Privacy Policy
Last Updated: January 2026 Effective Date: 02/01/2026
| Sr no | TABLE OF CONTENTS |
|---|---|
| 1 | Introduction & Scope |
| 2 | Definitions & Interpretation |
| 3 | Legal Framework & Compliance |
| 4 | Personal Information We Collect |
| 5 | How We Collect Information |
| 6 | Why We Collect Information (Purpose) |
| 7 | Who We Disclose Information To |
| 8 | Overseas Disclosure |
| 9 | Consent & Authority |
| 10 | Use of Personal Information |
| 11 | Security & Storage of Information |
| Sr no | TABLE OF CONTENTS |
|---|---|
| 12 | Data Breach & Notifiable Data Breaches Scheme |
| 13 | Sensitive Information Management |
| 14 | Health Information |
| 15 | Participant Access & Correction Rights |
| 16 | Retention & Destruction of Information |
| 17 | Cookies & Website Tracking |
| 18 | Third-Party Links |
| 19 | Children’s Privacy |
| 20 | Complaints & Dispute Resolution |
| 21 | Privacy Officer & Contact Details |
| 22 | Governance & Updates |
1. INTRODUCTION & SCOPE
1.1 About This Policy
Lotus Care SA Pty Ltd (ABN 86692510473 ) (“Lotus Care SA”, “we”, “us”, “our”) is a registered National Disability Insurance Scheme (NDIS) provider delivering disability support services across Adelaide, South Australia.
This Privacy Policy explains how we collect, use, disclose, store, and manage personal information in accordance with Australian privacy laws and NDIS regulations. This policy applies to:
- All participants receiving services from Lotus Care SA
- Family members and guardians who provide information on behalf of participants
- Support workers and contractors engaged by Lotus Care SA
- Website visitors and enquirers
- All personal information collected in any format (paper, electronic, verbal, video, audio)
1.2 Our Privacy Commitment
Lotus Care SA recognizes that privacy is a fundamental human right. We are committed to:
- Respecting and protecting your privacy in all interactions
- Collecting only information necessary for safe and effective service delivery
- Handling your information with care, confidentiality, and security
- Being transparent about how we use your information
- Enabling you to access, correct, and control your personal information
- Complying with all applicable privacy laws and NDIS standards
1.3 Accessibility
This Privacy Policy is available:
- On our website: www.lotuscaresa.com.au
- In print format (on request)
- In alternative formats (large print, easy read, accessible formats)
- In other languages upon request
Contact us for alternative format versions: 0481 851 121 or info@lotuscaresa.com.au
2. DEFINITIONS & INTERPRETATION
2.1 Key Terms
“Personal Information” means information or an opinion about an identified individual or reasonably identifiable individual, whether the information or opinion is true or not, and whether stored in material form or not.
“Sensitive Information” means personal information relating to:
- Race, ethnicity, or national origin
- Political opinions or beliefs
- Religious or philosophical beliefs
- Membership of professional or trade associations
- Sexual orientation or gender identity
- Criminal history or alleged offences
- Health information
- Genetic information
- Biometric information used for identification
- Disability information
“Health Information” means personal information about physical, mental, or psychological health or disability; expressed wishes about the provision of health services; or a health service provider’s assessment or notes.
“Participant” means any person receiving disability support services from Lotus Care SA.
“Guardian” or “Responsible Person” means a person with legal authority to make decisions on behalf of a participant (parent, court-appointed guardian, enduring power of attorney holder, etc.).
“Support Worker” means any staff member, volunteer, or contractor engaged by Lotus Care SA to deliver services.
“NDIS” means the National Disability Insurance Scheme established under the National Disability Insurance Scheme Act 2013 (Cth).
“NDIS Commission” means the NDIS Quality and Safeguards Commission.
“Privacy Act” means the Privacy Act 1988 (Cth).
“Australian Privacy Principles” or “APPs” means the 13 principles in the Privacy Act that regulate privacy obligations.
“Code of Conduct” means the NDIS Code of Conduct for Disability Service Providers.
“Website” means www.lotuscaresa.com.au and all associated pages and applications.
“Disclosure” means providing personal information to third parties.
“Processing” means collecting, using, storing, disclosing, or managing information.
3. LEGAL FRAMEWORK & COMPLIANCE
3.1 Privacy Laws We Comply With
Lotus Care SA complies with all applicable Australian privacy legislation:
Commonwealth Laws:
- Privacy Act 1988 (Cth)
- Australian Privacy Principles (APPs)
- Health Records Act provisions
- Notifiable Data Breaches (NDB) Scheme
- National Disability Insurance Scheme Act 2013 (Cth)
South Australian Laws:
- Health Complaints Act 2004 (SA)
- Disability Services Act 1993 (SA)
- Freedom of Information Act 1991 (SA)
- Guardianship and Administration Act 1995 (SA)
NDIS Regulations:
- NDIS Code of Conduct for Disability Service Providers
- NDIS Practice Standards (particularly Standard 1: Rights and Responsibilities – Privacy and Dignity)
- NDIS Rules 2013
- NDIS Supports Rules
3.2 APP Principles We Follow
Lotus Care SA’s privacy practices are based on the 13 Australian Privacy Principles:
- APP 1 – Open and transparent management of personal information
- APP 2 – Collection of solicited personal information
- APP 3 – Collection of unsolicited personal information
- APP 4 – Dealing with personal information
- APP 5 – Notification about personal information management
- APP 6 – Use or disclosure of personal information
- APP 7 – Direct marketing
- APP 8 – Credit reporting information (where applicable)
- APP 9 – Overseas disclosure of personal information
- APP 10 – Quality of personal information
- APP 11 – Security of personal information
- APP 12 – Access to personal information
- APP 13 – Correction of personal information
4. PERSONAL INFORMATION WE COLLECT
4.1 Types of Information
Lotus Care SA collects personal information necessary to provide safe and effective disability support services. This includes:
Contact & Identification Information:
- Full name(s) (including preferred name)
- Date of birth
- Gender identity
- NDIS participant number
- Contact phone number(s) (mobile, home, work)
- Email address(es)
- Residential address
- Mailing address (if different)
- Emergency contact details
- Medicare number (where relevant)
- Identification documents (driver’s license, passport)
Disability & Support Needs:
- Type of disability(ies)
- Disability description and impact on daily life
- Support goals and aspirations
- Current support arrangements
- Existing support workers or providers
- Reasonable adjustments required
- Communication requirements
- Accessibility needs
- Behavioral support requirements
Health & Medical Information:
- Diagnosed medical conditions
- Medications and dosages
- Allergies and adverse reactions
- Medical history
- Treatment plans
- Health practitioner names and contacts
- Immunization records
- Mental health information
- Substance use information
- Hospital or specialist appointments
Functional & Capability Information:
- Mobility and physical capabilities
- Cognitive and communication abilities
- Self-care capabilities
- Behavioral patterns
- Strengths and skills
- Learning needs
- Employment/education status
- Independent living capabilities
Family & Guardian Information:
- Guardian or representative name and contact details
- Family members’ names and relationships
- Family contact preferences
- Guardianship documentation
- Enduring power of attorney details
- Legal custody information
Service-Related Information:
- NDIS plan details (if applicable)
- Funding information
- Service preferences and schedule
- Previous service providers
- Service history with Lotus Care SA
- Service agreements and modifications
- Participant feedback and satisfaction
- Incident reports
- Accident and injury reports
- Complaint and dispute records
Financial Information:
- NDIS funding details
- Payment method and banking information
- Invoice and billing address
- Medicare and DVA information
- Centrelink details (if relevant)
- Insurance information
Cultural & Personal Preferences:
- Aboriginal or Torres Strait Islander status
- Cultural background and language
- Preferred language for communication
- Religious or spiritual beliefs (where relevant)
- Personal preferences and interests
- Family and support network details
- Community connections and participation
Digital Information:
- Website usage data
- IP addresses
- Device information
- Login credentials
- Email correspondence
- Audio/video recordings (with consent)
- Photographs (with consent)
4.2 Information We Don’t Collect
Lotus Care SA does not collect personal information that is:
- Not necessary for providing services
- Excessive or intrusive
- Beyond legal authorization
- For purposes other than disability support delivery (except where required by law)
5. HOW WE COLLECT INFORMATION
5.1 Collection Methods
Lotus Care SA collects personal information through:
Direct Collection (From You or Your Representative):
- Service intake forms and applications
- Service agreement documentation
- Consent forms and permissions
- Written correspondence (letters, emails)
- Phone conversations and enquiries
- In-person meetings and consultations
- Video consultations or interviews
- Support worker observation and note-taking
- Participant feedback forms
- Complaint submissions
Indirect Collection (From Others):
- Previous service providers (with consent)
- Family members or guardians
- Disability service coordinators
- Local Area Coordinators
- Support workers’ observations
- Health professionals (doctors, specialists, therapists)
- Educational institutions
- Employer contacts
- NDIS records (as authorized participant)
- Government agencies (as required by law)
- Other disability support organizations
Automated Collection (From Technology):
- Website cookies and tracking pixels
- Server logs and IP addresses
- Device information from website visits
- Digital file metadata
- Email system information
- Behavioral analytics
5.2 Collection Notification
When collecting personal information directly from you, Lotus Care SA will:
- Explain that we are collecting information
- Identify the type of information being collected
- Explain the purpose of collection
- Advise how the information will be used and disclosed
- Outline your rights regarding the information
- Provide details of our Privacy Officer
- Advise of access and correction rights
- Explain consequences of not providing information (if applicable)
This explanation is provided:
- Before or at the time of collection
- In clear, understandable language
- In a format accessible to you
- In writing (or alternative format if needed)
6. WHY WE COLLECT INFORMATION (PURPOSE)
6.1 Primary Purposes
Lotus Care SA collects and uses personal information for the primary purposes of:
Service Delivery:
- Providing disability support services as outlined in your Service Agreement
- Understanding your support needs and goals
- Developing person-centered support plans
- Scheduling and coordinating services
- Training and instructing support workers
- Monitoring service quality and effectiveness
- Identifying appropriate support workers for you
Safety & Welfare:
- Ensuring your safety during service delivery
- Protecting support worker safety
- Identifying and managing risks and hazards
- Responding to medical emergencies
- Mandatory reporting of harm or abuse
- Incident investigation and response
- Safeguarding against exploitation
Communication & Support:
- Communicating with you about your services
- Providing appointment reminders
- Requesting feedback and addressing concerns
- Processing complaints and disputes
- Updating you on service changes
- Seeking consents and permissions
Administrative & Business:
- Maintaining participant records and files
- Processing invoices and payments
- Managing NDIS relationships and funding
- Handling enquiries and intake
- Scheduling and rostering support workers
- Evaluating service effectiveness
- Quality assurance and audits
Legal & Regulatory Compliance:
- Complying with NDIS Code of Conduct
- Meeting NDIS Practice Standards
- Regulatory reporting to NDIS Commission
- Compliance with mandatory reporting laws
- Fulfilling duty of care obligations
- Responding to legal inquiries or court orders
Continuous Improvement:
- Identifying service gaps and improvements
- Feedback collection and analysis
- Service development and innovation
- Training and professional development
- Organizational learning and quality improvement
6.2 Secondary Purposes
Lotus Care SA may use information for secondary purposes including:
- Research and evaluation (de-identified)
- Program development and improvement
- Staff training and development
- Marketing and promotion (with consent)
- Organizational planning
- Network and partnership development
Secondary use of personal information requires:
- Your explicit consent, or
- A direct connection to the primary purpose, or
- Legal authority or obligation
7. WHO WE DISCLOSE INFORMATION TO
7.1 Authorized Disclosures
Lotus Care SA discloses personal information to third parties only where:
- You have provided consent
- It is necessary to provide your services
- It is required by law
- It is in your best interests to prevent harm
We may disclose information to:
NDIS-Related Parties:
- National Disability Insurance Agency (NDIA)
- NDIS Quality and Safeguards Commission (for regulatory compliance)
- NDIS planners (to coordinate your plan)
- Local Area Coordinators
- Plan managers (if you have a plan-managed arrangement)
- Other registered NDIS providers (with your consent)
Support & Healthcare Providers:
- Your GP or medical specialists
- Allied health professionals (physiotherapists, psychologists, etc.)
- Hospital or residential facilities
- Mental health service providers
- Community health services
- Other disability support providers (with consent)
- Emergency services (when necessary)
Family & Representatives:
- Your nominated guardian or representative
- Family members (with your authorization)
- Enduring power of attorney holders
- Authorized legal representatives
Government & Regulatory Bodies:
- Australian authorities (NDIS Commission, Department of Social Services)
- South Australian government agencies
- Tax authorities (ATO)
- Centrelink (where relevant to your support)
- WorkCover or insurance bodies
- Law enforcement (when legally required)
- Child protection authorities (mandatory reporting)
- Adult safeguarding authorities
- Courts or legal tribunals (when legally required)
Professional Service Providers:
- Our accountants and auditors
- Legal advisors
- Insurance providers
- Recruitment and HR providers
- IT service providers
- Storage and records management companies
- Quality assurance auditors
Workplace Safety:
- Work health and safety regulators (if incident involves workplace safety)
- Emergency services
- Workplace incident investigators
Financial Parties:
- NDIS (for billing and funding)
- Your plan manager (if applicable)
- Financial institutions (for payment processing)
- Credit providers (if relevant)
- Collection agencies (if payment is overdue)
7.2 Limitations on Disclosure
Lotus Care SA does not disclose personal information:
- Without your consent (except as legally authorized)
- For marketing or commercial purposes (without consent)
- For research purposes that could identify you
- To organizations without adequate security measures
- Beyond what is necessary for the stated purpose
- Unless the recipient has agreed to maintain confidentiality
8. OVERSEAS DISCLOSURE
8.1 Overseas Transfers
Lotus Care SA primarily stores information within Australia. However, in limited circumstances, information may be transferred overseas to:
Cloud Service Providers:
- AWS (Amazon Web Services) based in Australia
- Microsoft Azure (Australian data centers)
- Google Cloud (Australian data centers)
- Other third-party service providers (when necessary)
International Healthcare:
- Overseas health practitioners (if you receive overseas medical services, with consent)
- International specialist consultations
- Overseas therapy or support (if agreed in your service plan)
8.2 Overseas Disclosure Protections
Before overseas transfer, Lotus Care SA ensures:
- The overseas recipient has privacy protections equivalent to Australian law
- Written agreement to maintain confidentiality
- Limited transfer to information necessary for the stated purpose
- Your explicit consent (where required)
- Compliance with Australian Privacy Principles
Overseas disclosures are made to countries with privacy legislation equivalent to Australia’s, or with contractual privacy protections in place.
8.3 Your Rights Regarding Overseas Disclosure
You have the right to:
- Request a list of countries to which your information may be disclosed
- Opt-out of non-essential overseas disclosures
- Request additional security measures for overseas transfers
- Withdraw consent for overseas transfers (with service delivery implications)
9. CONSENT & AUTHORITY
9.1 Collection & Use Consent
Lotus Care SA obtains your consent before collecting personal information, except where:
- Collection is required by law (mandatory reporting, court orders)
- Collection is necessary to prevent harm to yourself or others
- You are unable to consent and a guardian provides consent
- Information is collected from a third party and consent is not practicable
9.2 Guardian Authority
If a guardian or representative is making decisions on your behalf:
- They must provide legal evidence of their authority
- They must confirm they have capacity and authority to consent
- Guardianship documentation must be provided and retained
- Lotus Care SA will verify guardianship arrangements with authorities if necessary
9.3 Capacity & Informed Consent
When assessing your capacity to provide consent:
- Lotus Care SA assumes you have capacity unless demonstrated otherwise
- Information is provided in accessible, understandable language
- Time and support are provided for you to consider and decide
- Consent is voluntary, not pressured
- You can withdraw consent at any time
9.4 Consent Forms
Lotus Care SA maintains consent forms documenting:
- What information is being collected
- Why it is being collected
- How it will be used and disclosed
- Your agreement to collection and use
- Your rights regarding the information
- Date and signature of consent
Consent forms are:
- Provided before service commencement
- In plain language
- Available in alternative formats
- Stored securely
- Updated when purposes change
9.5 Withdrawal of Consent
You may withdraw your consent to collection, use, or disclosure of information at any time by:
- Written notice to Lotus Care SA
- Email to: privacy@lotuscaresa.com.au
- Phone: 0481 851 121
Withdrawal of consent does not apply to information already collected and used for the primary service purpose, but future use may be limited.
10. USE OF PERSONAL INFORMATION
10.1 Primary Use
Personal information is used only for the primary purpose it was collected for, unless:
- You have provided additional consent
- Use is directly related to the primary purpose
- Use is authorized by law
- Use is necessary to prevent harm
10.2 Secondary Use
If Lotus Care SA wishes to use information for a secondary purpose, we will:
- Obtain your explicit consent, or
- Assess whether use is directly related to primary purpose, or
- Confirm legal authority
Secondary use includes:
- Sharing with other support providers (with your consent)
- Program evaluation or research (de-identified)
- Staff training or case discussion (de-identified)
- Regulatory reporting or investigations
- Legal proceedings or disputes
10.3 Sensitive Information Use
Sensitive information is used only:
- For the stated primary purpose
- With your explicit consent for secondary use
- As required by law (mandatory reporting)
- To prevent serious harm
Sensitive information is:
- Handled with heightened confidentiality
- Accessed only by staff with legitimate need
- Stored separately with additional security
- De-identified when possible
10.4 Health Information Management
Health information is managed with particular care:
- Stored separately from other personal information
- Accessed only by health professionals or necessary support workers
- Used only for health and safety purposes
- Subject to additional privacy protections
- Disclosed only with your consent (except mandatory reporting)
11. SECURITY & STORAGE OF INFORMATION
11.1 Security Obligations
Lotus Care SA takes information security seriously and implements:
Physical Security:
- Locked filing cabinets and storage areas
- Limited access to records (staff with need to know)
- Secure office environment with access controls
- CCTV in file storage areas (where relevant)
- Supervised access to sensitive records
Digital Security:
- Password-protected systems and devices
- Multi-factor authentication for sensitive data
- Data encryption for transmitted information
- Firewall and antivirus protection
- Regular security updates and patching
- Intrusion detection systems
- Secure server environments (AWS or equivalent)
Organizational Security:
- Staff training on privacy and confidentiality
- Privacy and security policies enforced
- Access controls limiting staff access to necessary information
- Confidentiality agreements with all staff
- Regular audits of security practices
- Incident response procedures
Third-Party Security:
- Contractual requirements for service providers to maintain security
- Due diligence assessment of providers’ security practices
- Regular audits of third-party security
- Privacy agreements with all third parties
- Data processing agreements where required
11.2 Information Storage
Personal information is stored:
Paper Records:
- In locked filing cabinets
- In secure office areas
- Organized by participant with access controls
- Protected from damage, loss, or unauthorized access
Electronic Records:
- In password-protected systems
- On secure servers with regular backups
- With encryption for sensitive information
- With audit trails of access and modifications
- Backed up daily to secure locations
Hybrid Storage:
- Some information in both paper and electronic form
- Both forms subject to equivalent security
- Electronic records as primary storage where possible
11.3 Data Handling Standards
All staff handling personal information:
- Receive privacy and confidentiality training
- Understand their confidentiality obligations
- Have written agreements to maintain confidentiality
- Follow security procedures and protocols
- Report security incidents immediately
- Are subject to disciplinary action for breaches
12. DATA BREACH & NOTIFIABLE DATA BREACHES SCHEME
12.1 What Constitutes a Data Breach
A data breach occurs when:
- Personal information is lost, stolen, or accessed without authorization
- Information is accidentally disclosed to unauthorized parties
- Information is compromised by malware, hacking, or human error
- Unauthorized access to information occurs
- Information is corrupted or destroyed
12.2 Breach Response Procedures
When a data breach is discovered, Lotus Care SA:
Immediate Response (Within hours):
- Isolates the breach to prevent further unauthorized access
- Stops any ongoing unauthorized access
- Secures affected systems and information
- Begins evidence collection and documentation
- Notifies the Privacy Officer and management
- Convenes the Incident Response Team
Investigation (Within 24-48 hours):
- Investigates the scope and nature of the breach
- Identifies information affected
- Determines individuals impacted
- Assesses likelihood of serious harm
- Documents the breach thoroughly
- Implements containment measures
Notification (Where required):
- Assesses whether notification is legally required
- Notifies affected individuals within 30 days
- Notifies the Privacy Commissioner (if required)
- Provides clear information about the breach
- Recommends protective steps individuals can take
- Provides contact details for inquiries
Remediation (Ongoing):
- Fixes the vulnerability that caused the breach
- Implements additional security measures
- Reviews and updates policies
- Provides affected individuals with support
- Monitors for further unauthorized access
12.3 Notifiable Data Breaches Scheme (NDB)
Lotus Care SA complies with the Notifiable Data Breaches Scheme:
When Notification is Required: A data breach must be reported when:
- There is a serious likelihood of serious harm to an affected individual
- The serious harm includes identity theft, fraud, financial loss, physical harm, psychological harm, or reputational harm
- The breach involves sensitive information (health, financial, or identity information)
Who We Notify:
- Affected individuals (within 30 days of discovery)
- Privacy Commissioner (if notification of individuals is given)
- Other authorities (where required by law)
What We Include in Notification:
- Nature of the breach
- Information affected
- Identity of our organization
- Steps we are taking in response
- Steps individuals can take to protect themselves
- Contact details for inquiries
- Privacy Commissioner contact details
12.4 Record Keeping
Lotus Care SA maintains records of:
- All suspected breaches (even if not notifiable)
- Investigation findings and conclusions
- Individuals affected
- Remedial actions taken
- Breach notifications sent
- Follow-up communications
Breach records are retained for minimum 7 years.
13. SENSITIVE INFORMATION MANAGEMENT
13.1 Sensitive Information Categories
Lotus Care SA handles sensitive information relating to:
- Disability and support needs
- Mental health and psychological wellbeing
- Medical conditions and treatments
- Cultural and spiritual beliefs
- Sexual orientation or gender identity
- Racial or ethnic background
- Criminal history (where relevant)
- Substance use or addiction
- Abuse or exploitation history
13.2 Enhanced Protections
Sensitive information receives enhanced protections:
Collection:
- Explicit consent required for collection
- Minimum necessary collection only
- Clear explanation of why information is needed
- Assurance that provision is voluntary
Use:
- Primary purpose only (without additional consent)
- No secondary use without explicit consent
- Strict confidentiality maintained
- Limited staff access
Storage:
- Separate secure storage where possible
- Password-protected electronic access
- Limited backup and duplication
- Encrypted transmission
Disclosure:
- Explicit consent required for disclosure
- Disclosure to minimum necessary recipients
- Confidentiality obligations on recipients
- Regular audit of disclosures
Retention:
- Retained only while necessary
- Destroyed securely when no longer needed
- No archival of sensitive information
13.3 Disability Information
Disability information is particularly sensitive and handled with:
- Respect for your dignity and autonomy
- Understanding of the impact of disclosure
- Recognition of stigma and discrimination risks
- Protection against unauthorized use
- Your control over who knows about your disability
14. HEALTH INFORMATION
14.1 Health Information Protections
Health information is managed with heightened protections:
Collection:
- Explicit consent required
- Only information necessary for safe service delivery
- Collection from health professionals (with consent)
- Clear communication about purposes
Use:
- Health and safety purposes only
- Support worker briefing and training
- Medical emergency response
- Coordination with healthcare providers
- No other use without consent
Storage:
- Separate secure storage
- Limited staff access (health professionals and necessary support workers)
- Encrypted storage and transmission
- Regular backup and recovery procedures
Disclosure:
- Consent required before disclosure
- Only to health professionals and support workers
- Exceptions for mandatory reporting and emergencies
- Record keeping of disclosures
14.2 Medication Information
Medication information is handled securely:
- Stored with heightened security
- Accessed only by staff authorized to administer or monitor
- Updated regularly as medications change
- Shared with healthcare providers as needed
- Reviewed for interactions and appropriateness
14.3 Mental Health Information
Mental health information receives enhanced protections:
- Recognized as sensitive and stigmatizing
- Stored separately
- Accessed only by mental health professionals and necessary support workers
- Disclosed only with explicit consent
- Protected from irrelevant access
15. PARTICIPANT ACCESS & CORRECTION RIGHTS
15.1 Right to Access Information
You have the right to access personal information Lotus Care SA holds about you by:
- Submitting a written access request
- Emailing: privacy@lotuscaresa.com.au
- Phoning: 0481 851 121
- Visiting in person
Request Content: Clearly specify:
- What information you want to access
- The format you want (electronic, paper, etc.)
- Any accessibility requirements
Access Timelines:
- Simple requests: 10 business days
- Complex requests: up to 30 days
- Extended timeline notified with reasons
Access Verification:
- Identity verified before disclosure
- Access limited to your information (not other participants’)
- Information organized and clearly presented
Access Costs:
- First access within 12 months: Free
- Subsequent accesses: May be charged reasonable costs
- Costs quoted before processing (if applicable)
15.2 Right to Correction
You have the right to correct inaccurate, incomplete, or out-of-date information:
Correction Process:
- Identify the information that needs correction
- Explain what is inaccurate or outdated
- Provide corrected information
- Provide supporting evidence (if applicable)
Correction Timelines:
- Simple corrections: Within 10 business days
- Complex corrections: Up to 30 days
- Verification of information may be required
Correction Methods:
- In person at office
- By email: privacy@lotuscaresa.com.au
- By phone: 0481 851 121
- By mail to registered address
15.3 Statement of Disagreement
If Lotus Care SA refuses to correct information, you may request:
- A written statement of why correction was refused
- The right to add a statement of disagreement to your file
- The disagreement to be disclosed with the information
15.4 Access by Guardians
If you have a guardian or representative:
- They may request access on your behalf
- Legal proof of authority is required
- Access is provided to both you and your guardian
- You may limit guardian access if you have capacity
16. RETENTION & DESTRUCTION OF INFORMATION
16.1 Retention Periods
Personal information is retained only for as long as:
- Necessary to provide services
- Required by law or regulation
- Reasonably needed for legal purposes
- You have requested information be retained
Typical Retention Periods:
| Information Type | Retention Period | Reason |
|---|---|---|
| Service participant records | 7 years after service ends | NDIS standards, legal claims |
| Health records | 7 years minimum | Medical history, legal claims |
| Financial records | 7 years | Tax, audit, dispute resolution |
| Incident/accident records | 7 years | Liability, legal requirements |
| Complaints/disputes | 7 years | Dispute resolution, complaints |
| NDIS documentation | Duration of NDIS eligibility + 7 years | NDIS requirements |
| Website analytics | 2 years | Service improvement |
| Cookies | 1-2 years | Website functionality |
| Backup copies | 1-3 months | Data recovery only |
16.2 Destruction Procedures
When information is no longer required:
Paper Records:
- Shredded confidentially
- Incinerated
- Pulped
- Not recycled without shredding
Electronic Records:
- Permanently deleted
- Overwritten multiple times
- Securely wiped using data destruction software
- Not just moved to recycle bin
Secure Destruction:
- Witnessed destruction (where sensitive)
- Certificate of destruction issued
- Third-party destruction service certified
- No recovery possible
16.3 De-identification
Where appropriate, information is de-identified rather than destroyed:
- Removes identification details
- Enables ongoing research or evaluation
- Cannot be re-identified
- De-identified information not subject to privacy laws
16.4 Retention Exceptions
Information is retained beyond normal periods if:
- Required by law (mandatory reporting, legal hold)
- Subject to legal dispute or proceeding
- You have requested retention
- Archival or research purposes (de-identified)
17. COOKIES & WEBSITE TRACKING
17.1 Cookies
Lotus Care SA’s website uses cookies:
Essential Cookies:
- Remember login information
- Maintain website security
- Enable website functionality
Analytics Cookies:
- Track website usage patterns
- Understand which pages are visited
- Improve website performance
- Identify popular content
Third-Party Cookies:
- From Google Analytics (website analytics)
- From social media (if social media embedded)
- Advertising cookies (if applicable)
17.2 Cookie Consent
Website visitors are notified of:
- Use of cookies on the website
- Types of information collected
- How information is used
- How to disable cookies
Consent is obtained before:
- Non-essential cookies are set
- Analytics cookies track behavior
17.3 Website Analytics
Lotus Care SA uses Google Analytics to:
- Track website traffic
- Understand user behavior
- Identify popular pages
- Improve website design
- Measure effectiveness
Analytics data:
- Is anonymized and aggregate
- Does not identify individuals
- Is retained for 2 years
- Is used for service improvement only
17.4 Disabling Cookies
Website visitors may:
- Disable cookies in browser settings
- Opt-out of Google Analytics tracking
- Limit data collection
- Exercise privacy controls
Disabling cookies may:
- Affect website functionality
- Prevent access to certain features
- Reduce personalization
18. THIRD-PARTY LINKS
18.1 External Links
The Lotus Care SA website contains links to third-party websites:
- NDIS (www.ndis.gov.au)
- NDIS Commission (www.ndiscommission.gov.au)
- Government health services
- Disability service organizations
- Community resources
18.2 No Responsibility
Lotus Care SA is not responsible for:
- Third-party website privacy practices
- Third-party data collection
- Third-party security measures
- Information collected by third parties
- Third-party policy changes
18.3 Third-Party Privacy
Third-party websites have their own privacy policies:
- Review third-party privacy policies before visiting
- Information collected is subject to their policies
- Lotus Care SA has no control over their practices
- Privacy concerns about third parties should be directed to them
18.4 Lotus Care SA Privacy Control
When you click a third-party link:
- You are leaving the Lotus Care SA website
- Lotus Care SA’s privacy protections no longer apply
- You are subject to the third-party’s privacy policy
- You should review their privacy policy
19. CHILDREN’S PRIVACY
19.1 Children Under 13
If a child under 13 years old is a participant:
- Parental consent is required for collection
- Parent/guardian controls information access
- Child’s information is managed with heightened care
- Child is informed about privacy practices (in age-appropriate language)
19.2 Young People 13-18
For young people aged 13-18:
- They may provide consent with parent/guardian awareness
- Parents retain some decision-making authority
- Young person’s developing autonomy is respected
- Information is explained in accessible language
19.3 Safe Support of Children
When providing services to children:
- Child safety is paramount
- Mandatory reporting obligations are met
- Child protection laws are complied with
- Children are empowered to report concerns
- Privacy is respected while maintaining safety
20. COMPLAINTS & DISPUTE RESOLUTION
20.1 Privacy Complaint Procedure
If you have concerns about Lotus Care SA’s privacy practices:
Step 1: Informal Resolution (Within 7 Days)
- Contact Privacy Officer directly
- Explain your concern clearly
- Provide relevant details and dates
- Allow 5 business days for response
Step 2: Formal Complaint (If Not Resolved)
- Submit written complaint to Privacy Officer
- Include all relevant details and documentation
- Specify desired outcome or resolution
- Receive response within 10 business days
Step 3: Escalation (If Not Resolved)
- Request escalation to management
- Management reviews complaint independently
- Response provided within 10 business days
- Mediation offered if appropriate
20.2 Complaint Contacts
Privacy Officer:
- Name: Junaid Qureshi
- Phone: 0481 851 121
- Email: privacy@lotuscaresa.com.au
20.3 External Privacy Complaint
If not satisfied with Lotus Care SA’s response, you may lodge a complaint with:
Office of the Australian Information Commissioner (OAIC):
- Website: www.oaic.gov.au
- Phone: 1300 363 992
- Address: GPO Box 5218, Sydney NSW 2001
NDIS Quality and Safeguards Commission:
Website: www.ndiscommission.gov.au
Phone: 1800 035 734
20.4 Privacy Complaint Timeline
- You may lodge complaint within 12 months of discovering the issue
- Complaints are investigated within 30 days
- Extensions notified if investigation requires more time
- You are kept informed of investigation progress
- Final response provided within agreed timeline
20.5 Outcome Options
Privacy complaints may result in:
- Confirmation that privacy practices comply with law
- Apology and explanation
- Correction of inaccurate information
- Improvement of privacy processes
- Compensation for loss or damage
- Referral to regulatory authorities
21. PRIVACY OFFICER & CONTACT DETAILS
21.1 Privacy Officer
Lotus Care SA designates a Privacy Officer responsible for:
- Implementing this privacy policy
- Responding to privacy inquiries and complaints
- Investigating privacy concerns
- Recommending process improvements
- Liaising with privacy regulators
- Training staff on privacy obligations
- Auditing privacy compliance
Privacy Officer Details:
- Name:Junaid Qureshi
- Phone: 0481 851 121
- Email: privacy@lotuscaresa.com.au
21.2 Privacy Inquiries
For privacy-related inquiries, contact:
Email: privacy@lotuscaresa.com.au
Phone: 0481 851 121
Response Time: Within 5 business days for general inquiries; within specified timeframes for formal requests
21.3 Access Request Submissions
To request access to your personal information:
Email: privacy@lotuscaresa.com.au
Phone: 0481 851 121
In Person: Visit during office hours and request Privacy Officer
Include in your request:
- Your full name
- Service participant number
- Type of information requested
- Preferred format (electronic, paper, etc.)
- Proof of identity
22. GOVERNANCE & UPDATES
22.1 Privacy Policy Governance
This Privacy Policy is:
- Approved by Lotus Care SA management
- Reviewed annually or when laws change
- Updated to reflect regulatory changes
- Communicated to all staff and participants
- Accessible to all stakeholders
22.2 Staff Privacy Training
All Lotus Care SA staff:
- Receive privacy and confidentiality training
- Understand their privacy obligations
- Know procedures for information handling
- Understand consequences of breaches
- Participate in annual refresher training
22.3 Changes to This Policy
Lotus Care SA may update this Privacy Policy:
- When legislation changes
- When NDIS standards change
- When business practices change
- To improve clarity or accessibility
- To address compliance issues
Notice of Changes:
- Updated policy posted on website
- Email notification to participants
- Physical copies available on request
- Effective date specified
- Key changes highlighted
22.4 Version Control
| Version | Date | Changes | Approved By |
|---|---|---|---|
| 1.0 | 02/01/2026 | Initial policy | Arman Bihari |
22.5 Related Policies
This Privacy Policy works with:
- Lotus Care SA Terms and Conditions
- Complaints Procedure
- Information Security Policy
- Data Retention Policy
- NDIS Code of Conduct
- NDIS Practice Standards
PRIVACY POLICY ACKNOWLEDGMENT
By accessing Lotus Care SA services, website, or providing personal information, you acknowledge:
- You have read this Privacy Policy
- You understand your privacy rights
- You understand how your information is handled
- You consent to collection, use, and disclosure as described
- You understand how to lodge complaints or access information
Signed for and on behalf of Lotus Care SA Pty Ltd:
Name: Harsh Modi
Position: Director
Date: 02/01/2026
APPENDIX A: AUSTRALIAN PRIVACY PRINCIPLES SUMMARY
| APP | Principle | Lotus Care SA Compliance |
|---|---|---|
| 1 | Open and transparent management | This policy, accessible information |
| 2 | Collection of solicited personal information | Explained purpose, consent obtained |
| 3 | Collection of unsolicited personal information | Assessed necessity, destroyed if not needed |
| 4 | Dealing with personal information | Only for primary purpose without consent |
| 5 | Notification about personal information management | This policy provided, explained |
| 6 | Use or disclosure of personal information | Limited to primary purpose, consent for secondary |
| 7 | Direct marketing | Not without consent |
| 8 | Credit reporting information | Not applicable (not a credit provider) |
| 9 | Overseas disclosure | Limited, adequate protections |
| 10 | Quality of personal information | Accurate, up-to-date, complete |
| 11 | Security of personal information | Encrypted, secured, protected |
| 12 | Access to personal information | Free access, timely response |
| 13 | Correction of personal information | Corrected or statement added |
APPENDIX B: NDIS CODE OF CONDUCT PRIVACY PRINCIPLE
Principle 2 – Respect the privacy of people with disability
Lotus Care SA complies with this principle by:
- Not disclosing personal information without consent (except legally required)
- Respecting privacy in service delivery
- Maintaining confidentiality of all information
- Securing information against unauthorized access
- Responding to privacy concerns promptly
- Training staff on privacy obligations
- Maintaining clear policies and procedures
APPENDIX C: MANDATORY REPORTING
Lotus Care SA staff may disclose information without consent when:
Child Abuse or Neglect:
- To child protection authorities
- Where there is reasonable suspicion of harm to a child
Elder Abuse or Neglect:
- To relevant authorities
- Where vulnerable adult is at risk
Sexual Abuse or Exploitation:
- To law enforcement
- Where sexual abuse is suspected
Serious Risk of Harm:
- To emergency services
- Where imminent risk exists
- To prevent loss of life or serious injury
Duty of Care:
- Information disclosed in participant’s best interest
- To protect safety and welfare
- Minimal disclosure necessary
Participants are informed of:
- What information will be disclosed
- Why disclosure is occurring
- Where information is being shared
- Their rights in the process
This Privacy Policy is effective from 02/01/2026 and continues until revised or replaced.



