
  • Is retained for 2 years
  • Is used for service improvement only

17.4 Disabling Cookies

Website visitors may:

  • Disable cookies in browser settings
  • Opt-out of Google Analytics tracking
  • Limit data collection
  • Exercise privacy controls

Disabling cookies may:

  • Affect website functionality
  • Prevent access to certain features
  • Reduce personalization

18. THIRD-PARTY LINKS

18.1 External Links

The Lotus Care SA website contains links to third-party websites:

18.2 No Responsibility

Lotus Care SA is not responsible for:

  • Third-party website privacy practices
  • Third-party data collection
  • Third-party security measures
  • Information collected by third parties
  • Third-party policy changes

18.3 Third-Party Privacy

Third-party websites have their own privacy policies:

  • Review third-party privacy policies before visiting
  • Information collected is subject to their policies
  • Lotus Care SA has no control over their practices
  • Privacy concerns about third parties should be directed to them

18.4 Lotus Care SA Privacy Control

When you click a third-party link:

  • You are leaving the Lotus Care SA website
  • Lotus Care SA’s privacy protections no longer apply
  • You are subject to the third-party’s privacy policy
  • You should review their privacy policy

19. CHILDREN’S PRIVACY

19.1 Children Under 13

If a child under 13 years old is a participant:

  • Parental consent is required for collection
  • Parent/guardian controls information access
  • Child’s information is managed with heightened care
  • Child is informed about privacy practices (in age-appropriate language)

19.2 Young People 13-18

For young people aged 13-18:

  • They may provide consent with parent/guardian awareness
  • Parents retain some decision-making authority
  • Young person’s developing autonomy is respected
  • Information is explained in accessible language

19.3 Safe Support of Children

When providing services to children:

  • Child safety is paramount
  • Mandatory reporting obligations are met
  • Child protection laws are complied with
  • Children are empowered to report concerns
  • Privacy is respected while maintaining safety

20. COMPLAINTS & DISPUTE RESOLUTION

20.1 Privacy Complaint Procedure

If you have concerns about Lotus Care SA’s privacy practices:

Step 1: Informal Resolution (Within 7 Days)

  • Contact Privacy Officer directly
  • Explain your concern clearly
  • Provide relevant details and dates
  • Allow 5 business days for response

Step 2: Formal Complaint (If Not Resolved)

  • Submit written complaint to Privacy Officer
  • Include all relevant details and documentation
  • Specify desired outcome or resolution
  • Receive response within 10 business days

Step 3: Escalation (If Not Resolved)

  • Request escalation to management
  • Management reviews complaint independently
  • Response provided within 10 business days
  • Mediation offered if appropriate

20.2 Complaint Contacts

Privacy Officer:

20.3 External Privacy Complaint

If not satisfied with Lotus Care SA’s response, you may lodge a complaint with:

Office of the Australian Information Commissioner (OAIC):

NDIS Quality and Safeguards Commission:

Website: www.ndiscommission.gov.au

Phone: 1800 035 734

20.4 Privacy Complaint Timeline

  • You may lodge complaint within 12 months of discovering the issue
  • Complaints are investigated within 30 days
  • Extensions notified if investigation requires more time
  • You are kept informed of investigation progress
  • Final response provided within agreed timeline

20.5 Outcome Options

Privacy complaints may result in:

  • Confirmation that privacy practices comply with law
  • Apology and explanation
  • Correction of inaccurate information
  • Improvement of privacy processes
  • Compensation for loss or damage
  • Referral to regulatory authorities

21. PRIVACY OFFICER & CONTACT DETAILS

21.1 Privacy Officer

Lotus Care SA designates a Privacy Officer responsible for:

  • Implementing this privacy policy
  • Responding to privacy inquiries and complaints
  • Investigating privacy concerns
  • Recommending process improvements
  • Liaising with privacy regulators
  • Training staff on privacy obligations
  • Auditing privacy compliance

Privacy Officer Details:

21.2 Privacy Inquiries

For privacy-related inquiries, contact:

Email: privacy@lotuscaresa.com.au

Phone: 0481 851 121

Response Time: Within 5 business days for general inquiries; within specified timeframes for formal requests

21.3 Access Request Submissions

To request access to your personal information:

Email: privacy@lotuscaresa.com.au

Phone: 0481 851 121

In Person: Visit during office hours and request Privacy Officer

Include in your request:

  • Your full name
  • Service participant number
  • Type of information requested
  • Preferred format (electronic, paper, etc.)
  • Proof of identity

22. GOVERNANCE & UPDATES

22.1 Privacy Policy Governance

This Privacy Policy is:

  • Approved by Lotus Care SA management
  • Reviewed annually or when laws change
  • Updated to reflect regulatory changes
  • Communicated to all staff and participants
  • Accessible to all stakeholders

22.2 Staff Privacy Training

All Lotus Care SA staff:

  • Receive privacy and confidentiality training
  • Understand their privacy obligations
  • Know procedures for information handling
  • Understand consequences of breaches
  • Participate in annual refresher training

22.3 Changes to This Policy

Lotus Care SA may update this Privacy Policy:

  • When legislation changes
  • When NDIS standards change
  • When business practices change
  • To improve clarity or accessibility
  • To address compliance issues

Notice of Changes:

  • Updated policy posted on website
  • Email notification to participants
  • Physical copies available on request
  • Effective date specified
  • Key changes highlighted

22.4 Version Control

Version  Date  Changes  Approved By 
1.0  02/01/2026  Initial policy  Arman Bihari 

22.5 Related Policies

This Privacy Policy works with:

  • Lotus Care SA Terms and Conditions
  • Complaints Procedure
  • Information Security Policy
  • Data Retention Policy
  • NDIS Code of Conduct
  • NDIS Practice Standards

PRIVACY POLICY ACKNOWLEDGMENT

By accessing Lotus Care SA services, website, or providing personal information, you acknowledge:

  • You have read this Privacy Policy
  • You understand your privacy rights
  • You understand how your information is handled
  • You consent to collection, use, and disclosure as described
  • You understand how to lodge complaints or access information

Signed for and on behalf of Lotus Care SA Pty Ltd:

Name: Harsh Modi

Position: Director

Date: 02/01/2026

APPENDIX A: AUSTRALIAN PRIVACY PRINCIPLES SUMMARY

APP  Principle  Lotus Care SA Compliance
1 Open and transparent management  This policy, accessible information 
2 Collection of solicited personal information  Explained purpose, consent obtained 
3 Collection of unsolicited personal information  Assessed necessity, destroyed if not needed 
4 Dealing with personal information  Only for primary purpose without consent 
5 Notification about personal information management  This policy provided, explained 
6 Use or disclosure of personal information  Limited to primary purpose, consent for secondary 
7 Direct marketing  Not without consent 
8 Credit reporting information  Not applicable (not a credit provider) 
9 Overseas disclosure  Limited, adequate protections 
10 Quality of personal information  Accurate, up-to-date, complete 
11 Security of personal information  Encrypted, secured, protected 
12 Access to personal information  Free access, timely response 
13 Correction of personal information  Corrected or statement added 

APPENDIX B: NDIS CODE OF CONDUCT PRIVACY PRINCIPLE

Principle 2 – Respect the privacy of people with disability

Lotus Care SA complies with this principle by:

  • Not disclosing personal information without consent (except legally required)
  • Respecting privacy in service delivery
  • Maintaining confidentiality of all information
  • Securing information against unauthorized access
  • Responding to privacy concerns promptly
  • Training staff on privacy obligations
  • Maintaining clear policies and procedures

APPENDIX C: MANDATORY REPORTING

Lotus Care SA staff may disclose information without consent when:

Child Abuse or Neglect:

  • To child protection authorities
  • Where there is reasonable suspicion of harm to a child

Elder Abuse or Neglect:

  • To relevant authorities
  • Where vulnerable adult is at risk

Sexual Abuse or Exploitation:

  • To law enforcement
  • Where sexual abuse is suspected

Serious Risk of Harm:

  • To emergency services
  • Where imminent risk exists
  • To prevent loss of life or serious injury

Duty of Care:

  • Information disclosed in participant’s best interest
  • To protect safety and welfare
  • Minimal disclosure necessary

Participants are informed of:

  • What information will be disclosed
  • Why disclosure is occurring
  • Where information is being shared
  • Their rights in the process

This Privacy Policy is effective from 02/01/2026 and continues until revised or replaced.