Privacy Policy
Updated: May 2026.
1. About This Policy
This Privacy Policy explains how McArthur collects, holds, uses, discloses, and protects personal information. It applies across all McArthur divisions and services, including our recruitment, staffing, community care and nursing services operations.
McArthur is a registered NDIS provider delivering disability support services, which include community care, nursing services, support coordination and allied health support to participants across Australia. This policy reflects the additional privacy obligations that apply when we collect, use, and manage information in connection with the delivery of those services.
We are committed to handling personal information transparently, securely, and in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), the Privacy Amendment (Notifiable Data Breaches) Act 2017, the National Disability Insurance Scheme Act 2013 (Cth), the NDIS Code of Conduct, NDIS Practice Standards, Section 93 of the Health Care Act 2008, Section 106 of the Mental Health Act 2009, and any other applicable privacy legislation.
This policy covers information we handle about work seekers, employees, clients, NDIS participants, support workers, referees, website visitors, and any other individuals whose information we collect in the course of our operations.
2. Our Privacy Commitments
McArthur is guided by the following principles in all its information-handling practices:
- Need-to-know basis — We only collect information that is reasonably necessary for our functions. We do not collect personal information speculatively or “just in case.”
- Do not retain unnecessarily — We destroy or de-identify personal information when it is no longer needed for any purpose for which it may lawfully be used or disclosed.
- We do not sell personal data — Under no circumstances does McArthur sell, trade, or rent personal information to third parties.
- Transparency — We are open about what information we hold, why we hold it, and how individuals can access or correct it.
- Security — We implement appropriate technical and organisational measures to protect personal information from misuse, interference, loss, and unauthorised access.
- Dignity and respect — In our community care operations, we recognise that privacy is a fundamental human right. We handle participant information in a way that upholds their dignity, autonomy, and personal preferences at all times.
3. Who We Are
McArthur operates as an APP Entity under the Australian Privacy Principles. As a contracted service provider to Commonwealth, State, and Territory government agencies, and as a registered NDIS provider, we may also be required to handle personal information under specific agency-level privacy arrangements and the confidentiality provisions of the NDIS Act 2013 (Cth).
References to “McArthur”, “we”, “our”, or “us” in this policy include McArthur and McArthur Community Care and their respective divisions.
4. Information We Collect
We collect personal information that is reasonably necessary for our functions as a recruitment, staffing, and community care provider. The type of information collected depends on your relationship with us.
4.1 Work Seekers and Employees
- Identity and contact details, including name, address, phone and email
- Payroll information, including bank details, superannuation, tax file number and date of birth
- Right-to-work documentation, including residency or visa details
- Employment history, qualifications and professional registrations
- Industry-specific licences, certifications and clearances, such as Working with Children Checks and NDIS Worker Screening Checks
- Skills assessments and competency testing results
- Medical and immunisation records, where required for the role
- Criminal history information, where permitted or required by law
- Performance feedback and workplace incident information
- Photos and identification images for compliance screening
4.2 Clients
- Contact details, including name, role, work address, phone and email
- Organisational structure and service requirements
- Information disclosed for the purpose of McArthur providing recruitment or HR services
- Photos and images provided for marketing, business cases or compliance materials, with consent
4.3 Referees
- Contact details provided by work seekers
- Information provided during reference checks
4.4 Participants, Community Care and Disability Services
McArthur collects personal, sensitive, and clinical information about NDIS participants and other individuals receiving community care services. This information is essential to deliver safe, effective, and person-centred support. We only collect what is reasonably necessary for these purposes.
Personal Information
- Name, date of birth, gender and contact details
- Emergency contact and next-of-kin details
- NDIS participant number and plan details, including funding categories, plan dates and stated goals
- Details of guardians, nominees or legal representatives
- Cultural background, language preferences and communication needs
Sensitive and Health Information
- Information about your disability, diagnosis, health conditions and medical history
- Care plans, support plans and individual service agreements
- Clinical notes, progress notes and support documentation recorded during the delivery of services
- Medication management records
- Behaviour support plans, including restrictive practices reporting where applicable
- Incident reports and investigation reports, including reportable incidents under the NDIS Act and/or any other relevant legislative or regulatory obligations
- Mental health assessments, psychological reports and risk assessments
- Immunisation records and infection control information
- Expressed wishes about future provision of health or care services
Care Network Information
To coordinate your care effectively, we may also collect and hold contact details and relevant correspondence from individuals and organisations involved in your broader care network, including:
- Support coordinators and plan managers
- Allied health professionals, including occupational therapists, speech pathologists, physiotherapists and psychologists
- Nurse practitioners and general practitioners
- The National Disability Insurance Agency and the NDIS Quality and Safeguards Commission
- Local Area Coordinators
- Other disability service providers involved in your supports
- Family members, carers or advocates, with your consent or as authorised by law
- Government agencies, including child protection and guardianship bodies where required
4.5 Support Workers, Community Care
- NDIS Worker Screening Check clearance status and expiry dates
- Working with Children Check or equivalent state/territory clearance
- First aid, CPR and manual handling certifications
- Specialist or participant-specific training records
- Vehicle registration, insurance and driver’s licence details, where support involves transport
- Availability, rostering and shift records linked to participant service delivery
- Supervision and professional development records
- Incident involvement records and performance observations specific to care delivery
4.6 Sensitive Information, General
Sensitive information, such as health information, criminal records, racial or ethnic origin, religious beliefs, or trade union membership, is only collected where required or authorised by law, or with your explicit consent. We handle sensitive information with additional care, restrict access on a need-to-know basis, and apply the heightened protections required under APP 3 and the NDIS Act.
5. How We Collect Information
We collect personal information primarily from you directly, including through application forms, interviews, intake and assessment processes, online registrations, email, phone, and our websites.
We may also collect information from third parties where reasonably necessary, including:
- Former employers, referees and professional registration bodies
- Government agencies and publicly available sources
- Third-party recruitment platforms and job boards
- Assessment and screening providers
Where practicable, we will notify you that we have collected information from a third-party source.
5.1 Collection in Community Care Settings
When providing disability support and community care services, we may also collect information:
- During intake, onboarding and service agreement processes with participants
- From support coordinators, plan managers or Local Area Coordinators acting on a participant’s behalf or with their consent
- From medical practitioners, allied health professionals or hospitals involved in your care
- Through clinical assessments, progress notes, risk assessments and incident records created during service delivery
- From the NDIA or NDIS Commission in connection with plan management, reportable incidents or compliance activities
- From family members, carers, advocates or legal representatives with your consent or as authorised by law
We will always tell you, or your representative, what information we are collecting, why we need it, and who it may be shared with, unless it is unreasonable or impracticable to do so.
5.2 Consent
Where we rely on consent to collect, use, or disclose personal or sensitive information, we will ensure that consent is informed, voluntary, current, and specific. Participants, or their legal representatives, can withdraw consent at any time, though this may affect our ability to provide certain services.
For participants who may have difficulty providing consent due to capacity, age, or communication needs, we will work with their nominee, guardian, or legal representative in accordance with applicable laws.
6. Why We Collect and Use Your Information
We use personal information for the purposes for which it was collected, including:
6.1 Recruitment and Staffing Operations
- Assessing suitability for roles and managing placements
- Conducting recruitment functions, reference checks and compliance screening
- Managing payroll, superannuation, tax and employee benefits
- Administering employee benefit programs through trusted third-party platforms, including Flare HR and Employee Assistance Program providers
- Fulfilling workplace health and safety obligations
- Managing client relationships and delivering contracted services
- Meeting legal, regulatory and reporting obligations
- Communicating about relevant opportunities, services or updates
6.2 Community Care and Disability Services
- Assess, plan and deliver safe, person-centred disability supports and community care services
- Develop and maintain care plans, support plans and individual service agreements that reflect participant goals and needs
- Coordinate services with your broader care network
- Manage rostering, scheduling and matching of support workers to participants
- Record clinical notes, progress notes and support documentation
- Report and manage incidents, risk assessments and complaints
- Implement behaviour support plans and record restrictive practices, where applicable
- Comply with NDIS Practice Standards, the NDIS Code of Conduct, and quality and safeguarding obligations
- Facilitate NDIS plan reviews, audits and regulatory reporting
- Support the safety and wellbeing of participants, support workers and the community
- Conduct quality assurance, continuous improvement and internal training activities
If you do not provide requested information, our ability to place you in suitable roles, employ you, or deliver services safely and effectively may be limited.
7. Who We Share Information With
We may disclose personal information for the purposes outlined in this policy, or where otherwise required or authorised by law. We do not sell personal information. All sharing is limited to what is reasonably necessary and handled securely.
7.1 Internal Sharing
Personal information may be shared within McArthur and its related entities on a need-to-know basis for operational purposes. In community care, this means that only the support workers, coordinators, and managers directly involved in a participant’s care will have access to their information.
7.2 Third-Party Service Providers
- Payroll and superannuation platforms
- Employee benefits and assistance program providers, including Flare HR and Employee Assistance Program providers
- IT service providers, cloud hosting and software platforms
- Legal, insurance and professional advisors
- Background screening and assessment providers
- Government and regulatory bodies, including ATO, WorkCover and the NDIS Quality and Safeguards Commission
7.3 Sharing in Community Care Contexts
- The National Disability Insurance Agency
- The NDIS Quality and Safeguards Commission
- Support coordinators and plan managers
- Allied health professionals, nurse practitioners and general practitioners
- Other disability service providers, where multiple providers are involved in a participant’s care
- Guardians, nominees, family members or advocates
- Government agencies, including child protection, guardianship and emergency services
Information shared in these contexts is limited to what is directly relevant to the care or regulatory purpose.
7.4 Clients and Referees
We share relevant work seeker information with prospective host employers/clients as part of the placement process. We may also contact referees to verify information provided.
7.5 Cross-Border Disclosures
Some third-party providers may be located overseas. Where personal information is disclosed to an overseas recipient, we take reasonable steps to ensure they handle it consistently with the APPs. Where we cannot ensure equivalent protections, we will seek your consent before disclosure.
7.6 Special Circumstances
- To lessen or prevent a serious threat to life, health or safety
- As required by Australian law or a court/tribunal order
- To assist in locating a missing person
- For the establishment, exercise or defence of a legal claim
- Where there is reasonable suspicion of unlawful activity or serious misconduct
- In connection with mandatory reporting obligations involving NDIS participants
8. Data Security
We take the security of your personal information seriously and implement a range of measures to protect it from misuse, interference, loss, and unauthorised access, modification, or disclosure.
- Cloud-based storage with encryption at rest and in transit, firewalls and multi-factor authentication
- Role-based access controls
- Password protection and secure authentication protocols
- Policies governing laptops, mobile devices and portable storage
- Regular security reviews, vulnerability assessments and software updates
- Ongoing staff training on privacy and information security obligations
- Secure disposal and destruction of personal information no longer required
All personal and sensitive information is classified as Confidential within McArthur. All employees are required to sign confidentiality agreements as a condition of employment.
8.1 Additional Safeguards for Participant and Clinical Information
- Restricted access to participant care records
- Secure care management platforms with audit trails
- Separation of participant clinical records from general corporate and recruitment data
- Policies prohibiting storage of participant information on personal devices, unsecured drives or unencrypted media
- Clear protocols for secure handover of participant information
- Regular training for support workers and care staff on participant privacy, dignity and the NDIS Code of Conduct
9. Implementation and Monitoring
Adherence to this policy is essential to minimise the potential for the inappropriate access, use, or disclosure of personal information held by McArthur.
The inappropriate disclosure of personal information is an offence under the Health Care Act 2008 and the Mental Health Act 2009, along with the National Disability Insurance Scheme Act 2013. A breach of privacy may also lead to disciplinary action against an employee, including termination of employment, and could lead to civil proceedings being initiated by a complainant.
Auditing is an important tool to ensure adherence to this policy. Auditable events include regular monitoring of user access accounts and the review of audit trails for unauthorised access or activity.
In the event of a privacy complaint or incident, McArthur will be required to justify that its collection, use, or disclosure of personal information was within the legislative and policy requirements applicable to the organisation.
10. Data Retention
We retain personal information only for as long as it is reasonably necessary for the purposes described in this policy, or as required by law.
When personal information is no longer needed, we will take reasonable steps to destroy or permanently de-identify it, unless we are required by law to retain it.
10.1 Retention Periods
- Payroll and employment records — retained for 7 years as required under the Fair Work Act 2009 and taxation legislation
- Participant care and clinical records — retained in accordance with applicable health records legislation
- Incident and complaint records — retained for the period required by the NDIS Commission and relevant workplace health and safety legislation
- Recruitment records — retained for a reasonable period after last contact, then securely destroyed
We do not destroy or de-identify information contained in a Commonwealth record where prohibited by law.
11. Cookies and Digital Tracking
Our websites may use cookies and similar technologies to improve user experience, analyse website traffic, and support the functionality of our online services.
- Essential cookies required for core website functionality
- Analytics cookies that help us understand how visitors use our sites
- Third-party cookies from platforms integrated with our sites
You can manage or disable cookies through your browser settings. Disabling certain cookies may affect your experience on our websites.
We do not use cookies or tracking technologies to build profiles for targeted advertising or to sell data to third parties.
12. Artificial Intelligence and Automated Tools
We may use artificial intelligence, automation, machine learning, analytics, transcription, summarisation, document generation, and other technology-enabled tools to support our business operations and improve the quality, efficiency, and consistency of our services.
Where these tools are used, they may assist us with tasks such as reviewing information, preparing documents, summarising notes, improving communications, supporting recruitment and workforce management processes, and improving internal workflows.
We will only use these tools where we consider it appropriate and lawful to do so, and in accordance with our obligations under the Privacy Act 1988 (Cth), the Australian Privacy Principles, and any other applicable privacy, confidentiality, or data protection obligations.
We do not permit personal information, sensitive information, client confidential information, or commercially sensitive information to be entered into publicly available AI tools unless appropriate safeguards are in place and the use has been authorised.
AI and automated tools are used to support, not replace, human decision-making. Where a decision may materially affect an individual, we will ensure appropriate human review and oversight is applied.
13. Direct Marketing
McArthur may use your non-sensitive personal information to send you communications about our services, job opportunities, or industry updates that are relevant to your relationship with us.
You can opt out of direct marketing at any time by:
- Using the unsubscribe link included in any electronic communication
- Contacting your nearest McArthur office
- Contacting our Privacy Coordinator
We respect all opt-out requests promptly and at no cost to you. We comply with the Spam Act 2003 (Cth) and related anti-spam legislation.
We do not use participant health or clinical information for marketing purposes.
14. Accessing and Correcting Your Information
You have the right to request access to, and correction of, the personal information we hold about you, subject to certain exceptions under the APPs.
14.1 Access
To request access, submit a written request to our Privacy Coordinator including your name, contact details, and a description of the information you wish to access. You will need to verify your identity.
We will acknowledge your request within 10 business days and respond within 30 business days. If access is refused, we will provide a written explanation.
14.2 Access for Participants
NDIS participants, or their nominees, guardians, or legal representatives, may request access to their care records, support documentation, and other personal information we hold. We will facilitate access in a format and manner that is appropriate to the participant’s communication needs and preferences.
14.3 Correction
If you believe that personal information we hold about you is inaccurate, incomplete, out of date, or misleading, please contact us and we will take reasonable steps to correct it.
If we have disclosed incorrect information to a third party, you may request that we notify them of the correction, and we will take reasonable steps to do so.
If we are unable to agree on a correction, you may request that we attach a statement noting your claim that the information is inaccurate, incomplete, or out of date.
15. Notifiable Data Breaches
In the event of an eligible data breach, one that is likely to result in serious harm to affected individuals, we will comply with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988.
- Take immediate steps to contain the breach and assess the risk of harm
- Notify the Office of the Australian Information Commissioner as required
- Notify affected individuals and provide recommendations on steps they can take to mitigate potential harm
- Where the breach involves participant information, also notify the NDIS Quality and Safeguards Commission as required
We maintain a Data Breach Response Plan with assigned roles, escalation procedures, and template notifications.
16. Complaints
If you believe we have interfered with your privacy or mishandled your personal information, you have the right to make a complaint.
To lodge a complaint, please write to our Privacy Coordinator and include your name, contact details, and a description of your concern. You will need to verify your identity.
We will:
- Acknowledge your complaint within 10 business days
- Investigate and respond within 30 business days
- Propose a resolution where possible
If you are not satisfied with our response, you may escalate your complaint to:
- The Office of the Australian Information Commissioner at oaic.gov.au or by calling 1300 363 992
- The NDIS Quality and Safeguards Commission at ndiscommission.gov.au or by calling 1800 035 544, for matters relating to disability services
McArthur is a corporate member of the Recruitment and Consulting Services Association, which administers a Code of Conduct for the professional and ethical conduct of its members.
Participants and their representatives are also encouraged to raise concerns directly with their support coordinator, McArthur Community Care manager, or through our feedback and complaints process at any time.
17. Contact Us
If you have any questions about this policy, wish to make an access or correction request, or need to lodge a complaint, please contact our Privacy Coordinator:
Phone: 08 8100 7000
Email: [email protected]
Post: Privacy Coordinator, McArthur, via your nearest McArthur office
Useful Links
- Office of the Australian Information Commissioner: oaic.gov.au
- Australian Privacy Principles: oaic.gov.au/privacy/australian-privacy-principles
- NDIS Quality and Safeguards Commission: ndiscommission.gov.au
- NDIS Code of Conduct: ndiscommission.gov.au/providers/ndis-code-conduct
18. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in legislation, technology, or our business practices. The current version will always be available on our websites. We encourage you to review this policy periodically.