Privacy Policy

1. About This Policy

Compass Care and Consultancy Pty Ltd (ABN 87 685 661 198) ("Compass", "we", "our", or "us") is committed to protecting the privacy of all individuals we interact with, including clients, referrers, visitors, and job applicants.

This Privacy Policy sets out how we collect, hold, use, and disclose personal information, including sensitive information and health information, in accordance with the:

• Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs)
• My Health Records Act 2012 (Cth) (where applicable)
• Health Records & Information Privacy Act 2002 (NSW) (where applicable)
• DVA, NDIS, and Aged Care sector-specific privacy obligations

2. Who We Are

Compass Care and Consultancy Pty Ltd is a registered healthcare provider operating across South East Queensland, delivering:

• DVA-approved community nursing services
• Aged care clinical consulting and Home Care Package support
• NDIS-registered disability support services
• Workplace, in-home, and community vaccination services

Our services may involve the collection and use of sensitive personal and health information, and we take this responsibility very seriously.

3. Information We Collect

3.1 Personal Information

We may collect personal information including:

• Full name, date of birth, and contact details (phone, email, address)
• DVA card number (Gold or White Card) and veteran status
• NDIS participant number and plan details
• Medicare number and health fund information
• Emergency contact details
• Employment information (for job applicants and staff)

3.2 Health and Sensitive Information

As a healthcare provider, we collect health information including:

• Medical history, diagnoses, and current health conditions
• Medication lists, allergy information, and treatment records
• Vaccination records (recorded on the Australian Immunisation Register)
• Nursing assessment and care plan documentation
• Referral information from GPs, specialists, and hospitals

3.3 Website and Technical Information

When you visit our website, we may automatically collect non-identifiable technical data including browser type, pages visited, and IP address for analytics and security purposes.

4. Why We Collect Your Information

We collect, hold, and use personal information for the following primary purposes:

• Providing clinical nursing, disability, aged care, and vaccination services
• Processing referrals and eligibility verification (DVA, NDIS, My Aged Care)
• Maintaining accurate clinical and care documentation
• Billing, invoicing, and claiming from DVA, NDIA, and Medicare
• Communicating with clients, referrers, and healthcare providers
• Meeting our legal obligations under healthcare legislation
• Quality assurance, clinical governance, and complaint management
• Recruitment and employment administration

We will only use your information for secondary purposes (unrelated to the above) if you have given consent, or if permitted by the APPs and applicable legislation.

5. How We Collect Information

We collect personal information directly from you or, where necessary, from third parties including:

• Intake and referral forms submitted by GPs, hospitals, and support coordinators
• Direct communication via phone, email, or our website contact form
• Treating healthcare professionals and My Aged Care portals
• The Australian Immunisation Register (AIR) as authorised
• DVA's provider management systems
• NDIS provider portal and NDIA databases

6. Sensitive and Health Information

Health and sensitive information receives a higher level of protection under the Privacy Act 1988. We will only collect sensitive information where:

• You have provided explicit consent
• It is necessary to provide a health service to you
• It is required or authorised by law (e.g., DVA, NDIS, Medicare legislation)
• It is necessary to prevent a serious threat to life, health, or safety

All clinical records are maintained in accordance with applicable state and territory health records legislation and professional standards set by the Australian Health Practitioner Regulation Agency (AHPRA).

7. Disclosure of Your Information

We may disclose your personal information to:

• Your treating healthcare team — GPs, specialists, allied health professionals involved in your care
• DVA — for the purposes of service claims and eligibility verification
• NDIA / NDIS Commission — for service agreements, incident reporting, and compliance
• My Aged Care / ACQSC — for aged care administration and quality standards
• Australian Immunisation Register (AIR) — for vaccination records as required by law
• Our employees and contractors — who need access to deliver services, bound by confidentiality obligations
• Legal or regulatory bodies — where required by law, court order, or to prevent harm

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

8. Overseas Disclosure

We do not routinely disclose personal information to overseas recipients. In the unlikely event that overseas disclosure is required (e.g., for specialist clinical services or cloud storage systems), we will take reasonable steps to ensure the recipient provides equivalent privacy protections to those required by the Australian Privacy Principles, or we will seek your prior consent.

9. Security of Your Information

We take reasonable steps to protect the personal information we hold from misuse, interference, loss, and unauthorised access, modification, or disclosure. Our security measures include:

• Encrypted digital storage and transmission of health records
• Password-protected clinical management systems
• Physical security controls for any paper-based records
• Staff training on privacy obligations and data handling
• Confidentiality agreements for all employees and contractors

When information is no longer required, we take reasonable steps to destroy or de-identify it securely, subject to applicable legal retention obligations (e.g., health records must generally be retained for 7 years under Australian law, or longer for children's records).

10. Access and Correction

Under the Australian Privacy Principle 12, you have the right to request access to personal information we hold about you. Under APP 13, you may request correction of any information that is inaccurate, out of date, incomplete, or misleading.

To make an access or correction request:

• Submit your request in writing to our Privacy Officer at the contact details below
• We will respond within 30 days, or notify you if more time is required
• We may require proof of identity before processing your request
• Access will be provided free of charge, except where a reasonable administrative fee may apply for large requests

We may decline access in limited circumstances permitted by APP 12, such as where access would pose an unreasonable impact on the privacy of others, or where we are legally restricted from disclosure.

11. Privacy Complaints

If you believe we have breached your privacy or the Australian Privacy Principles, please contact us in the first instance. We are committed to resolving complaints promptly and fairly.

Your complaint will be:

• Acknowledged within 5 business days
• Investigated thoroughly and impartially
• Responded to with our findings within 30 days

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

• Website: www.oaic.gov.au
• Phone: 1300 363 992
• GPO Box 5218, Sydney NSW 2001

12. Contact Our Privacy Officer