Privacy Policy

Privacy Policy — Racham Care
Racham Care Australia Pty Ltd | ABN 66 650 221 444
Policy: POL 3.4 — Privacy, Dignity and Confidentiality of Personal Information
Effective date: 1 July 2026 | Version 2.0 | Review due: July 2027
Registered NDIS Provider | Mango Hill, Queensland, Australia

Racham Care Australia Pty Ltd is a registered NDIS provider delivering person-centred disability support services across Queensland. We are committed to protecting the privacy, dignity and rights of every participant, family member, carer and stakeholder we work with.

Accessibility: Racham Care is committed to making this Privacy Policy available in accessible formats, including Easy Read, large print and with interpreter support on request at no cost.

1. Overview and Our Commitment

Racham Care Australia Pty Ltd, trading as Racham Care (ABN 66 650 221 444) ("Racham Care", "we", "us" or "our"), is a registered NDIS provider delivering disability support services from our base in Mango Hill, Queensland. We are committed to protecting the privacy, dignity and confidentiality of every person we support, their families, carers, guardians and nominees, our workers, and every person who contacts us or engages with our website, advertising or social media.

This Privacy Policy explains what personal information we collect, how and why we collect it, how we use, store, protect and disclose it, and the rights you have in relation to your information.

We manage personal information in accordance with the Privacy Act 1988 (Cth) ("Privacy Act"), including all 13 Australian Privacy Principles (APPs) and the amendments made by the Privacy and Other Legislation Amendment Act 2024 (Cth). As a provider of health services and a handler of health information, Racham Care is bound by the Privacy Act regardless of annual turnover. We also comply with the National Disability Insurance Scheme Act 2013 (Cth), the NDIS Practice Standards, the NDIS Code of Conduct, the Spam Act 2003 (Cth), the Do Not Call Register Act 2006 (Cth) and, where applicable, the Information Privacy Act 2009 (Qld).

2. Purpose and Scope

The purpose of this policy is to ensure that:

  • participants, prospective participants, their families, carers and decision-makers are fully informed about how their personal and sensitive information is handled, in a format they can understand, taking individual communication needs into account;
  • we collect only the information reasonably necessary to deliver safe, high-quality supports and to run our organisation, including our marketing and community outreach;
  • our workers, contractors and volunteers understand their legal and ethical obligations to maintain privacy and confidentiality; and
  • our digital marketing activities — including Facebook and Instagram advertising — are conducted lawfully, transparently and respectfully.

This policy applies to the Director, all workers (permanent, fixed-term and casual), contractors, volunteers and third-party service providers of Racham Care, and covers all personal information we hold, however collected — in person, on paper, by phone, by email, through our website, or through digital advertising platforms such as Facebook and Instagram (operated by Meta Platforms, Inc.).

3. Definitions

  • Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not, and whether recorded in material form or not (for example, your name, phone number, email address, date of birth or NDIS number).
  • Sensitive information is a special category of personal information that receives a higher level of protection. It includes health information, information about a disability, racial or ethnic origin, and information about supports and services a person receives.
  • Health information includes information about a person's health, disability, medical history, medications, assessments, therapies and support needs.
  • Participant means a person who receives, or is seeking to receive, supports or services from Racham Care, including NDIS participants.
  • Client means a client of Racham Care and includes participants and, where relevant, their families, carers, guardians and nominees.
  • Worker means a person employed or engaged by Racham Care on a permanent, fixed-term or casual basis, and includes contractors and volunteers.
  • APPs means the 13 Australian Privacy Principles set out in Schedule 1 of the Privacy Act 1988 (Cth).
  • OAIC means the Office of the Australian Information Commissioner.
  • Lead form means an enquiry form completed through a digital advertisement (for example, a Facebook or Instagram "Instant Form") or through a landing page linked from an advertisement.

4. What Personal Information We Collect

4.1 Information about participants and prospective participants

Depending on your relationship with us, we may collect:

  • identity and contact details — full name, date of birth, address, phone number and email address;
  • NDIS details — NDIS number, plan details, funding categories, plan management arrangements, plan dates and goals;
  • health and disability information (sensitive information) — diagnoses, assessments, medications, behaviour support plans, mobility and communication needs, allied health reports and progress notes;
  • guardian, nominee, family and carer details — names, contact details and their relationship to the participant, including any guardianship or decision-making arrangements;
  • cultural and linguistic information relevant to delivering culturally safe supports, including Aboriginal or Torres Strait Islander status where you choose to share it;
  • financial and billing information needed to claim and invoice for supports; and
  • incident, complaint and feedback records.

4.2 Information collected through marketing and our website

When you respond to our advertising or visit our website, we may collect:

  • your full name, contact phone number and email address submitted through Facebook or Instagram lead forms or landing pages;
  • the answers you give to any qualifying questions in a lead form (for example, whether you are enquiring for yourself or a family member, your suburb, or the type of support you are looking for);
  • records of our communications with you (emails, SMS, call notes); and
  • technical information such as device type, browser, IP address, pages visited and interactions with our advertisements, collected through cookies and similar technologies, including the Meta Pixel or equivalent tools where used on our website or landing pages.

Important — sensitive information and lead forms: Our advertising lead forms are designed to collect contact details and general enquiry information only. We do not ask for detailed health or disability information through an advertisement. If you volunteer sensitive information in a free-text field or a follow-up message, we will treat it as sensitive information under this policy and handle it with the higher level of protection the Privacy Act requires.

4.3 Anonymity and pseudonymity (APP 2)

Wherever it is lawful and practicable, you may deal with us anonymously or using a pseudonym — for example, when making a general enquiry about our services or providing feedback. However, we cannot deliver NDIS supports, respond to a specific service enquiry, or process an NDIS claim without identifying you.

5. How We Collect Personal Information

We collect personal information directly from you wherever it is reasonable and practicable to do so — in person, by phone, by email, through intake and consent forms, through our website, or through service delivery. We may also collect information:

  • from your family members, carers, guardians or nominees, with your consent or where permitted by law;
  • from your support coordinator, plan manager, the National Disability Insurance Agency (NDIA) or other providers involved in your supports, with your consent;
  • from health professionals and allied health providers, with your consent;
  • through Facebook and Instagram lead forms and landing pages, when you choose to submit an enquiry in response to one of our advertisements; and
  • from our third-party marketing agency, which manages our advertising campaigns and passes enquiries to us securely.

When we collect personal information, we take reasonable steps to notify you of the matters required by APP 5, including why we are collecting it, who we may share it with, and how you can access it, correct it or complain. For participants, this is supported by our Privacy Consent Form, which is provided in a format appropriate to your communication needs.

6. Why We Collect and How We Use Your Information

We collect, hold and use personal information for the following purposes:

  • assessing enquiries and referrals, and determining whether we can meet your support needs;
  • planning, delivering, reviewing and improving your supports, including preparing service agreements, rosters, progress notes and reports;
  • claiming payment for supports through the NDIS and issuing invoices;
  • meeting our legal and regulatory obligations, including under the NDIS Act 2013 (Cth), the NDIS Practice Standards, the NDIS Code of Conduct, and reporting obligations to the NDIS Quality and Safeguards Commission;
  • managing incidents, complaints and feedback;
  • responding to your enquiries, including enquiries submitted through Facebook or Instagram lead forms; and
  • direct marketing and service promotion, as described in section 7, where you would reasonably expect it or have consented.

We only use or disclose sensitive information (including health information) for the primary purpose for which it was collected, for a directly related secondary purpose you would reasonably expect, with your consent, or where otherwise required or authorised by law (for example, mandatory reporting or responding to a serious threat to life, health or safety).

7. Marketing and Digital Advertising

This section explains how we handle personal information in connection with our marketing activities, including advertising on Facebook and Instagram. It reflects our obligations under APP 7 (direct marketing), the Spam Act 2003 (Cth) and the Do Not Call Register Act 2006 (Cth).

7.1 Facebook and Instagram lead generation

Racham Care advertises its disability support services on Facebook and Instagram, which are operated by Meta Platforms, Inc. and its related entities ("Meta"). Our advertising campaigns may be managed on our behalf by a third-party marketing agency acting under our instructions.

If you respond to one of our advertisements by completing a lead form or a landing page enquiry form, we collect the information you submit — typically your full name, contact phone number and email address, together with your answers to any qualifying questions. By submitting a lead form, you are asking us to contact you about our services.

We use this information to:

  • contact you by phone, SMS or email to respond to your enquiry;
  • provide information about our supports, availability and how to get started; and
  • with your consent or where you would reasonably expect it, send you follow-up communications about our services, vacancies and relevant NDIS information.

Lead form submissions are enquiries only. Submitting a form does not create a service agreement, does not guarantee service availability, and does not require you to proceed with Racham Care.

7.2 How Meta handles your information

When you complete a lead form on Facebook or Instagram, your information is initially collected and processed by Meta on its platform before being made available to us (or to our marketing agency on our behalf) for download or secure transfer into our systems. Meta processes this information in accordance with its own Privacy Policy and terms, which we encourage you to read at www.facebook.com/privacy/policy. Meta stores data on servers located overseas, including in the United States.

Meta is an independent organisation. While we choose the questions asked in our lead forms and control how we use the responses, we do not control Meta's platform-level data practices. Our advertisements and lead forms include a link to this Privacy Policy as required by Meta's lead ads terms.

7.3 Retargeting, custom audiences and the Meta Pixel

We may use Meta's advertising tools to make our advertising more relevant and to avoid showing advertisements to people who are unlikely to be interested. This can include:

  • Website custom audiences: where the Meta Pixel or similar technology is installed on our website or landing pages, Meta may use hashed technical data about your visit to show you our advertisements later ("retargeting").
  • Custom audiences from our contact lists: we may upload hashed (encrypted) contact details to Meta to reach existing contacts, or to exclude existing participants and past enquirers from seeing our advertisements. Hashing means Meta cannot read the underlying contact details unless they match an existing Meta account.
  • Lookalike or similar audiences: Meta may use aggregated, de-identified characteristics of an audience to find other people with similar characteristics. This does not involve disclosing your identity to other advertisers.

You can control the advertisements you see on Meta platforms through your Facebook or Instagram settings (Settings → Accounts Centre → Ad preferences), including hiding our advertisements or adjusting how your activity is used for advertising. You can also ask us at any time to exclude your contact details from our custom audiences by contacting our Privacy Officer (section 17).

7.4 Electronic marketing — Spam Act 2003 (Cth)

We only send commercial electronic messages (email or SMS) where we have your express consent (for example, you ticked a box or submitted a lead form asking to hear from us) or your consent can be reasonably inferred from an existing relationship. Every marketing email or SMS we send will:

  • clearly identify Racham Care Australia Pty Ltd as the sender and include our contact details; and
  • contain a functional, free or low-cost unsubscribe facility (for example, an "unsubscribe" link or "reply STOP" option).

We action unsubscribe requests promptly, and in any event within 5 business days as required by the Spam Act 2003 (Cth). Unsubscribing from marketing does not stop essential service communications, such as roster changes, invoices or safety information, if you are a current participant.

7.5 Telephone contact — Do Not Call Register Act 2006 (Cth)

If you submit a lead form or otherwise ask us to contact you, you are consenting to us calling the number you provide about your enquiry, and that consent operates notwithstanding any listing of your number on the Do Not Call Register. We do not conduct cold-call telemarketing to numbers we have not been given. If we ever conduct outbound marketing calls to contacts who have not enquired with us, we will first wash the calling list against the Do Not Call Register as required by the Do Not Call Register Act 2006 (Cth). You may withdraw your consent to be called at any time by telling the caller or contacting our Privacy Officer, and we will record and honour that request.

7.6 Opting out of marketing

You may opt out of any or all marketing communications at any time, free of charge, by:

  • using the unsubscribe link in any marketing email;
  • replying STOP to any marketing SMS;
  • telling any Racham Care worker who contacts you; or
  • contacting our Privacy Officer using the details in section 17.

If you opt out, we will stop sending you marketing communications and, on request, remove your details from our marketing lists and custom audiences. Opting out does not affect any supports or services you receive from us.

7.7 Our marketing standards

All Racham Care marketing is conducted consistently with the NDIS Code of Conduct: we act with honesty, integrity and transparency, we do not use pressure tactics, and we take particular care in communications directed at people with disability, their families and carers. Our advertising complies with Meta's Special Ad Category requirements where applicable, and we never sell personal information to third parties.

8. Who We Disclose Personal Information To

We only disclose personal information for the purposes described in this policy, with your consent, or where required or authorised by law. Depending on the circumstances, we may disclose personal information to:

  • the NDIA, the NDIS Quality and Safeguards Commission and other government bodies, where required for claims, audits, reporting or compliance;
  • your support coordinator, plan manager, guardian, nominee or other providers involved in your supports, with your consent;
  • health professionals involved in your care, with your consent or in an emergency;
  • our professional advisers (lawyers, accountants, auditors) under obligations of confidentiality;
  • our contracted service providers who help us run our business — including IT and cloud hosting providers, customer relationship management (CRM) and email platforms, and our third-party marketing agency — strictly for the purpose of providing services to us and subject to confidentiality and privacy obligations; and
  • Meta Platforms, Inc., in the limited ways described in section 7 (lead forms, pixel data and hashed custom audiences).

We do not sell, rent or trade personal information.

9. Overseas Disclosure (APP 8)

Some of our service providers store or process information outside Australia. In particular:

  • United States: Meta Platforms, Inc. stores lead form data and advertising data on servers in the United States and other locations. Cloud software we use (for example, email, CRM and document storage platforms) may also store data in the United States or other regions.
  • Philippines: our marketing and administrative support providers may access limited contact and enquiry information from the Philippines for the purpose of managing our advertising campaigns and responding to enquiries on our behalf.

Before disclosing personal information overseas, we take reasonable steps to ensure the overseas recipient handles it consistently with the Australian Privacy Principles, including through contractual obligations, access controls and data minimisation. We do not send participant health records overseas for marketing purposes. Health and service delivery records are stored in systems configured to retain data in Australia wherever practicable.

10. Data Quality, Storage and Security (APPs 10 and 11)

We take reasonable steps to ensure the personal information we collect, use and disclose is accurate, up to date, complete and relevant. We review participant records at plan reviews and when you tell us your details have changed.

We protect personal information from misuse, interference, loss, and unauthorised access, modification or disclosure through technical and organisational measures, including:

  • secure, access-controlled electronic systems with unique logins and role-based access — workers can only access the information they need to perform their role;
  • password management, multi-factor authentication and encryption on key systems;
  • secure storage of any paper records in locked facilities;
  • confidentiality obligations for all workers, contractors and volunteers, which continue after their engagement ends;
  • worker training in privacy and confidentiality at induction and on an ongoing basis;
  • prompt removal of system access when a worker leaves; and
  • due diligence and contractual privacy obligations for third-party providers, including our marketing agency.

Lead form data downloaded from Meta is transferred into our secure systems promptly and is not retained in personal email accounts, personal devices or unsecured spreadsheets.

11. Data Retention and Destruction

We retain personal information only for as long as it is needed for the purposes described in this policy or as required by law:

  • Participant and service delivery records are retained for a minimum of 7 years from the date of the last service, consistent with NDIS Practice Standards record-keeping requirements. Records relating to children may be retained longer (until the person turns 25) where required.
  • Incident and complaint records are retained for a minimum of 7 years from the date the record was made.
  • Marketing enquiry records (lead form submissions that do not become participants) are retained only as long as reasonably necessary to respond to the enquiry and for follow-up you would reasonably expect, after which they are deleted or de-identified. If you ask us to delete your enquiry details, we will do so unless we are required to retain them by law.

When personal information is no longer required, we take reasonable steps to destroy it securely (for example, shredding paper records and securely deleting electronic records) or to de-identify it, in accordance with APP 11.2.

12. Government Identifiers (APP 9)

We do not adopt government-related identifiers (such as your NDIS number, Medicare number or Centrelink reference number) as our own identifier for you. We only use or disclose such identifiers where reasonably necessary to verify your identity or to fulfil our obligations to the relevant agency — for example, using your NDIS number to submit payment claims.

13. Notifiable Data Breaches

Racham Care maintains a data breach response plan. If we suspect a data breach involving personal information, we will contain it, assess it promptly (and in any event within 30 days), and take remedial action. If a breach is likely to result in serious harm to any individual, we will notify the OAIC and the affected individuals as soon as practicable, in accordance with the Notifiable Data Breaches scheme in Part IIIC of the Privacy Act, including a description of the breach, the information involved, and the steps individuals should take in response.

14. Automated Decision-Making

Racham Care does not use computer programs to make decisions that could reasonably be expected to significantly affect your rights or interests without human involvement. Decisions about your supports, eligibility and services are always made by people. Advertising platforms such as Meta use automated systems to decide who is shown an advertisement; this affects only whether you see our advertising, and is described in section 7. We will update this section as required to meet the automated decision-making transparency obligations that apply to privacy policies from 10 December 2026 under the Privacy Act.

15. Your Rights: Access, Correction and Complaints

15.1 Access to your information (APP 12)

You may request access to the personal information we hold about you at any time by contacting our Privacy Officer. We will respond within a reasonable period (usually within 30 days) and provide access in the manner you request where reasonable and practicable, including in accessible formats appropriate to your communication needs. We do not charge for making a request, and any charge for providing access (for example, photocopying) will not be excessive. If we refuse access in whole or part (for example, where access would unreasonably impact another person's privacy), we will give you written reasons and information about how to complain.

15.2 Correction of your information (APP 13)

If you believe information we hold about you is inaccurate, out of date, incomplete, irrelevant or misleading, you may ask us to correct it, free of charge. We will take reasonable steps to correct it and, if you ask, notify other organisations to which we previously disclosed the information. If we refuse to correct it, we will give you written reasons, and you may ask us to attach a statement to the record noting that you believe it is inaccurate.

15.3 Complaints

If you have a concern or complaint about how we have handled your personal information, please contact our Privacy Officer using the details in section 17. We take all privacy complaints seriously. We will acknowledge your complaint promptly, investigate it, and respond to you within 30 days. Making a complaint will never affect the supports you receive.

If you are not satisfied with our response, you may complain to:

  • Office of the Australian Information Commissioner (OAIC) — online at www.oaic.gov.au or by phone on 1300 363 992 (privacy complaints); and/or
  • NDIS Quality and Safeguards Commission — online at www.ndiscommission.gov.au or by phone on 1800 035 544 (complaints about NDIS providers, including how they handle participant information).

16. NDIS Practice Standards, Code of Conduct and Related Legislation

This policy supports Racham Care's compliance with the NDIS Practice Standards, in particular:

  • Standard 1 — Rights and Responsibilities, including the Privacy and Dignity outcome: each participant accesses supports that respect and protect their dignity and right to privacy;
  • Standard 2 — Provider Governance and Operational Management, including information management: each participant's information is identifiable, accurately recorded, current, confidential and easily accessible to the participant;
  • Standard 3 — Provision of Supports.

It is to be read in conjunction with the NDIS Code of Conduct, our Legislation Register, our Privacy Consent Form, our Complaints and Feedback Policy, our Incident Management Policy, our Data Breach Response Plan, and the following legislation:

  • Privacy Act 1988 (Cth) and the Australian Privacy Principles, as amended by the Privacy and Other Legislation Amendment Act 2024 (Cth);
  • National Disability Insurance Scheme Act 2013 (Cth) and the National Disability Insurance Scheme (Code of Conduct) Rules 2018;
  • Spam Act 2003 (Cth);
  • Do Not Call Register Act 2006 (Cth);
  • Information Privacy Act 2009 (Qld), where applicable; and
  • Competition and Consumer Act 2010 (Cth), including the Australian Consumer Law, in relation to advertising conduct.

17. Contact Us — Privacy Officer

Privacy Officer

Racham Care Australia Pty Ltd (trading as Racham Care)

ABN 66 650 221 444

Mango Hill, Queensland, Australia

+61 460 890 965

admin@rachamcare.com.au

www.rachamcare.com.au

If you need this policy in an alternative format — such as Easy Read, large print, or explained with the help of an interpreter or support person — please ask, and we will arrange it at no cost to you.

18. Policy Review and Version Control

Racham Care may update this policy from time to time to reflect changes in law, technology or our practices. The current version will always be available on our website and on request. This policy is reviewed at least annually in consultation with people using our services, their families and carers, and our workers. All service planning, delivery and evaluation activities incorporate stakeholder feedback.

Effective date of this version: 1 July 2026.

VersionEndorsedEndorseeReason / Section UpdateNext Review
1.0Grace MaswayaTafara NdovorwiInitial release01/2026
2.0Grace MaswayaNyasha MatandaFull revision: alignment with Privacy Act 1988 (Cth) as amended (2024 reforms); all 13 APPs addressed; new Marketing & Digital Advertising section (Facebook lead ads, Meta data sharing, retargeting, Spam Act 2003, Do Not Call Register Act 2006); retention, security, overseas disclosure, NDB scheme, access/correction/complaints expanded.07/2027