
Proposed Changes to Privacy Laws

Paula explores the proposed new Commonwealth Privacy Act and what it might change about how providers collect and handle personal information.

By Paula Spencer

Updated 15 Apr 2024 (originally published 14 Nov 2023)

NDIS providers have various legal and regulatory obligations to consider when developing or enhancing their privacy management systems.

This can be overwhelming, and changes are afoot.

The federal government is currently considering making some significant changes to the Commonwealth Privacy Act, with the aim to strengthen the protection of people’s personal information and the control they have of their own information.

This is very timely, as organisations, including NDIS providers, are collecting and storing significant amounts of personal information. Data breaches are a real concern. 

The Commonwealth Privacy Act already requires that the people whose information is being collected:

  • Are informed of why their personal information is being collected, how it will be used and who it will be disclosed to.
  • Can remain anonymous or use a pseudonym in certain circumstances.
  • Can ask for access to their personal information.
  • Can ask for their personal information to be updated or corrected.
  • Can request that they do not get sent direct marketing.
  • Can make a complaint if they believe their personal information has been mishandled.

So, what are the proposed changes?

The current Privacy Act applies to all businesses with an annual turnover of more than $3 million, and to any business, regardless of size, that handles health information or provides health services.

One of the proposed changes is to require all businesses to comply, no matter how small. This is being met with resistance from small businesses, who are concerned about the additional administrative burden, bureaucracy, and the possibility of penalties for non-compliance.

However, small NDIS providers who handle participants’ health information will not be affected by this change, as they are already required to comply.

The Office of the Australian Information Commissioner defines health information as information about a person’s health or disability, including any information or opinion about a disability.

Some examples of health information include:

  • Diagnosis.
  • Information about received or planned health services.
  • Case notes containing information relating to health, such as details of what was discussed at appointments, treatment plans etc. 
  • Specialist reports and test results.
  • Prescriptions and other pharmaceutical purchases.

So you can see that many, if not most, NDIS providers are already required to comply with the Privacy Act.

Support to understand privacy rights

Another of the proposed changes is to require companies to provide individuals with reasonable assistance to understand and exercise their privacy rights.

It is also proposed that the Act includes the need for supported decision making in regard to capacity and consent. This will mean that, where required, people will have to be supported to understand their rights and what they are consenting to.

If you are a registered provider and audited to the Certification level of the standard, you are already required to ensure that participants are advised of confidentiality policies using the language, mode of communication and terms they are most likely to understand, and that they understand and agree to what personal information will be collected and why.

NDIS providers who already have an effective privacy management system in place, including ways to ensure participants’ rights and wishes are sought, listened to, and respected, will likely be on the front foot.

Why are these changes happening?

The Attorney-General’s Department was tasked with completing the review and has tabled its recommendations to the government. The government released a response to the review in September 2023. This response included a requirement for the Attorney-General’s Department to develop legislative proposals, complete an impact analysis and consult further with small businesses and their associations.

Further details can be found at

Next steps

It is expected that the draft legislation will be finalised in 2024, with a transition period planned for compliance.

In the meantime, to assist you to comply with the current Commonwealth and State legislation and the NDIS standards, we have developed two courses on Privacy and Personal Information. One is targeted at support workers, and the other is for managers and people responsible for setting up and managing privacy systems.

This article has also been published at

