1300 934 868
Perth, WA
Gratitude Support Services

Privacy Policy

How we collect, use and protect your personal information.

Effective Date: 1 January 2024 | Last Updated: June 2026

1. Introduction

Gratitude Support Services Pty Ltd (ABN 15 657 957 287), trading as Gratitude Support Services (“we”, “us”, “our”), is committed to protecting the privacy of all individuals who interact with our organisation. This Privacy Policy outlines how we collect, hold, use, disclose and manage personal information in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and the NDIS Practice Standards.

As a registered NDIS provider, we understand the importance of maintaining the confidentiality and security of your personal information. We are committed to transparency about our information handling practices and ensuring you have control over your personal information.

2. What Personal Information We Collect

We collect personal information that is reasonably necessary for, or directly related to, providing disability support services. The types of information we may collect include:

2.1 Identity and Contact Information

  • Full name, date of birth, gender and preferred pronouns
  • Residential and postal address
  • Phone numbers (mobile and landline)
  • Email address
  • Emergency contact details
  • Next of kin or nominated representative details
  • Photographs (for identification and service records)

2.2 NDIS and Service Information

  • NDIS participant number
  • NDIS plan details, including funding categories and budgets
  • Plan manager and support coordinator contact details
  • Service agreements and support schedules
  • Progress notes and service delivery records
  • Goals and outcomes documentation

2.3 Health and Sensitive Information

  • Disability type and support needs
  • Medical conditions, diagnoses and health history
  • Medication requirements and administration records
  • Allergies and dietary requirements
  • Mental health information
  • Behavioural support needs and strategies
  • Risk assessments and safety plans
  • Cultural and religious background (where relevant to service delivery)
  • Aboriginal and/or Torres Strait Islander status

2.4 Employment and Recruitment Information

For job applicants and employees, we also collect:

  • Employment history and qualifications
  • Professional references
  • Working With Children Check and National Police Clearance results
  • NDIS Worker Screening Check status
  • First Aid and CPR certifications
  • Driver licence details
  • Vaccination status (where required)
  • Bank account details (for payroll)
  • Tax file number and superannuation details

3. How We Collect Personal Information

We collect personal information through various means, including:

  • Directly from you when you enquire about or register for our services
  • Through referral forms submitted via our website or in person
  • From your nominated representatives, family members or carers (with your consent)
  • From other service providers, support coordinators or plan managers involved in your support
  • From the NDIA or My Aged Care
  • From healthcare professionals (with your consent)
  • Through our website, including contact forms and online enquiries
  • During the course of providing support services
  • Through phone calls, emails and other correspondence
  • From publicly available sources where appropriate

Where possible, we collect personal information directly from you. If we collect information from third parties, we will take reasonable steps to ensure you are aware of this collection.

4. Purpose of Collection and Use

We collect and use personal information for the following purposes:

4.1 Service Delivery

  • Assessing eligibility and suitability for our services
  • Developing and implementing individualised support plans
  • Providing disability support services in accordance with your NDIS plan
  • Coordinating services with other providers in your support network
  • Monitoring and reviewing your progress and outcomes
  • Ensuring your health, safety and wellbeing during service delivery
  • Managing incidents, complaints and feedback

4.2 Administrative Purposes

  • Processing referrals and service agreements
  • Scheduling and coordinating support services
  • Invoicing and processing payments through the NDIS portal
  • Communicating with you about your services
  • Maintaining accurate service records
  • Managing our waiting list

4.3 Legal and Compliance

  • Complying with NDIS Quality and Safeguards Commission requirements
  • Meeting our obligations under the NDIS Act 2013
  • Fulfilling mandatory reporting obligations
  • Responding to legal requests and court orders
  • Maintaining required records for audit purposes
  • Complying with workplace health and safety legislation

4.4 Employment and Recruitment

  • Assessing job applications and conducting interviews
  • Verifying qualifications, clearances and work history
  • Managing employment relationships
  • Processing payroll and superannuation
  • Providing training and professional development

4.5 Quality Improvement

  • Analysing service delivery data to improve our services
  • Conducting participant satisfaction surveys
  • Internal training and staff development
  • Research and service development (with de-identified data)

5. Disclosure of Personal Information

We may disclose your personal information to the following parties:

  • The National Disability Insurance Agency (NDIA) for the purpose of claiming payment for services provided under your NDIS plan
  • Plan managers for invoicing and payment purposes
  • Support coordinators to assist in coordinating your supports
  • Other service providers involved in your care (with your consent)
  • Healthcare professionals where necessary for your health and safety
  • The NDIS Quality and Safeguards Commission as required for compliance, auditing and reportable incident notification
  • Government agencies where required by law
  • Emergency services in the event of an emergency
  • Our professional advisors including lawyers, accountants and insurers
  • Third-party service providers who assist us with IT, data storage and administrative services (under strict confidentiality agreements)

We will not sell, rent or trade your personal information to any third party for marketing purposes. We will not disclose your personal information overseas without your consent, unless required by law.

6. Consent

We will obtain your consent before collecting sensitive information about you. Consent may be express (written or verbal) or implied through your conduct. You may withdraw your consent at any time by contacting us, although this may affect our ability to provide certain services to you.

For participants who have a guardian, nominee or administrator appointed, we will seek consent from the appropriate decision-maker in accordance with legal requirements.

7. Storage and Security

We take reasonable steps to protect personal information from misuse, interference, loss and unauthorised access, modification or disclosure. Our security measures include:

  • Secure electronic storage systems with encryption and access controls
  • Password protection and multi-factor authentication for staff access
  • Regular security updates and vulnerability assessments
  • Physical security measures for paper records (locked cabinets, restricted access areas)
  • Staff training on privacy and confidentiality obligations
  • Confidentiality agreements with all staff and contractors
  • Secure disposal of personal information when no longer required

Personal information is primarily stored within Australia. Where we use cloud-based services, we ensure appropriate security and privacy protections are in place.

8. Retention of Information

We retain personal information for as long as necessary to fulfil the purposes for which it was collected, and to comply with our legal obligations. As an NDIS provider, we are required to retain participant records for a minimum of seven (7) years after the last service was provided, or longer if required by law. Employment records are retained in accordance with taxation and workplace relations legislation.

When personal information is no longer required, we will take reasonable steps to destroy or de-identify it securely.

9. Your Rights

Under the Privacy Act, you have the following rights:

9.1 Right to Access

You have the right to request access to the personal information we hold about you. We will respond to access requests within 30 days. In some circumstances, we may refuse access (for example, where providing access would pose a serious threat to health or safety, or would unreasonably impact the privacy of others). If we refuse access, we will provide reasons in writing.

9.2 Right to Correction

You have the right to request correction of personal information that is inaccurate, out-of-date, incomplete, irrelevant or misleading. We will respond to correction requests within 30 days. If we refuse to make a correction, you may request that we associate a statement with your information noting your view that it is inaccurate.

9.3 Right to Withdraw Consent

You may withdraw your consent for certain uses or disclosures of your personal information at any time. Please note that withdrawing consent may affect our ability to provide services to you.

9.4 Right to Complain

You have the right to make a complaint if you believe we have breached your privacy. See Section 11 below for details on how to make a complaint.

10. Website and Cookies

When you visit our website, our server may collect certain information including your IP address, browser type, pages visited and time spent on the site. This information is used to improve our website and does not personally identify you.

Our website may use cookies to enhance your browsing experience. You can configure your browser to refuse cookies, although this may affect the functionality of our website. We may also use analytics tools (such as Google Analytics) to understand how visitors use our website.

Our website may contain links to third-party websites. We are not responsible for the privacy practices of these websites and encourage you to review their privacy policies.

11. Complaints

If you believe we have breached your privacy or mishandled your personal information, you may lodge a complaint by:

  • Contacting us using the details below
  • Submitting a complaint through our website
  • Speaking with your support worker or our management team

We will investigate all complaints and respond within 30 days. If you are not satisfied with our response, you may escalate your complaint to:

  • The Office of the Australian Information Commissioner (OAIC) - Phone: 1300 363 992 | Website: www.oaic.gov.au
  • The NDIS Quality and Safeguards Commission - Phone: 1800 035 544 | Website: www.ndiscommission.gov.au

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. The updated policy will be posted on our website with a new effective date. We encourage you to review this policy periodically. Continued use of our services after any changes indicates your acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy, wish to access or correct your personal information, or want to make a complaint, please contact us:

Gratitude Support Services
Privacy Officer
14/28 Belmont Avenue, Rivervale WA 6103
Phone: 1300 934 868
Email: info@gratitude.org.au

CallRefer Now