Privacy Policy

1. About this Privacy Policy

    1. This Privacy Policy describes how Cared Australia Pty Ltd manages personal information about Participants, NDIS Intermediaries, NDIS Intermediary Employees, and Service Providers, and how their data is processed by or on their behalf using Cared Connector (whether or not they are Cared Connector users). It describes how we collect, hold, disclose, and otherwise process personal information and the steps that we take to protect such personal information.
    2. We are committed to complying with our privacy obligations in accordance with all applicable data protection laws, including the Australian Privacy Principles contained in Schedule 1 to the Privacy Act 1988 (Cth).
    3. If we decide to change this Privacy Policy, we will post the updated version on this webpage. Our policy is to be transparent about our privacy practices.

2. Cared Connector and our online Tools

    1. Cared Australia owns and operates a platform called ‘Cared Connector’ that enables NDIS Intermediaries and NDIS Intermediary Employees to procure NDIS Services from Service Providers on behalf of Participants and for NDIS Intermediaries and NDIS Intermediary Employees to manage Participants’ NDIS Funding, care and treatment plans, health documentation and NDIS activities and appointments. Participants can approve the payment of invoices by NDIS Intermediaries and NDIS Intermediary Employees to Service Providers via the platform.
    2. Cared Australia makes free tools available to users of the Cared Website, namely the Cared MyPlan Assistance, the Cared Search Service Providers, Cared NDIS Price Guide, the Cared MyPlan Explainer, and the Cared MyPlan Parser. These tools are available to all persons who browse our website. The tools (among other things) help users identify what support NDIS may be able to provide participants, assist with searching and booking appointments with service providers, provide a price list for specific NDIS services, and explain NDIS plans and NDIS budgets. Such functionality is dependent on the information that a user uploads and/or enters into the relevant tool. We will collect all such personal information uploaded and/or entered into all our online tools.

3. NDIS Intermediary responsibility for Participant privacy

    1. NDIS Intermediaries and their NDIS Intermediary Employees are required to comply with all applicable privacy laws.
    2. We rely on them to obtain all relevant privacy consents and authorizations from Participants required by law, in order for the personal information about them that is entered into Cared Connector to be collected, disclosed and otherwise processed by us.
    3. We rely on NDIS Intermediaries and their NDIS Intermediary Employees to ensure that all personal information of the Participants by whom they are engaged, that is held by us, is accurate, up to date, complete, relevant, and not misleading.
    4. We encourage NDIS Intermediaries and their NDIS Intermediary Employees to ensure that their Participants are familiar with their privacy policies so that their Participants understand how they will collect, use and otherwise process personal information about them, via Cared Connector or otherwise.

4. The types of personal information we collect and hold about individuals

  1. Cared Connector can be used to manage the following types of personal information:
    1. Content entered into Cared Connector about Participants: All information, including personal information, that is entered into Cared Connector is stored in systems managed by us on behalf of NDIS Intermediaries. The types of personal information collected may include health information such as the details of disabilities, illnesses, medical records, clinical treatments undertaken, names, dates of birth, contact details, gender, next of kin, NDIS Funding details, NDIS Number, email address, address, nominee details, bank account details, NDIS Service details and invoices, healthcare documentation and activities (such as appointments and treatment plans) as well as any other personal information entered into Cared Connector by, about or on behalf of a Participant.
    2. Information about NDIS Intermediary Employees: We collect personal information of NDIS Intermediary Employees when an NDIS Intermediary creates an account on the NDIS Intermediary Employee’s behalf or where the account is created by an NDIS Intermediary Employee. Such information includes names, contact information, gender, email address, residential address and language preference.
    3. Information about Service Providers: We collect information about Service Providers when we create a profile and list the Service Provider on Cared Connector on their behalf. Such information includes names, contact information, gender, email address, residential address, language preference, NDIS healthcare provider licence numbers, their NDIS Service details and any other information that is uploaded, entered into and/or stored on Cared Connector about Service Providers.
    4. Information entered and/or uploaded into any of our online tools: All information, including personal information, that is entered and/or uploaded into our online tools described in paragraph 2, is stored in systems managed by us. The types of personal information collected may include health information such as the type of disability a person has, the healthcare services that they require, NDIS funding allocation, NDIS number, any healthcare information contained within any NDIS Plans including family information, as well as any other personal information entered into by any person into any of our online tools.
    5. Information required for the support, maintenance and security of Cared Connector: In order to support and maintain Cared Connector for individuals, we collect and process user information including IP addresses, email addresses, user access logs, usernames, passwords, information included by NDIS Intermediaries and their NDIS Intermediary Employees in technical support tickets and error messages.

5. How we collect personal information

    1. We collect information about NDIS Intermediaries and their NDIS Intermediary Employees when they voluntarily disclose it to us or when we collect it about them when they use Cared Connector.
    2. After NDIS Intermediaries and their NDIS Intermediary Employees enter into a contract with us for their use of Cared Connector, we collect personal information about them in one or more of the following ways:
      • when personal information is entered into Cared Connector when they create an account or otherwise enter their personal information into Cared Connector;
      • when it is voluntarily disclosed to us (such as via telephone, e-mail and online forms).
    3. We collect personal information about Participants in one or more of the following ways:
      • when personal information is entered into Cared Connector by NDIS Intermediaries or their NDIS Intermediary Employees;
      • when a Participant approves an invoice using functionality provided by Cared Connector;
      • when we access an invoice stored in Cared Connector issued by a Service Provider, in order for us to calculate the amount of any referral fees owing to us by the Service Provider.
    4. We also collect personal information about people whose personal information is uploaded into our online tools by third parties.

6. How we use personal information

    1. Information about how we use personal information about Participants, Service Providers, NDIS Intermediaries, and their NDIS Intermediary Employees is set out in the following table:
      Category: Personal information about Participants who have profiles on Cared Connector

      How we use and process that personal information:
      • To provide functionality in Cared Connector that allows an NDIS Intermediary or NDIS Intermediary Employee to coordinate and manage a Participant’s NDIS Funding, NDIS healthcare activities and NDIS Services.
      • To provide functionality in Cared Connector that allows Participants to approve invoices payable to Service Providers.
      • To request a referral fee from a Service Provider, we may access personal information of Participants referred to in an invoice stored in Cared Connector issued by a Service Provider, in order for us to calculate the amount of any referral fees owing to us by the Service Provider and generate an invoice for the referral fee.
      • We store Participant personal information in databases and systems in our hosting environments at third party data centres.
      • To provide technical support services to NDIS Intermediaries and their NDIS Intermediary Employees that require us to view and/or update Participant data held in Cared Connector.
      • Backing up and restoring data that includes Participant personal information.
      • To carry out security audits, investigate security incidents and implement security processes and procedures that require access to Participant personal information.
      • To disclose it where required if a permitted health situation exists under the Privacy Act 1988 (Cth) for the purposes permitted by that legislation.
      • To handle complaints.

      Our reason for collecting the personal information:
      • Performance of our contractual obligations with an NDIS Intermediary and their NDIS Intermediary Employees.
      • Necessary for our legitimate interests (in order to operate our business including to allow NDIS Intermediaries and their NDIS Intermediary Employees to operate our platform, and to enable us to operate our IT systems and networks, manage our hosting environments and ensure the successful delivery of our services).
      • To comply with our legal and statutory obligations.

      Category: Personal information about NDIS Intermediaries and NDIS Intermediary Employees who have accounts on Cared Connector

      How we use and process that personal information:
      • To set up, configure, host or procure the hosting of an account on Cared Connector on behalf of an NDIS Intermediary and/or their NDIS Intermediary Employees.
      • To communicate with NDIS Intermediaries about their current and prospective use of Cared Connector, including with respect to their NDIS Intermediary Employees’ current and anticipated usage of the platform, and to discuss and implement an NDIS Intermediary’s software development requirement.
      • To request a referral fee from a Service Provider, we may access an invoice stored in Cared Connector issued by a Service Provider that includes personal information of an NDIS Intermediary or their NDIS Intermediary Employees, in order for us to calculate the amount of any referral fees owing to us by the Service Provider and generate an invoice for the referral fee.
      • To provide NDIS Intermediaries and their NDIS Intermediary Employees with technical support and maintenance services including by responding to help desk tickets, scheduling upgrades and enhancing Cared Connector.
      • To provide professional services to NDIS Intermediaries and NDIS Intermediary Employees (including training and other services).
      • To send out billing information and notices to NDIS Intermediaries and process payments from them.
      • To discuss our security requirements.
      • To provide NDIS Intermediaries with information about promotional offers and new products and solutions that we make available.
      • In order to identify NDIS Intermediaries and NDIS Intermediary Employees when contacted with technical support questions.
      • To administer our contractual relationships with NDIS Intermediaries (and to enforce our contractual rights and their contractual obligations).
      • To handle complaints.

      Our reason for collecting the personal information:
      • Necessary for our legitimate interests (in order to operate and grow our business).
      • Performance and enforcement of contracts with NDIS Intermediaries and their NDIS Intermediary Employees.
      • Compliance with our legal obligations.

      Category: Service Providers

      How we use and process that personal information:
      • In order to process an application by a Service Provider to be listed on Cared Connector.
      • When publishing the listing on Cared Connector.
      • We use personal information of service providers to issue invoices to them for referral fees payable by them to us with respect to NDIS Services provided by them to Participants and to send out billing information and notices to them and process associated payments.
      • To handle complaints.

      Our reason for collecting the personal information:
      • Necessary for our legitimate interests (in order to operate and grow our business).
      • Performance and enforcement of contracts with Service Providers.
      • Compliance with our legal obligations.

      Category: Users of our free online tools referred to in clause 2.2 of this Privacy Policy

      How we use and process that personal information:
      • To provide the functionality of the relevant online tool.
      • To provide users with information about promotional offers and new products and solutions that we make available.
      • To handle complaints.

      Our reason for collecting the personal information:
      • Necessary for our legitimate interests (in order to operate and grow our business).
      • Compliance with our legal obligations.

7. Analytics data

    1. We also collect information about Cared Connector users known as analytics data such as user location, information about devices accessing the platform, the amount of time a user spends on the platform and in which parts of it, and the path navigated through it. However, all such information is de-identified data and not collected in a form that could reasonably be expected to identify an individual. In any event, we only use analytics data for the following purposes:
      1. to help us review, enhance, and improve Cared Connector (for statistical or research purposes); and
      2. to develop case studies and marketing material without identifying any individual.

8. How we hold and secure personal information

    1. We hold and store the personal information that we collect in our offices, computer systems, and third party owned and operated hosting facilities. In particular:
      1. we engage hosting facilities operated by reputable hosting providers;
      2. personal information that is provided to us via email is held on our servers or those of our cloud-based email providers;
      3. we use third-party-owned, cloud-based customer relationship management (CRM) and marketing platform providers to hold personal information about current and prospective NDIS Intermediaries who might subscribe to Cared Connector;
      4. personal information is held on computers and other electronic devices in our offices and at the premises of our personnel; and
      5. we hold personal information that is provided to us in hard copy in files and folders in secure locations.
    2. We take reasonable steps to protect the personal information that we hold using such security safeguards as are reasonable in the circumstances to take against loss, unauthorized access, modification and disclosure, and other misuse and to implement technical and organizational measures to ensure a level of protection appropriate to the risk of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal information transmitted, stored or otherwise processed by us.
    3. For example, we:
      1. only use reputable hosting providers to host personal information;
      2. implement passwords and access control procedures into our computer systems;
      3. perform security testing and maintain other electronic (e-security) measures for the purposes of securing personal information, such as passwords, anti-virus management, and firewalls;
      4. maintain physical security measures in our buildings and offices such as door and window locks and visitor access management, cabinet locks, surveillance systems, and alarms to ensure the security of information systems (electronic or otherwise);
      5. require all of our employees, agents, and contractors to comply with privacy and confidentiality provisions in their employment contracts and subcontractor agreements that we enter into with them;
      6. have a Data Breach Response Plan in place; and
      7. have data backup, archiving, and disaster recovery processes in place.

9. Disclosure of personal information

    1. We only disclose Participant, Service Provider, NDIS Intermediary, and NDIS Intermediary Employee personal information that we collect as follows:
      1. in order to host databases that are integrated into Cared Connector, we engage reputable hosting providers who host those databases on our behalf;
      2. when performing contracts, we may outsource certain obligations to third party contractors in accordance with our contractual rights (such as hosting, software development, and other professional services). Professional services carried out by them may require access to an individual’s personal information. We ensure that all staff and contractors are aware of their information security responsibilities, are appropriately trained to meet those responsibilities and have entered into agreements which require them to comply with privacy and confidentiality obligations that apply to personal information that we provide to them;
      3. we disclose Service Provider information held in Service Provider listings on Cared Connector by publishing those listings on Cared Connector for any user to view;
      4. to request a referral fee from a Service Provider, we may access personal information of Participants, NDIS Intermediaries and their NDIS Intermediary Employees referred to in an invoice stored in Cared Connector issued by a Service Provider, in order for us to calculate the amount of any referral fees owing to us by the Service Provider and generate an invoice for the referral fee;
      5. when providing information to our legal, accounting or financial advisors/representatives or insurers, or to our debt collectors for debt collection purposes or when we need to obtain their advice, or where we require their representation in relation to a legal dispute;
      6. where a person provides written consent to the disclosure of their personal information;
      7. where it is brought to our attention that specific personal information needs to be disclosed to protect the safety or vital interests of any person;
      8. to avoid prejudice to the maintenance of the law by any public sector agency, including the prevention, detection, investigation, prosecution, and punishment of offences;
      9. for the enforcement of a law imposing a pecuniary penalty;
      10. for the protection of public revenue;
      11. for the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation); or
      12. where required by law.
    2. NDIS Intermediaries and their NDIS Intermediary Employees who use Cared Connector and disclose personal information about Participants to third parties are expected to only do so where permissible under applicable law.

10. Health Privacy Principles – NSW Health Records and Information Privacy Act

    1. We comply with the Health Privacy Principles set out in the NSW Health Records and Information Privacy Act 2002 (NSW) (HRAIPA) as follows:
      HPP 1: Lawful
      Health Privacy Principle: An agency or organization can only collect your health information for a lawful purpose. It must also be directly related to the agency’s or organization’s activities and necessary for that purpose.
      How we comply with the HRAIPA: We only collect participant personal information entered into Cared Connector by NDIS Intermediaries and their NDIS Intermediary Employees so that they can coordinate and manage a Participant’s NDIS Funding, NDIS healthcare activities, and NDIS Services using Cared Connector.
      We only collect personal information about people that is entered into our free tools referred to in clause 2.2 to provide the functionality of the relevant online tool, to provide users with information about promotional offers and new products and solutions that we make available, and to handle complaints.
      Our policy is to minimize the amount of personal information we collect and otherwise process. Accordingly, we only collect personal information that is adequate, relevant, and limited to what is necessary for the purpose for which it is to be processed and only where we are entitled by law to collect it. We may also use collected personal information for other related, directly related, or compatible lawful purposes (if and where permitted by applicable law).

      HPP 2: Relevant
      Health Privacy Principle: An agency or organization must ensure that your health information is relevant, accurate, up-to-date, and not excessive. The collection should not unreasonably intrude into your personal affairs.
      How we comply with the HRAIPA: Personal information collected on Cared Connector or our website may include personal information such as names and addresses and health information such as disability records and other health information. We only collect that information to the extent it is entered into Cared Connector or our website by NDIS Intermediaries and their NDIS Intermediary Employees.

      HPP 3: Direct
      Health Privacy Principle: An agency or organization must collect your health information directly from you unless it is unreasonable or impracticable to do so.
      How we comply with the HRAIPA: Health information about Participants is collected directly from NDIS Intermediaries and their NDIS Intermediary Employees who upload and/or enter such health information onto Cared Connector. We require NDIS Intermediaries and their NDIS Intermediary Employees to obtain each applicable Participant’s consent to our collection of the information.
      We require users of our free tools to obtain the consent of any person whose personal information, health information, or sensitive information they upload to our Website.

      HPP 4: Open
      Health Privacy Principle: An agency or organization must inform you of why your health information is being collected, what will be done with it and who else might access it. You must also be told how you can access and correct your health information, and any consequences if you decide not to provide it.
      How we comply with the HRAIPA: In this Privacy Policy, we have addressed why participant health information is collected, what will be done with it and who else might access it. In this Privacy Policy, we also describe how you can access and correct your health information, and any consequences if you decide not to provide it.

      HPP 5: Secure
      Health Privacy Principle: An agency or organization must store your personal information securely, keep it no longer than necessary and dispose of it appropriately. It should also be protected from unauthorized access, use, or disclosure.
      How we comply with the HRAIPA: Please see the section on “How we hold and secure personal information” for an overview of the organizational and security measures that we put in place in this Privacy Policy.

      HPP 6: Transparent
      Health Privacy Principle: An agency or organization must provide you with details regarding the health information they are storing, why they are storing it, and what rights you have to access it.
      How we comply with the HRAIPA: Please see “How we use personal information” above for details on how we use and process personal information and our reasons for collecting personal information.

      HPP 7: Accessible
      Health Privacy Principle: An agency or organization must allow you to access your health information without unreasonable delay or expense.
      How we comply with the HRAIPA: Please see “How to access and correct personal information held by us” below for an overview of how you may access and/or change your personal information.

      HPP 8: Correct
      Health Privacy Principle: Allow a person to update, correct, or amend their personal information where necessary.
      How we comply with the HRAIPA: Please see “How to access and correct personal information held by us” below for an overview of how you may correct your personal information.

      HPP 9: Accurate
      Health Privacy Principle: Ensure that health information is relevant and accurate before being used.
      How we comply with the HRAIPA: Please see “How to access and correct personal information held by us” below for an overview of how you may correct your personal information.

      HPP 10: Limited Use
      Health Privacy Principle: An agency or organization can only use your health information for the purpose for which it was collected or a directly related purpose that you would expect (unless one of the exemptions in HPP 10 applies). Otherwise, separate consent is required.
      How we comply with the HRAIPA: Once the personal information and health information of a Participant is collected, it can be used by NDIS Intermediaries and NDIS Intermediary Employees on Cared Connector who uploaded it onto Cared Connector. NDIS Intermediaries may access it on Cared Connector when their NDIS Intermediary Employees have uploaded it onto Cared Connector. Details about who Participant’s health information are described above in this Privacy Policy. In certain circumstances, we may also disclose personal information and health information where required to comply with applicable law, including where a permitted health situation exists under the Privacy Act 1988 (Cth) but only for the purposes permitted by that legislation. Please see “How we use your personal information” above for more information.
      We only collect personal information about people that is entered into our free tools referred to in clause 2.2 to provide the functionality of the relevant online tool, to provide users with information about promotional offers and new products and solutions that we make available, and to handle complaints.

      HPP 11: Limited Disclosure
      Health Privacy Principle: An agency or organization can only disclose your health information for the purpose for which it was collected or a directly related purpose that you would expect (unless one of the exemptions in HPP 11 applies). Otherwise, separate consent is required.
      How we comply with the HRAIPA: Please see “Disclosure of personal information” for information on who we disclose personal information to. In certain circumstances, we may also disclose personal information and health information where required to comply with applicable law, including where a permitted health situation exists under the Privacy Act 1988 (Cth) but only for the purposes permitted by that legislation.

      HPP 12: Not identified
      Health Privacy Principle: An agency or organization can only give you an identification number if it is reasonably necessary to carry out their functions efficiently.
      How we comply with the HRAIPA: We do not issue identification numbers to users of Cared Connector or our Website.

      HPP 13: Anonymous
      Health Privacy Principle: Give the person the option of receiving services from you anonymously, where this is lawful and practicable.
      How we comply with the HRAIPA: It is not practicable for any person to operate Cared Connector anonymously.
      Our free tools on our Website can be operated anonymously and without identifying the person whose information has been entered into them.

      HPP 14: Controlled
      Health Privacy Principle: Only transfer health information outside New South Wales in accordance with HPP 14.
      How we comply with the HRAIPA: All information will be stored within Australia. If you are a user of Cared Connector you consent to us storing your health information in any data center in Australia at which we locate our computer servers.
      We require users of our free tools to obtain the consent of any person whose personal information, health information, or sensitive information they upload into our Website, to our storage of their personal information, health information, or sensitive information in any data center in Australia at which we locate our computer servers.

      HPP 15: Authorized
      Health Privacy Principle: Only use health records linkage systems if the person has provided or expressed their consent or such use or disclosure is reasonably necessary for research in the public interest.
      How we comply with the HRAIPA: We do not use any linkage system in connection with Cared Connector.

11. Third party websites

    1. Cared Connector and our Website may include links to third-party websites. Our linking to those websites does not mean that we endorse or recommend them. We do not warrant or represent that any third party website operator complies with applicable data protection laws. You should consider the privacy policies of any relevant third-party website prior to sending personal information to them.

12. Interacting with us without disclosing personal information

    1. NDIS Intermediaries, NDIS Intermediary Employees, and Participants cannot use Cared Connector on an anonymous basis. Service Providers cannot have Listings on Cared Connector on an anonymous basis. Our free tools can be used anonymously.
    2. Any person has the option of not identifying themselves or using a pseudonym when contacting us to enquire about our services.

13. Offshore disclosure

    1. All personal information that we collect is held in Australia.

14. How to access and correct personal information held by us

    1. Participants who wish to access and correct the personal information held by them on Cared Connector or our Website should contact the NDIS Intermediary or NDIS Intermediary Employee who created their profile on Cared Connector, or who uploaded their personal information in the first instance.
    2. NDIS Intermediaries and their NDIS Intermediary Employees who have accounts on Cared Connector can access and correct personal information contained in their account, or delete their accounts, at any time, by logging into their accounts where such functionality is available or by contacting the NDIS Intermediary and their NDIS Intermediary Employees who provided them with access to Cared Connector. Once an account is deleted, we may still be required to retain the data in accordance with our contract with the NDIS Intermediary and their NDIS Intermediary Employees or by law.
    3. A Service Provider who wishes to access and correct the personal information held by them on Cared Connector should contact us.
    4. If we are contacted by any person who represents to us that they are a Participant, Service Provider, NDIS Intermediary, or NDIS Intermediary Employee, for security purposes, we will only discuss the personal information that we hold about them with them if they identify themselves accurately and truthfully.
    5. We will handle all requests for access to personal information in accordance with our statutory obligations. We may require payment of a reasonable fee by any person who requires access to their personal information that we hold, except where such a fee would be contrary to applicable law.

15. Our contact details

  1. Any person who wishes to contact us for any reason regarding our privacy practices or the personal information that we hold about them, or make a privacy complaint, may contact us using the following details:
    Privacy Representative and Data Protection Officer
    hello@cared.com.au
    501/ 10 Help Street, Chatswood, NSW 2067
  2. We will use our best endeavors to resolve any privacy complaint with the complainant within a reasonable time frame given the circumstances. This may include working with the complainant on a collaborative basis or otherwise resolving the complaint.
  3. If the complainant is not satisfied with the outcome of a complaint or they wish to make a complaint about a breach of the Australian Privacy Principles, they may refer the complaint to the Office of the Australian Information Commissioner who can be contacted using the following details:
    Telephone: 1300 363 992
    Email: enquiries@oaic.gov.au
    Address: GPO Box 5218, Sydney NSW 2001