Privacy Policy

Good Company Disability Services Pty Ltd — ABN 58 676 459 484

Effective date: Thursday, 14th May 2026  |   Last updated: Thursday, 14th May 2026 

Good Company Disability Services Pty Ltd (“we”, “our”, or “us”) is committed to protecting your personal information and ensuring your privacy is respected in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), the NDIS Code of Conduct, the NDIS Practice Standards, and any applicable State or Territory health records or privacy legislation.

This Privacy Policy explains what personal information we collect, how we use and share it, how we keep it secure, and the rights you have. By providing us with your personal information — whether through our website, forms, email, or other communication — you consent to our collection, use, and disclosure of that information as described in this Privacy Policy.

What information we collect

The personal information we collect depends on the nature of your dealings with us. It may include:

Personal Details

  • Full name, date of birth, and gender
  • Contact details (email address, postal address, phone number)
  • Emergency contact information
  • Information about your guardian, nominee, Representative, or family

Sensitive Information (with consent or where required by law)

  • Health and medical history
  • Disability and support needs
  • Cultural background, language preferences, and accessibility needs
  • NDIS participant and Plan details
  • Other categories of sensitive information protected under the Privacy Act, including racial or ethnic origin, religious beliefs, sexual orientation, criminal record, and genetic or biometric information — only where relevant to the Services and with your consent

Website and Technical Data

  • IP address, browser, and device type
  • Website interaction history
  • Cookies and analytics tracking data

How we collect information

We collect information directly from you wherever possible, through:

  • Website forms, registrations, and online enquiries
  • Direct communication (email, phone, in person)
  • Service agreements, intake forms, and feedback tools
  • Cookies and analytics platforms when you use our website
  • Photography, video, or audio recordings (with consent)

With your consent (or as otherwise permitted by law), we may also collect information about you from your Representative, treating practitioners, other NDIS providers, your Plan Manager or Support Coordinator, the NDIA and its contractors, schools or employers, and publicly available sources.

Why we collect information

We use your information to:

  • Provide and tailor NDIS support services to meet your goals and needs
  • Communicate with clients, carers, families, and other people involved in your care
  • Coordinate your services with other providers and the NDIA
  • Invoice for Services and process payments
  • Comply with legal, regulatory, funding, and reporting obligations
  • Improve our services, support staff training, and assure quality
  • Respond to complaints, feedback, and disputes
  • Enhance the user experience on our website
  • Promote our services (with your explicit consent where this involves media or identifiable information)

Use and disclosure of personal information

We only use or disclose your personal information for the purposes it was collected, or where otherwise permitted by law. We may share information with:

  • Our staff and contractors involved in delivering Services to you
  • Health professionals and allied service providers (with consent)
  • Government bodies, including the NDIA, the NDIS Quality and Safeguards Commission, Medicare, and the Department of Health and Aged Care
  • Auditors and quality assessors
  • IT, CRM, and other service providers we use to run the business, under appropriate privacy and confidentiality agreements
  • Financial institutions and debt recovery agencies for payment and invoicing purposes
  • Credit reporting bodies, where you have not paid amounts you owe and the requirements of the Privacy Act 1988 (Cth) and the Credit Reporting Privacy Code have been met (including the debt being at least $150 and at least 60 days overdue, and required written notices having been given)
  • Emergency services in the event of a medical or safety emergency
  • Law enforcement, courts, tribunals, and regulators where required or authorised by law
  • Anyone you specifically ask us to share your information with

We do not sell, rent, or trade your personal information.

Use of images, video and recordings

We may request consent to capture and use photos, video, or audio recordings of participants for specific purposes, such as supporting your goals, marketing, or service promotion. Before doing so, we will:

  • Explain how and where the media will be used
  • Seek your consent in writing or verbally
  • Respect your right to refuse or withdraw consent at any time

Recordings made as part of incident records or as legally required do not require separate consent, but are still kept securely and used only for the purpose they were taken.

Website cookies and analytics

We use cookies and analytics tools to:

  • Monitor website traffic and user behaviour
  • Improve website content and navigation
  • Support digital marketing activities

You may opt out or disable cookies through your browser settings. Some website features may be limited as a result.

Use of artificial intelligence (AI) tools

We may use artificial intelligence (AI) tools to assist with internal administrative tasks, such as:

  • Drafting internal documentation and correspondence
  • Improving service templates, forms, and processes
  • Supporting team learning, training, and compliance
  • Analysis of de-identified service data to improve quality and outcomes

We apply the following protections when using AI tools:

  • We do not knowingly input personal, health, or identifying information about clients into AI tools, unless the client has specifically consented to that use.
  • Where material processed by AI tools includes any reference to clients, that material is de-identified or anonymised wherever practicable.
  • We use AI tools provided by reputable vendors and select vendor arrangements that, where contractually available, prohibit the use of our business data for training the vendor’s general AI models.
  • Access to AI tools that may contain business information is restricted to authorised, trained staff.
  • Access is protected through multi-factor authentication and appropriate cyber-security safeguards.
  • Where AI is used to assist with a decision that affects a client, a human staff member reviews the matter and makes the final decision. We do not use AI for automated decision-making about client Services.

Our use of AI tools is consistent with the Privacy Act 1988 (Cth), the Australian Privacy Principles, and the NDIS Practice Standards. We review our AI practices regularly as the technology and applicable guidance evolve.

Data security

We safeguard your personal information through:

  • Secure, encrypted cloud storage systems
  • Role-based access controls and password protection
  • Multi-factor authentication for systems holding personal information
  • Encryption of information in transit and at rest where appropriate
  • Cyber-security protocols and regular audits
  • Staff training in data privacy and breach response

Despite these measures, no system is completely secure. If you become aware of any breach or potential breach of your information, please tell us immediately using the contact details below.

Data retention and disposal

We retain personal information only as long as necessary for our business, regulatory, and legal obligations. NDIS record-keeping requirements typically require records to be kept for at least 7 years. When information is no longer needed and is not required to be retained, it is securely deleted or de-identified using industry best practices.

Staff training and responsibilities

All staff receive training on privacy, data handling, and confidentiality as part of their onboarding and through ongoing development. Only authorised staff may access personal information relevant to their roles. Staff are required to comply with our privacy obligations under their employment terms and our internal policies.

Participant rights and choices

You have the right to:

  • Request access to the personal information we hold about you
  • Ask for corrections to any information that is inaccurate, out of date, incomplete, or misleading
  • Withdraw your consent to our handling of your information at any time
  • Lodge a complaint about how we handle your privacy (see below)

We will respond to access and correction requests within a reasonable time (usually within 30 days). We may charge a reasonable fee for retrieval of extensive records, limited to the cost of retrieval and copying. If we refuse access or correction, we will explain why in writing and tell you how to make a complaint.

Data breach notification

In the event of an eligible data breach that is likely to result in serious harm, we will:

  • Act promptly to contain and assess the breach
  • Notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in accordance with the Notifiable Data Breaches scheme under the Privacy Act 1988 (Cth)
  • Comply with any additional notification requirements under State or Territory law
  • Implement measures to reduce the risk of future breaches

Overseas disclosure

Some of the third-party IT and software services we use (for example, cloud storage, email, CRM systems, and other software-as-a-service tools) may store or process information on servers located outside Australia. Common locations include the United States and the European Union. Before allowing your information to be handled overseas, we take reasonable steps to ensure that the recipient handles your information in accordance with the Australian Privacy Principles, or that the recipient is subject to a law or scheme that protects the information in a substantially similar way.

Third-party websites

Links to third-party sites may appear on our website. We are not responsible for the content or privacy practices of those sites, and we recommend reviewing their privacy policies before sharing any information.

Children and young people

Where a participant is under 18, this Privacy Policy applies, but consent for collection, use, and disclosure of personal information is provided by their parent or legal guardian. As children and young people become capable of making their own decisions about their personal information, we will respect their developing autonomy and give them an increasing role in decisions about their information, in a way that is appropriate to their age and circumstances.

Making a privacy complaint

If you believe your privacy has been breached, or you are concerned about how we handle your personal information:

  1. Contact us directly using the details below. We will acknowledge your contact within 7 days and respond fully within 30 days wherever possible.
  2. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
  • Phone: 1300 363 992
  • Online: www.oaic.gov.au/privacy/privacy-complaints
  • Post: GPO Box 5288, Sydney NSW 2001

Depending on where you live, you may also be able to make a complaint to your State or Territory privacy commissioner or health complaints commissioner. For complaints about the quality or safety of NDIS services, you can also contact the NDIS Quality and Safeguards Commission on 1800 035 544.

Contact us

For privacy-related enquiries or complaints:

Good Company Disability Services Pty Ltd

Email: he***@***************om.au

Website: www.goodcompanyds.com.au

Adelaide: (08) 7081 6501

Canberra: (02) 6189 3400

Perth: (08) 9334 6995

Melbourne: (03) 9069 7866

Updates to this policy

We may review and update this Privacy Policy periodically to reflect changes in our practices, the technology we use, or applicable laws. The most current version will always be available on our website, with the effective and last-updated dates clearly noted above.

More Than JUST GOOD COMPANY