This document sets out the privacy policy of CAREVICINITY PTY LTD ACN 656 800 690 (referred to in this privacy policy as 'we', 'us', or 'our').
We take our privacy obligations seriously and we’ve created this privacy policy to explain how we store, maintain, use and disclose personal information to ensure we comply with the Privacy Act 1988 (Cth) (Privacy Act), the 13 Australian Privacy Principles (APP), and all applicable state and territory privacy legislation.
This Privacy Policy applies to all personal information collected by us, including sensitive information such as health information.
By providing personal information (including sensitive information) to us, you consent to our storage, maintenance, use and disclosing of personal information in accordance with this privacy policy.
We may change this privacy policy from time to time by posting an updated copy on our website and we encourage you to check our website regularly to ensure that you are aware of our most current privacy policy. Material changes to this Privacy Policy will be notified to affected individuals where practicable.
We are committed to:
collecting personal information only when reasonably necessary for our functions or activities;
collecting information lawfully and fairly, without undue intrusion;
providing transparency about our privacy practices;
protecting personal information from misuse, loss, unauthorised access, modification, and disclosure;
allowing individuals to access and correct their personal information;
providing accountability for our privacy management;
respecting the privacy of children and vulnerable people;
treating health information with the highest level of care and confidentiality;
respecting the rights of individuals to interact with us anonymously or under a pseudonym where practicable;
not adopting government identifiers as our own, and only using such identifiers where authorised by law; and
managing unsolicited information responsibly and securely.
The personal information we collect may include the following:
We collect information about individuals of all ages, including children and people with cognitive or communication difficulties. If you are providing information on behalf of a minor or person without capacity, you must have appropriate authority to do so.
We will collect your personal information in a lawful and fair way. We will only collect your personal information where you have consented to it, or otherwise in accordance with the law. Where information is collected for secondary purposes, we will take reasonable steps to ensure you are aware of those purposes.
DIRECT COLLECTION
We may collect personal information where you:
contact us through our website;
receive services from us;
submit any of our online enquiry forms or service applications;
communicate with us via email, telephone, SMS, social applications (such as LinkedIn or Facebook) or otherwise;
interact with our website, social applications, services, content and advertising;
invest in our business or enquire as to a potential purchase in our business; and
provide feedback, complaints or suggestions.
ANONYMITY AND PSEUDONYMITY
You may interact with us anonymously (without providing identifying information) or under a pseudonym in the following circumstances:
making general enquiries about our services;
accessing information on our website;
providing feedback or suggestions;
However, anonymity and pseudonymity are not practicable where:
you are receiving funded services (NDIS, DVA, or other government-funded care);
we need to verify your eligibility or authorisation;
we must comply with regulatory or legal obligations;
we need to coordinate care with other service providers;
payment or billing is involved;
in these circumstances, we will clearly explain why identifying information is required before collection.
COLLECTION FROM THIRD PARTIES
Where practicable, we collect personal information directly from you. However, we may collect information about you from:
your parent or guardian (if you are under 18 years or lack legal capacity);
your nominated representative, support coordinator, or plan manager;
referring healthcare providers;
NDIA assessors or planners;
DVA or DVA-approved assessment agencies;
family members or carers (with appropriate consent); and
other service providers with whom you have authorised information sharing;
When collecting any information from third parties, we will:
take reasonable steps to verify the accuracy of the information;
confirm that the third party has authority to provide that information;
notify you (or your representative) that we have collected information about you from another source; and
comply with the requirements outlined in section 4.5 below if information is collected without your direct knowledge.
PROVIDING INFORMATION FOR SOMEONE ELSE
If you are providing personal or sensitive information on behalf of someone else you must, and you represent to us that you:
have the express consent of that person (or their legal representative) to provide that information;
have authority to represent that person; and
acknowledge that we will collect, use, and disclose that information in accordance with this Privacy Policy.
This clause will apply where you are:
a parent or legal guardian providing information for a child;
an NDIS participant's nominee, support coordinator, or plan manager;
a carer providing information on behalf of a service user; or
an attorney or guardian acting under power of attorney or guardianship;
We reserve the right to request evidence of your consent or authority before proceeding with service delivery.
Where information is provided for a minor (under 18 years), the parent or legal guardian must provide consent. If we determine the minor has capacity to understand privacy matters, we may require direct consent from the minor as well.
UNSOLICITED PERSONAL INFORMATION
We may receive personal information that we did not solicit (e.g., misdirected emails, over-shared documents, information sent without authorisation, incorrect referrals).
When we receive unsolicited information, we will:
assess whether we could have collected the information under APP 3 (Collection of solicited personal information);
if we could collect it lawfully, we may retain it and treat it as solicited; and
if we could not collect it lawfully, or we do not need it, we will:
securely destroy or delete it without unreasonable delay;
de-identify it where retention is necessary for legitimate purposes; and
maintain a record of the unsolicited information and the action taken.
We will not use unsolicited information for purposes beyond what we would have been authorised to collect it for.
WEBSITE AND COOKIES
We may also collect personal information from you when you use or access our website or our social media pages. This may be done through use of web analytics tools, ‘cookies’ or other similar tracking technologies that allow us to track and analyse your website usage. Cookies are small files that store information on your computer, mobile phone or other device and enable and allow the creator of the cookie to identify when you visit different websites. If you do not wish information to be stored as a cookie, you can disable cookies in your web browser.
PRIMARY PURPOSES
We collect and use personal information for the following primary purposes:
to provide goods, services or information to you including:
to assess your eligibility for services;
to plan and deliver services tailored to your needs;
to coordinate with other service providers; and
to monitor service quality and effectiveness;
for record keeping and administrative purposes including:
to comply with legal obligations;
to manage contractual arrangements;
to manage claims and billing; and
to respond to government audits and investigations;
to coordinate care including:
to communicate with healthcare providers, carers, family members, and support networks;
to obtain information necessary to provide appropriate services;
to share information with other service providers for coordinated care; and
to facilitate transitions between services;
for safety and wellbeing, including:
to identify and respond to safety risks;
to respond to mental health or wellbeing concerns;
to provide emergency assistance if required; and
to investigate complaints or incidents;
for government reporting, including:
to provide required reports to NDIA, DVA, or other government agencies;
to respond to freedom of information requests; and
to comply with information-gathering obligations;
for communication, including:
to send you administrative messages, reminders, appointment notifications, updates, security alerts, and other information requested by you;
to respond to your enquiries and requests; and
to notify you of changes to our services or this Privacy Policy;
relating to employment, including:
to consider applications for employment;
to conduct background checks and reference checks; and
to manage personnel and payroll;
for service improvement, including:
to improve and optimise our service offering, customer experience, and website functionality;
to conduct quality reviews and performance analysis;
to develop new services; and
to analyse feedback and complaints; and
for research and evaluation (de-identified), including:
to conduct service evaluation (with consent);
to improve evidence-based practice; and
to contribute to research approved by appropriate ethics committees.
SECONDARY PURPOSES
We may also use your personal information for:
secondary purposes closely related to the primary purpose, in circumstances where you would reasonably expect such use;
such purposes where we reasonably believe that use of your personal information is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety, and it is unreasonable or impracticable to obtain your consent;
any other purpose for which we receive consent from you; or
any other purpose which is permitted or required under applicable privacy laws.
If we intend to use or disclose personal information for a purpose that is not directly related to our primary purpose and that you would not reasonably expect, we will (where practicable):
take reasonable steps to inform you of the new purpose before collection;
obtain your consent before using or disclosing the information for that purpose; and
if you do not consent, use or disclose the information only if permitted by law.
The following secondary purposes are purposes we expect a likelihood of occurring:
de-identified statistical or research purposes;
service improvement and evaluation;
disclosure to peak bodies, industry organisations, or government agencies for regulatory compliance;
historical or archival purposes;
legal proceedings or dispute resolution.
SENSITIVE INFORMATION RESTRICTED USES
Sensitive information is used only for the primary purposes listed below in the clause 8.
We do not use sensitive information for direct marketing or commercial purposes.
We do not use sensitive information to make automated decisions that significantly affect you (such as eligibility decisions) without appropriate human review.
We may disclose your personal information to:
We may also disclose personal information to third party contractors as required for us to provide our goods and services to you, such as cloud-service providers, IT professionals, marketing agencies and debt collection agencies.
We take care to work with such third parties who we believe maintain an acceptable standard of data security and require them not to use your personal information for any purpose except for those activities we have asked them to perform on our behalf. Before we disclose your personal information to any third-party service providers we:
assess their privacy and security practices;
require contractual commitments to handle information securely and confidentially;
limit their access to information only for purposes we have specified;
require them not to use our information for their own purposes; and
ensure they comply with the Privacy Act and applicable privacy legislation.
We may provide personal information to government agencies (NDIA, DVA, and other regulatory bodies) where:
required by legislation;
necessary for funding or service allocation purposes;
required for program evaluation or performance monitoring; and
in response to statutory inquiries or investigations.
We may disclose personal information without your consent:
as needed in an emergency or in investigation suspected criminal activity;
we are required to disclose under a subpoena, court order or other mandatory reporting requirements;
we reasonably believe that disclosure of your information is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety, and it is unreasonable or impracticable to obtain your consent;
it is reasonably necessary for the establishment, exercise or defence of a legal claim; or
it is otherwise authorised or required by law.
We do not sell, lease, or trade personal information to third parties or provide personal information to marketing companies, data brokers, or advertising networks.
Disclosures are made only where necessary for service delivery, legal compliance or with your express consent.
STORAGE
All personal information we collect is stored on servers located in Australia.
Where cloud service providers operate overseas disaster recovery sites, we have contractual safeguards to:
protect information stored in overseas systems;
ensure overseas storage complies with Australian privacy law;
limit access to authorised personnel only; and
maintain encryption and security standards.
SECURITY
We implement comprehensive security measures to protect personal information from:
unauthorised access;
misuse or interference;
loss or theft;
unauthorised modification or disclosure; or
damage.
DATA RETENTION
We retain personal information only for as long as it is needed for the purposes for which it was collected or as required by law, as follows:
health information:
a minimum of 7 years from the date of the last service provision;
longer periods for children (until age 25); and
extended periods for matters with ongoing legal implications;
NDIS-related information:
as specified by NDIA and in accordance with NDIS legislation; or
the minimum period determined by funding agreements;
VHC program information:
as specified by DVA and in accordance with Veterans legislation; or
the minimum period as defined in VHC contracts and agreements;
financial records:
a minimum of 7 years; or
longer for superannuation or tax-related matters;
employment records:
a minimum of 7 years after employment ceases; or
longer where legal claims exist;
complaint and incident records:
a minimum of 7 years; or
permanently for serious incidents;
website and analytics data:
typically 12-24 months unless longer retention is required;
after the retention period expires, we will:
securely destroy or permanently delete the information;
de-identify the information where it will be retained for research or statistical purposes; and
maintain a record of destruction including what was destroyed and when.
DESTRUCTION AND DE-IDENTIFICATION
We implement secure destruction procedures for personal information that is no longer required including:
for paper records:
shredding or incineration;
secure disposal contractors; and
documented destruction records; and
for electronic records:
permanent deletion with forensic verification;
secure disposal of hardware;
data wiping to industry standards; and
destruction certification.
We recognise that health information, including disability information, mental health information, and information about medical conditions, is sensitive information under the Privacy Act and requires special protection.
COLLECTION OF SENSITIVE INFORMATION
We may collect sensitive information about you during the course of providing you our goods and services. We will only collect this sensitive information where you consent to such collection and either directly provide us with this information or it is provided by a referring health care provider.
We collect sensitive information either directly from you or from authorised referral sources (such as health professionals, NDIS coordinators, or DVA-approved assessors) with your consent;
We will not collect sensitive information from third parties without obtaining your consent first, except where required by law;
We maintain records of all consents to collect, use, and disclose sensitive information;
You may withdraw your consent to collection of sensitive information at any time by notifying us in writing;
If we receive sensitive information that we did not solicit, we will assess whether we could have lawfully collected it. If not, we will securely destroy it without unreasonable delay, unless retention is necessary for health and safety reasons.
TYPES OF SENSITIVE INFORMATION WE COLLECT
The sensitive information we collect may include the following:
health information including diagnoses, medical history, treatment records, hospitalisation details, disability assessments, mental health information, medication histories, and health reports;
referring health care provider and associated referral documents;
your NDIS or DVA participant details, plan goals and management of funding for goods and services;
private health fund and private health insurance cover details;
genetic information or biometric information (if applicable to your care needs);
information about alleged, suspected, or actual criminal activity (if relevant to your safety or service provision);
information relating to your sexual orientation, gender identity, or other sensitive personal characteristics (if relevant to ensuring culturally appropriate service delivery);
Medicare number, healthcare identifiers or concession card or other entitlement details; and
any other sensitive information provided by you or a third party to us via our website or platforms, or otherwise provided by you or a third party to us.
HOW WE USE YOUR SENSITIVE INFORMATION
Your sensitive information will only be used for our primary purposes listed in this privacy policy or for the purpose of:
providing you with our goods and services;
complying with our legal obligations, resolving disputes or enforcing our agreements with you;
sending you messages, reminders, notices, updates, security alerts, and other information requested by you; or
any other purpose which is permitted or required under applicable privacy laws.
HOW WE DISCLOSE YOUR SENSITIVE INFORMATION
Your sensitive information will only be disclosed for or to:
other healthcare providers involved in your care (with your consent);
NDIA or DVA for assessment or reporting purposes;
professional advisers (lawyers, accountants, auditors) on a need-to-know basis;
our related entities or associated organisations;
third-party service providers contractually bound to maintain confidentiality;
where required or authorised by law; and
where you have specifically consented.
We do not disclose sensitive information to marketing third parties or for commercial purposes.
If disclosure is necessary for health and safety reasons (e.g., to prevent serious harm), we may disclose without your consent but will document and notify you where reasonable.
All staff handling sensitive information must acknowledge their obligations under this Privacy Policy and the Privacy Act.
We take reasonable steps to ensure that personal information we hold is:
accurate, complete, and current;
relevant to our functions and activities;
not misleading;
up-to-date where necessary for our purposes.
We regularly review and update personal information in our possession.
We take reasonable steps to correct information that we become aware is inaccurate.
Where we receive updated information from you, other service providers, or government agencies, we will promptly update our records.
You are responsible for ensuring that information you provide to us is accurate and complete.
If you believe we hold inaccurate, incomplete, or misleading information about you, you should notify us immediately and we will investigate your concerns and take corrective action where appropriate.
RIGHT TO ACCESS
You have the right to request access to personal information we hold about you.
To request access, please contact us using the details provided in the Contact Us section, including:
your name and contact details;
a description of the information you are seeking; and
the purpose for which you are requesting access.
We may require you to:
complete an access request form;
verify your identity before providing access; and/or
pay a reasonable administrative fee.
We will respond to your access request within a reasonable timeframe (generally 30 days, or as required by law).
We will provide information in the form you request (electronic or hard copy) where practicable.
We will provide reasons in writing if we refuse access, including information about our complaint process.
LIMITATIONS ON ACCESS
We may refuse access where:
providing access would pose a serious threat to the life, health, or safety of any individual;
providing access would have an unreasonable impact on the privacy of other individuals;
the request is frivolous or vexatious;
the information is subject to legal professional privilege;
disclosure would breach a court order or injunction;
the information relates to ongoing legal proceedings and would not be accessible through normal legal discovery; or
disclosure would reveal investigative techniques or methods.
We will provide written reasons and complaint information if access is refused.
RIGHT TO CORRECTION
You have the right to request that we correct personal information that is inaccurate, incomplete, or misleading.
To request correction, please contact us with:
your name and contact details;
description of the information you believe is inaccurate;
the correction or updated information; and
reasons why you believe the information requires correction.
We will take reasonable steps to correct information within a reasonable timeframe (generally 30 days).
We will notify you when information has been corrected.
If we do not make the requested correction, we will provide written reasons.
RIGHT TO REQUEST ALTERNATIVE FORM OF ACCESS
You may request information be provided in alternative formats (large print, audio, electronic, etc.).
We will accommodate reasonable requests where practicable.
We may charge a reasonable fee for providing information in alternative formats.
REPRESENTATIVES
You may authorise a representative (family member, carer, advocate, lawyer) to request access to your information.
We may require written evidence of the representative's authority.
We will verify the representative's authority before providing information.
Where we de-identify information (by removing personal identifiers so that the person cannot be re-identified), we may:
process and analyse the information for statistical purposes;
use the information for research, service evaluation, and service improvement;
share the information with third parties for these purposes;
retain the information indefinitely; and
create aggregate reports and insights.
We will not seek to re-identify de-identified information without explicit consent.
We may release de-identified written documentation, case studies, or statistical reports, including:
with your consent where appropriate;
in fully de-identified form where you cannot be identified;
in aggregate form where individual identities are not apparent.
Any de-identified information will be kept separate from identified personal information to prevent re-identification.
DEFINITION OF AN ELIGIBLE DATA BREACH
An eligible data breach occurs when there is an unauthorised disclosure or loss of personal information where it is likely that serious harm could result to any individual.
OUR DATA BREACH RESPONSE
We will implement procedures to:
detect data breaches as soon as possible;
assess whether a breach is an eligible data breach;
notify affected individuals and the Privacy Commissioner immediately (without unreasonable delay); and
take immediate steps to contain and remediate the breach;
Our Eligible Data Breach Management Plan sets out our procedures in detail.
WHAT WE WILL DO IF A DATA BREACH OCCURS
Where an eligible data breach occurs, we will:
immediately secure all systems and prevent further unauthorised access;
conduct a forensic investigation to determine:
what information was accessed or lost;
how the breach occurred;
who may have been affected; and
the likelihood of serious harm;
notify affected individuals promptly:
by letter, email, or phone;
in clear language explaining what happened;
the information that was affected;
steps they should take; and
our contact information;
notify the Privacy Commissioner:
within 30 days of discovering the breach (if it is an eligible data breach); and
provide details of the breach and steps taken; and
conduct remediation including:
resetting passwords and access credentials;
offering identity monitoring services if appropriate;
reviewing and strengthening security measures; and
implementing improvements to prevent recurrence.
BREACH NOTIFICATION CONTENT
All breach notifications will include:
a description of what happened;
the date of the breach;
the information affected;
the steps the individual should take;
our contact information; and
information about complaints.
We will not delay notification to verify or investigate matters unless it is essential to do so.
RECORD OF BREACHES
We maintain a register of all data breaches (eligible and non-eligible).
The register documents include:
date of breach;
description of breach;
information affected;
number of individuals affected;
response steps taken; and
the outcome.
We may send you marketing communications and promotional materials to inform you about our services, events, and special offers.
COMPLIANCE WITH THE SPAM ACT
We comply with the Spam Act 2003 (Cth) in all marketing communications.
We will only send marketing communications via email, SMS, social media, phone, or mail where:
you have explicitly opted-in to receiving marketing communications;
you have given us consent when you initially signed up;
you did not opt-out when given the option; and
it is a subsequent communication to an existing customer.
We will not send marketing to individuals who have opted out.
All email marketing messages will include clear information about how to unsubscribe.
OPTING OUT OF MARKETING:
You can opt out of receiving marketing communications at any time:
by clicking the unsubscribe link in email messages;
by replying to SMS messages with "STOP";
by adjusting settings on our social media pages; or
by contacting us directly (see Contact Us section).
We will process unsubscribe requests as soon as possible, though there may be a brief delay as we update our systems.
Opting out of marketing does not affect our ability to send you administrative or transactional messages.
MARKETING TO VULNERABLE PEOPLE.
We take care not to engage in marketing or promotions that target vulnerable people or that could be misleading.
We do not engage in aggressive or deceptive marketing practices.
Any marketing materials will clearly identify them as such and include our contact information.
EXTERNAL LINKS
Our website may contain links to external websites and social media platforms.
We are not responsible for the privacy practices of linked websites.
When you follow external links, you leave our website and enter another organisation's privacy environment.
We recommend you review the privacy policies of external websites before providing information.
Links do not constitute endorsement of those websites or their privacy practices.
SOCIAL MEDIA
We maintain profiles on social media platforms (Facebook, LinkedIn, etc.).
When you interact with us through social media:
the social media provider's privacy policy applies in addition to this policy; and
the social media provider collects information about your interactions. We have limited control over what information the provider collects and retains.
We will not collect personal information from social media profiles except where you have made that information publicly available and you interact with our profile.
We recommend adjusting your social media privacy settings to control what information is visible.
MAKING A COMPLAINT.
If you have a concern about how we handle your personal information or believe we have breached the Privacy Act or an Australian Privacy Principle, you may lodge a complaint.
To lodge a complaint, please contact us using the details in the Contact Us section, including:
your name and contact details;
a description of the complaint;
the date the issue arose;
steps you have taken to resolve the issue; and
relevant supporting documents.
We will acknowledge receipt of your complaint within 2 business days.
OUR COMPLAINT PROCESS
We will investigate your complaint promptly and in a fair and impartial manner.
We will provide you with a response within 30 days of receiving your complaint.
If we cannot resolve the complaint within 30 days, we will notify you and provide a timeframe for resolution.
We will keep you informed of the progress.
Our response will include:
our findings;
actions we are taking;
reasons for our response; and
your rights to escalate the complaint.
We will not take adverse action or discriminate against you for lodging a complaint.
ESCALATION TO PRIVACY COMMISSIONER.
If you are not satisfied with our response, you may complain to the Office of the Australian Information Commissioner (OAIC) via the following details:
Office of the Australian Information Commissioner Phone: 1300 363 992
Email: enquiries@oaic.gov.au Website: www.oaic.gov.au
Mail: GPO Box 5218, Sydney NSW 2001
The OAIC will assess your complaint and may investigate our privacy practices.
The OAIC can compel us to take remedial action if they find we have breached privacy law.
COMPLAINT RECORD
We maintain a record of all privacy complaints, including:
date received;
nature of complaint;
investigation findings;
response provided; and
time taken to resolve.
We use complaints to identify systemic privacy issues and improve our practices.
INFORMATION ABOUT CHILDREN
We may collect personal information about children (under 18 years) where we provide services to them.
Before collecting sensitive information about a child, we obtain consent from:
The parent or legal guardian; and
The child (if they have demonstrated capacity).
We take age-appropriate steps to explain our privacy practices to children.
We do not engage in direct marketing to children.
CAPACITY AND CONSENT.
We assess whether a child has capacity to understand privacy and consent to collection.
Where a child has capacity, we may accept their consent in addition to parental consent.
Where a child lacks capacity, we rely on parental or guardian consent.
For further information about our privacy policy or practices, or to access or correct your personal information, or make a complaint, please contact us using the details set out below:
Our privacy policy was last updated on 5 December 2025