Privacy Policy

Hermitage Care Pty Ltd (ABN 30 660 827 967) ('Hermitage Care', 'we', 'us', 'our') is a registered NDIS provider (Provider No. 4321 460 93) operating across metropolitan Melbourne, Victoria.

This Privacy Policy explains how we collect, use, disclose, and protect personal information in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and our obligations under the National Disability Insurance Scheme Act 2013 (Cth).

By engaging our services or submitting a referral, you consent to the collection and use of information as described in this policy.

We collect personal information necessary to provide NDIS support services. This includes:

• Participant information: name, date of birth, NDIS number, address, contact details, plan management type, support needs, goals, health and disability information, and emergency contact details.

• Referrer and coordinator information: name, organisation, role, phone number, email address, and NDIS registration details.

• Support worker information: name, contact details, qualifications, Working with Children Check, NDIS Worker Screening Check, and employment records.

• Website visitors: we may collect non-identifiable data such as browser type, pages visited, and time on site via standard web analytics tools.

We collect information directly from you or your authorised representative through our online referral form, phone calls, emails, intake meetings, and service agreements.

We may also receive information from the NDIS Quality and Safeguards Commission, the National Disability Insurance Agency (NDIA), support coordinators, plan managers, healthcare providers, and other parties involved in a participant's care — where you have authorised this.

We will always tell you why we are collecting information and how we intend to use it.

We collect and use personal information to:

• Deliver, manage, and improve NDIS support services to participants.

• Communicate with participants, their families, support coordinators, and plan managers.

• Meet our obligations as a registered NDIS provider, including reporting to the NDIA and NDIS Quality and Safeguards Commission.

• Process invoices and manage funding claims through the NDIS portal.

• Ensure worker suitability and compliance with screening requirements.

• Respond to complaints, incidents, and quality reviews.

• Comply with legal and regulatory requirements.

We do not sell personal information. We may share information with third parties only where necessary, including:

• The NDIA and NDIS Quality and Safeguards Commission as required by law.

• Plan managers and support coordinators involved in your care.

• Healthcare providers, allied health professionals, or emergency services where required for safety.

• IT service providers who support our operations, under strict confidentiality agreements.

• Government agencies where required by law.

We will not disclose your information for any other purpose without your prior consent, except where required by law or where a permitted general situation applies under the Privacy Act.

As a registered NDIS provider, we are bound by additional privacy obligations under the NDIS Act and the NDIS Practice Standards. Participant information is treated with the highest level of confidentiality.

We maintain a participant-centred approach, which means we will always seek your informed consent before sharing your information, provide you with access to your own records on request, and explain how your information is being used in plain language.

Participant records are accessed only by staff directly involved in service delivery, on a need-to-know basis.

We take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, and disclosure.

Records are stored securely in password-protected digital systems with access controls. Physical documents are stored in locked facilities. We regularly review our security practices.

We retain personal information for as long as required to deliver services and meet legal obligations. Participant records are retained for a minimum of seven years from the date of last service, or seven years after a child participant turns 18 — whichever is later.

When information is no longer required, we dispose of it securely.

You have the right to access the personal information we hold about you, and to request corrections if it is inaccurate, out of date, or incomplete.

To make an access or correction request, contact us at info@hermitagecare.com.au or call 0426 710 210. We will respond within 30 days. In some limited circumstances we may decline access, and if so we will explain why in writing.

There is no charge for making an access request, though we may charge a reasonable fee to cover copying and administration costs.

If you believe we have breached your privacy or not complied with this policy, please contact us first so we can attempt to resolve your concern:

Email: info@hermitagecare.com.au Phone: 0426 710 210 Post: Hermitage Care Pty Ltd, Melbourne VIC

We will acknowledge your complaint within five business days and respond in full within 30 days. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au or call 1300 363 992.

If your complaint relates to NDIS service delivery, you may also contact the NDIS Quality and Safeguards Commission at 1800 035 544.

We may update this Privacy Policy from time to time to reflect changes in our practices or legal obligations. The current version will always be available on our website. We will notify participants of material changes.

This policy was last updated in 2025.