Care Hub Australia

Carehub Website Privacy Policy

1. About this Policy

This Privacy Policy explains how Care Hub Australia Group Pty Ltd (ABN 82 649 235 843), trading as Care Hub Australia (“Care Hub”, “we”, “us” or “our”), handles personal information that we collect through this website — for example, when you submit a contact, enquiry, referral or careers form, or otherwise interact with the site.

Care Hub Australia is an NDIS disability support provider operating in North Melbourne and surrounding suburbs of Victoria, and in Parramatta and surrounding suburbs of Greater Western Sydney, New South Wales. We recognise the rights of people with disability to privacy, dignity, independence, choice and control, and we handle personal information in a way that supports those rights.

This Policy relates to information collected via the website. If you become a client, the additional information we collect and hold to deliver your supports is handled in accordance with the service agreement, consent forms and privacy information we provide to you directly at that time.

2. The laws that apply to us

We handle personal information in accordance with:

• the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs);
• the Notifiable Data Breaches (NDB) scheme under the Privacy Act;
• the Health Records Act 2001 (Vic) and its Health Privacy Principles, and the Health Records and Information Privacy Act 2002 (NSW) and its Health Privacy Principles, where information collected through the website includes health information;
• the NDIS Code of Conduct; and
• any other Commonwealth, State or Territory law that applies to our activities.

Where both Commonwealth and State privacy laws apply, we comply with both and apply the standard that gives you the greater level of protection.

3. Information we collect through this website

Information you give us through forms. When you complete a contact, enquiry, referral or careers form, we collect the information you choose to provide. Depending on the form, this may include:

• your name, email address, telephone number and the contents of your message or enquiry;
• where you make a referral, information about the person being referred — which may include their name and contact details, NDIS participant information, and details about their disability, health, support needs or circumstances. This is sensitive information (including health information) and is given a higher level of protection under the law; and
• where you contact us about a role, information relevant to your enquiry or application.

Referrals made on behalf of another person. If you submit a referral or enquiry about someone else, you confirm that you are that person, their parent or guardian, their nominee or authorised representative, or that you otherwise have their consent to provide their information to us. Referrals may concern children and young people; we collect and handle their information with their best interests in mind and deal with the parent, guardian or authorised representative as appropriate.

Technical information. As is standard for any website, our web hosting provider may keep basic server logs — such as IP addresses, browser and device type, and the date and time of access — for security and operational purposes. We do not use this information to identify or track individual visitors.

We only collect sensitive information and health information through the website where it is reasonably necessary for our activities and, except where the law otherwise permits, with consent.

4. Cookies and tracking

Our website uses the Google tag to support Google Ads conversion tracking. This technology uses cookies to help us measure the effectiveness of our advertising — for example, by recording when a visitor who clicked one of our ads later completes an action such as submitting a form. As part of this, Google may set or read cookies on your device and may collect information such as your IP address, the pages you view on our site, and details about your device and browser.

We use these tools only to understand and improve the performance of our advertising. We do not use cookies to sell your personal information or for the marketing purposes of unrelated third parties, and we do not use other analytics or tracking technologies. Google handles the information it collects in accordance with its own privacy policy (available at policies.google.com/privacy).

Cookies used for advertising are not essential to the operation of our website. Where we use them, we seek your consent and provide controls to manage your preferences. You can also refuse or delete cookies through your browser settings, and opt out of personalised advertising through Google’s Ads Settings, although some features of our website may not work as intended if you disable cookies.

5. Why we collect, use and disclose this information

We use the information collected through this website to:

• respond to your enquiry, contact request or feedback;
• receive, assess and follow up on referrals, and arrange suitable supports or services;
• communicate with you and with the people involved in a referral;
• consider and respond to careers enquiries and applications;
• operate, secure and improve our website; and
• comply with our legal obligations and respond to lawful requests.

We only use or disclose your personal information for the purpose for which it was collected (the primary purpose), for a related secondary purpose you would reasonably expect (and, for sensitive information, a directly related secondary purpose), where you have consented, or where the use or disclosure is otherwise required or authorised by law.

6. Who we may disclose information to

We may disclose information collected through this website to:

• our staff, contractors and clinicians involved in responding to your enquiry or actioning a referral, on a need-to-know basis;
• the National Disability Insurance Agency (NDIA), the NDIS Quality and Safeguards Commission, plan managers and support coordinators, where relevant to a referral or service;
• our third-party service providers, such as our website hosting, email and client-management providers, who are bound to handle information securely and only for the purposes we authorise;
• Google, in connection with the Google Ads conversion tracking described in section 4;
• our professional advisers, such as auditors, lawyers and insurers; and
• courts, tribunals, regulators, law enforcement and government agencies, where required or authorised by law, or to lessen or prevent a serious threat to the life, health or safety of any individual.

We do not sell personal information, and we do not disclose it for the marketing purposes of unrelated third parties.

7. Government identifiers

If you provide a government related identifier through the website — such as an NDIS participant number or Medicare number — we do not adopt it as our own identifier for you, and we use or disclose it only as reasonably necessary to provide our services or as required or authorised by law.

8. Disclosure of information overseas

We primarily store and process personal information within Australia. Some of our third-party providers may store, process or access information outside Australia — for example, information collected through Google Ads conversion tracking may be processed by Google in the United States, and our website hosting or email providers may also operate overseas.

Where we disclose personal information to an overseas recipient, we take reasonable steps to ensure the recipient handles it consistently with the APPs, except where an exception under APP 8 applies. Health information is subject to additional restrictions on overseas disclosure under State health records laws, and we comply with those restrictions. Where practicable, we will identify the countries in which such recipients are likely to be located.

9. Direct marketing

We will not use the contact details you provide through this website to send you marketing communications unless you have agreed to receive them. Where we do send electronic marketing, it will comply with the Spam Act 2003 (Cth) and include a simple way to unsubscribe. You can opt out at any time by using the unsubscribe option or by contacting us using the details in section 14.

10. Security and retention

We take reasonable technical and organisational steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. These steps include access controls, staff confidentiality obligations, secure electronic storage and transmission, network security measures, secure disposal processes, and contractual protections with our service providers.

We retain information collected through the website only for as long as we need it for the purposes described in this Policy, or for as long as the law requires. Where a referral or enquiry leads to a service, the related information is held as part of our client records, which are subject to the minimum retention periods set under State health records legislation (generally at least 7 years from the last service date for adults, and until the age of 25 for a person who was a child when last seen) and applicable NDIS requirements. When information is no longer required and no retention obligation applies, we take reasonable steps to destroy it or permanently de-identify it.

11. Accessing and correcting your information

You may ask for access to the personal information we hold about you, and ask us to correct it if it is inaccurate, out of date, incomplete, irrelevant or misleading. To make a request, contact us using the details in section 14. We may need to verify your identity first, and we aim to respond within 30 days. We will tell you in advance about any reasonable cost for retrieving and copying records.

In limited circumstances permitted by law we may refuse access or correction; if we do, we will give you reasons in writing and explain how to complain. If we decline to correct information, you may ask us to attach a statement to the record noting that you consider it to be inaccurate, out of date, incomplete, irrelevant or misleading.

12. Data breaches

We maintain procedures for identifying, assessing and responding to data breaches. If an eligible data breach occurs and is likely to result in serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required by the Notifiable Data Breaches scheme, and we will comply with any equivalent obligations under State health records laws.

13. Complaints

If you believe we have mishandled your personal information, please contact us first using the details below so we can try to resolve your concern. We will acknowledge and investigate your complaint and respond within a reasonable period.

If you are not satisfied with our response, you may complain to:

• the Office of the Australian Information Commissioner (OAIC) — www.oaic.gov.au; phone 1300 363 992;
• the Health Complaints Commissioner (Victoria) — www.hcc.vic.gov.au; phone 1300 582 113;
• the Information and Privacy Commission NSW — www.ipc.nsw.gov.au; phone 1800 472 679; and
• the NDIS Quality and Safeguards Commission — www.ndiscommission.gov.au; phone 1800 035 544.

14. Contact us

15. Changes to this Policy

We may update this Policy from time to time. The current version will always be available on our website, and the effective date will be updated accordingly. We review this Policy at least annually and whenever there is a significant change to our website, practices or legal obligations.