Information Management Policy

Version 1.0 - Revised April 2026

Related NDIS Practice Standard Indicators

NDIS-CORE-2.4 - Information Management

1. Purpose

This policy describes how [Organisation Name] collects, stores, uses, discloses, and disposes of information about participants, workers, and the organisation. It supports NDIS Practice Standard 2.4 and the Privacy Act 1988 (Cth), including the automated-decision-making transparency amendments (APPs 1.7 and 1.8) that commence in December 2026.

2. Scope

Applies to all paper and digital records, all systems used by [Organisation Name], and all workers.

3. Principles

  • Information is collected only when needed for a defined purpose
  • The minimum information needed is collected
  • Information is accurate, up-to-date, and complete
  • Information is stored securely with access restricted to those who need it
  • Information is disclosed only with consent or as required by law
  • Information is disposed of securely once no longer needed

4. Practices

4.1 Collection and Consent

  • Participants are told why information is collected and how it will be used
  • Consent is documented for all collection of personal or sensitive information
  • The participant may withdraw consent at any time, with consequences for service delivery explained

4.2 Storage and Access

  • Paper records are stored in locked cabinets
  • Digital records are stored in systems with role-based access and audit logging
  • Workers access only records relevant to their role

4.3 Automated Decision-Making

  • Where a computer program makes, or substantially contributes to, a decision that could reasonably be expected to significantly affect a participant's rights, interests, or services, the organisation states in its APP privacy policy the kinds of decisions involved and the kinds of personal information used, in line with Privacy Act APP 1.7
  • The participant may request a human review of an automated decision

4.4 Disclosure

  • Information is shared with third parties only with the participant's consent or as required by law
  • A register of disclosures is maintained

4.5 Retention and Disposal

  • Records are retained for the period required by NDIS rules, taxation law, and other applicable legislation
  • Once the retention period has expired, records are securely destroyed (cross-cut shredding for paper; verified deletion for digital records, including backup copies and copies held by service providers)

5. Breach Response

  • Suspected breaches are reported to the [Privacy Officer] within 24 hours of discovery
  • Where a suspected breach may be an eligible data breach under the Notifiable Data Breaches scheme, it is assessed within the 30-day statutory window; confirmed eligible data breaches are notified to affected individuals and the OAIC as soon as practicable

6. Related Policies

  • Privacy and Dignity Policy
  • Information Security Policy
  • Incident Management Policy

7. Review

Reviewed annually or when Privacy Act or NDIS information obligations change.


This template is provided by GuardRail as general guidance only. Organisations should customise it and have it reviewed by a legal professional before adoption.