All participants in the NDIS who are 18 or older have the right to make decisions about services and supports. To safely make these decisions, the NDIS and providers need your consent. Consent is a record of your permission for something.
As a participant in the NDIS, you are covered by Australian privacy law in the form of the Privacy Act 1988 (Cth) and the Privacy Amendment Act 2012. This requires that providers gain your consent before collecting, using or disclosing your personal information.
This can be a tricky area as there are different types of information and consent as well as multiple areas in which consent applies.
Types of Information
Types of consent
Express consent – Consent given openly and obviously either verbally or in writing. For example, when you sign your name physically or electronically. Express consent is required before a provider handles your sensitive information.
Implied consent – To handle non-sensitive information, a provider needs to reasonably believe they have implied consent. Implied consent cannot be assumed without an opt-out option.
Watch out for
Bundled consent – A single request for consent from a provider that contains several requests. This is not okay as you are not able to choose which you consent to and which you do not.
When you give a provider your consent, they must check that is:
- Informed: you have been provided information to help you understand consent including the consequences of giving or not giving consent.
- Voluntary: you choose to give consent because you want to, not because you feel pressure.
- Current and specific: you choose how long you want it to last and what it gives your provider permission to do.
- Understood and communicated: you have the capacity to give consent and have let others know this through written verbal or other ways.
When negotiating consent, you have the right to have someone there to support you. This could be family, guardian or an independent advocate. The Provider must support you in accessing this support. For further guidance on negotiation check out the article Ideas for negotiating for non negotiators.
Can I withdraw my consent?
Yes, at any time. Just make sure it is in writing. The provider must make sure this process is easy and accessible and that you understand the possible consequences of withdrawing consent. Once this consent is withdrawn, the provider cannot use your past consent for any future use or disclosure of your personal information, which is why you want a written record of it.
Partial consent is also an option. For example, you may give consent for your provider to share personal information with pertinent others while also choosing to not share it with specific people or services. This is evident in the third consent listed in the image below.
What can I give consent for?
General consents
Depending on the provider these can be collected on separate form/s or included in your Service Agreement. We looked at negotiating Service Agreements in the article Service agreements and you: What do you need to know? Consent on a Service Agreement may look like the below example.
Specific consents
Specific consents such as Social Media Releases should be documented on a separate form providing information specific to the consent. For example:
Your personal information
Once consent is given, providers collect your personal information in a variety of formats and forms. There are a few things you should always check are in place:
- You have the right to request and access your personal information at any time.
- You have the right to redact information on shared documents.
- Your information is stored appropriately to protect your privacy and confidentiality.
- Your information is stored securely. To safeguard your information from misuse, interference, loss, unauthorised access, modification and disclosure.
This information should be available in the Provider’s Information Management Policy and Privacy and Confidentiality Policy. You should be provided with these policies when commencing with the Provider. If not, you should be provided with them on request.
How to make a Privacy Complaint
If at any time you are unhappy or concerned with the handling of your personal information, you have the right to raise a complaint. The complaints process should be clearly communicated through the Provider’s Feedback and Complaint Policy and documented in your Service Agreement. The article Effective Complaints, How to Raise Your Concerns has some great advice on effective complaints.
If you are unsatisfied with the outcome of your complaint you can request it be investigated by an independent person such as the NDIS Quality and Safeguards Commission or the Office of the Australian Privacy Commission.