Privacy Policy

Capability Support provides support to people in the community with personalisation, flexibility and professionalism. 

Policy Number CAP002
Created By
Director - Operations
Approved By
Board of Directors
Review Date

1. Purpose of Policy/Procedure:

Capital Capability Support (Capability) is a provider of services to people living in the community. The nature of the services provided means that clients’ privacy must be a primary consideration of all employees and stakeholders. Capability is committed to protecting your privacy and the confidentiality of personal information we already hold, or will collect and hold, about you.

2. Scope of Policy/Procedure

This policy applies to:

  • All Capability Employees
  • All Stakeholders & Clients
  • All Directors of Cap Support Pty Ltd
  • All Children and Young People supported by Capability.

3. Overview of Policy

  • Capability is subject to the Privacy Act 1988 (Cth) (the Privacy Act) and applicable Australian Privacy Principles (APPs) in the Act when handling personal information.
  • This, and other laws and regulations impose duties on Capability to keep your identity and information about your affairs strictly confidential.
  • This Privacy Policy sets out how we manage personal information.
  • This Policy describes the sorts of information we collect and hold, and for what purpose.
  • The use of information is explained for both internal use and for external providers to whom we routinely provide it.
  • Stakeholders can make a complaint about the way in which Capability has handled personal information (or if you feel we have breached the Privacy Act) as well as your rights to access and correct the information we hold about you.
  • We only collect personal information which is necessary for the purposes of providing to you (or the organisation or persons you represent) disability services and other related services that you require or are likely to require in future.
  • If you do not consent to providing the information we request, Capability may not be able to supply you with all services you require.
  • Capability has systems and procedures in place to protect your privacy whenever we collect, store, use or disclose your personal information.
  • This policy applies to all personal information we collect about you, whenever collected.
  • More information is available by contacting the Privacy Officer on the numbers or at the addresses listed in the Complaints and Enquiries section of this Privacy Policy.

4. Relevant Definitions

  • Sensitive information means personal information about a person’s:

    • racial or ethnic origin,
    • political opinion or membership of a political association,
    • trade union or professional association membership,
    • religious beliefs or affiliations or philosophical beliefs,
    • sexual orientation or practices,
    • criminal record,
    • genetic information, or
    • biometric information or templates

  • Health information means actual information or opinion about:

    • the health (including an illness), disability or injury of an individual; or
    • an individual’s expressed wishes about the future provision of health services

Privacy Officer is the Capability employee whose role is to:

  • Deal with requests for access to and correction of personal information,
  • Answer any concerns, complaints or alleged breaches in relation to privacy issues; and
  • Be the contact for the Australian Information Commissioner in relation to privacy issues.

You and your refer to the individual whose information we collect and hold for operational purposes. This can include but is not limited to:

  • Clients,
  • Their guardians and other stakeholders,
  • Staff members,
  • Contractors,
  • Volunteers; and
  • Organisations with which we deal in order to provide services to clients.

5. Openness and Transparency (APP 1)

This Privacy Policy outlines how we manage, store, correct and share your personal information. It
provides a mechanism for affected parties to inquire or complain about how their personal
information is stored, used or shared with relevant organisations.
This policy is kept up to date to ensure its ongoing compliance with the APPs and is available for all
stakeholders at

6. Anonymity (APP 2)

Capability recognises that some people would prefer to keep their identity a secret or to deal with us under a pseudonym. We provide the opportunity to remain anonymous or operate under an assumed name, except where it is not practical to do so. 

Where you request anonymity or decline to consent to provide the information we request, Capability may not be able to supply you with all services you require. Complaints and feedback can always be left anonymously or pseudonymously; however, this may limit our ability to reply and the efficacy of our investigations into the complaint or feedback.

7. Collection of Information

The personal information that Capability requests from you will depend on the type of relationship you have with us. Common relationships include as a client, employee, contractor or carer. Capability aims to collect personal information directly from you. If you are unable to provide the requested information, we may collect the information from another person who has legal responsibility or advocates on your behalf.

Where you request anonymity or decline to consent to providing the information we request, Capability may not be able to supply you with all services you require. Complaints and feedback can always be left anonymously or pseudonymously; however this may limit our ability to reply and the efficacy of our investigations into the complaint or feedback.

Capability can also collect personal information from a third party or a publicly available source. We would only take this approach:

  • With your full and informed consent to do so,
  • Where you would expect us to collect your personal information in this way; or
  • If it is a necessary collection to enable
  • Capability to provide you a service.

Capability only collects personal information for the provision of services and supports, operating our business, responding to enquiries and administration of stakeholders’ accounts.

We may also collect personal information as part of our communications with you. Records of
emails, phone calls or business card information may be stored in our contact history.

The information we collect includes name, address, emergency contact details, cultural background, medical and disability information, behaviour management strategies, personal care information and other necessary information to ensure the health, safety and wellbeing of our employees and clients.

Capability will only collect sensitive information:

  • With your full and informed consent,
  • When the information directly relates to the services we are providing you; and
  • The information relates solely to people with a regular and ongoing relationship with Capability and its operations.


Capability will not sell or otherwise give away any information we collect.

There are some circumstances where we receive personal information that we have not asked for (unsolicited information). Upon receipt of such information, Capability will determine whether our Privacy Policy would allow us to have collected the information from the person if we had asked. 

Where unsolicited personal information is received, we will determine if the information is
necessary to the continuing relationship. If the information is deemed not necessary, it will be
destroyed or de-identified within a reasonable timeframe.

8. Notification (APP 5)

Before or at the time of the collection of personal information, we will take steps to make sure you are aware why the information is required, what it will be used for, and of how you can access our Privacy Policy. In the event this notification is impractical, we will inform you as soon as possible after collecting the information.

Forms or websites collecting personal information will include a footnote outlining Capability’s conformity with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Standard text for new collection forms is:

Capital Capability Support adheres to the Australian Privacy Principles (2012) and
has a Privacy Policy in place to keep your information safe. Personal information
collected or received will be used, stored and disposed of in compliance with the
Privacy Act 1988 (Cth) and associated Australian Privacy Principles. Our Privacy
Statement and up to date Privacy Policy is available online at

9. Use and Disclosure (APP 6)

Capability will only hold personal information for the primary purpose it was given to us. Use of
personal information will only occur within our standard operations and will not be used for a secondary purpose unless:

  • You have given full and informed consent (given consent – see below),
  • You would expect us to use or disclose the personal information for the secondary purpose, as it relates to the primary purpose (e.g. to the NDIA for NDIS plan reviews),
  • It is required or authorised by law,
  • A permitted general situation exists (see s.16A of the Privacy Act),
  • A permitted health situation exists (see s.16B of the Privacy Act), in which case steps must be taken to de-identify the information before it is disclosed; or
  • We believe that the use or disclosure of the information is necessary for enforcement (e.g. Police or enforcement authorities)

Personal information will only be shared on a needs-to-know basis. Capability has information

barriers in place which restrict staff from accessing information that is not relevant to their role or level of experience.

Requests for disclosure of personal information to a third party should be made to
[email protected].

We will only disclose personal information for a particular purpose provided your consent is first obtained or you would reasonably expect disclosure for that purpose. Consent received under this section should be express (i.e. written) and freely given with full information as to the intended purpose of the disclosure.

On receipt of request for third party disclosure of personal information, we will provide
acknowledgement of the request within 48 hours. Where possible, we will aim to provide an
expected timeframe for providing the requested information or explain why this request will not be approved.

Capability may impose a fee to cover costs of photocopying or file extraction dependent on the volume required and ease of access to the data. Any fees imposed will be done on a cost basis

10. Direct Marketing (APP 7)

This policy prohibits the disclosure of personal information in direct marketing, except with your
express consent.

You can unsubscribe from direct marketing at any time by emailing
[email protected] or contacting the Privacy Officer.

You can revoke your consent to be featured (your personal information or images) by contacting the Privacy Officer.

11. Cross Border Disclosures (APP 8)

If we disclose personal information to any overseas recipient, the overseas recipient must comply with the terms of the Australian Privacy Principles.

Capability has a strong focus on ensuring your data is kept in Australia and has strong data
sovereignty policies in place to ensure personal information is not inadvertently shared with
overseas recipients.

We will only share with overseas recipients where:

  • The overseas recipient demonstrates they comply with laws that are substantially similar to the APPs,
  • You give full and informed consent to the disclosure having been informed of APP 8 requirements; or
  • We are required by law to disclose the information.

12. Government Identifiers (APP 9)

Capability does not use your government identifiers (e.g. Medicare number, Tax File Number, NDIS number etc.) as its internal identifier. We will not disclose your government identifier unless:

  • It is necessary for us to identify you,
  • It is necessary for us to fulfil its obligations to an agency or State or Territory authority,
  • It is required by law or court/tribunal order,
  • A permitted general situation exists (see s.16A of the Privacy Act); or
  • We believe it is necessary for enforcement (e.g. Police or enforcement authorities).

13. Quality of Personal Information (APP 10)

Capability recognises that handling poor quality personal information can have significant privacy impacts for individuals. We take reasonable steps to ensure that the personal information that we collect, store and use is accurate, up-to-date and complete.

Capability takes maintenance of your personal data seriously and updates personal information within a reasonable timeframe of being advised details have changed, or are incorrect

14. Data Security (APP 11)

Personal information we hold is stored so that it cannot be misused, interfered with or lost. Access control is in place across all systems to ensure only authorised people can access, modify or disclose your personal information.

These steps include security access to our IT network with 2 Factor Authentication (2FA), including databases and digital file locations. Capability also secures paper-based files containing personal information in locked cabinets or locked offices with physical access restrictions. More detail on information security can be found in our policy documents:

  • Access, Security & Controls Policy.
  • Computer Usage Policy.
  • Use of Phones Policy.

15. Access to Personal Information (APP 12)

Capability we give you access to your personal information unless there is a reason under the Privacy Act or any other law not to give access to the information. Grounds for restricting access to your data are:

  • the organisation reasonably believes that giving access would pose a serious threat to the life, health or safety of any individual, or to public health or public safety,
  • giving access would have an unreasonable impact on the privacy of other individuals,
  • the request for access is frivolous or vexatious,
  • the information relates to existing or anticipated legal proceedings between the organisation and the individual, and would not be accessible by the process of discovery in those proceedings,
  • giving access would reveal the intentions of the organisation in relation to negotiations with the individual in such a way as to prejudice those negotiations,
  • giving access would be unlawful
  • denying access is required or authorised by or under an Australian law or a court/tribunal order,
  • the organisation has reason to suspect that unlawful activity, or misconduct of a serious nature, that relates to the organisation’s functions or activities has been, is being or may be engaged in and giving access would be likely to prejudice the taking of appropriate action in relation to the matter
  • giving access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body; or
  • giving access would reveal evaluative information generated within the organisation in connection with a commercially sensitive decision‑making process.

Other than requests for disclosure to a third party, request for access should be referred by
employees to their manager. In the case of release to third parties, the Privacy Officer must approve any release. Responses to a request for access will be provided within a reasonable time frame, determined by the extent of information to be accessed, and will give access in a way that meets both its needs and those of the individual, including the use of a mutually agreed intermediary.

Documents may be provided to your representative(s), provided that the person’s authority to act as agent or authorised representative is verified, for example, where the representative is:

  • A family member, consent is provided by the individual for the said family member to act,
  • Power of Attorney – the document granting the power is provided/sighted,
  • A solicitor – the individual confirms the solicitor has authority to act on their behalf; and
  • the representatives’ identity is verified.

Prior to providing an individual or their representative with access to their personal information,
assessment should be made as to possible breach of privacy for any other individual, or all other names or alternative identifying information should be redacted from the data prior to access.

There is no fee for access to personal information but we may impose a costs-only fee for photocopying or file extraction. 

If we are unable to provide access to the information in the way requested by you, we will take steps to give access in a way that meets everyone’s needs.

Capability will advise you in writing of the reason/s why we have declined a request for access if this is the case.

Further advice or information can be obtained from the Australian Information Commissioner by calling 1300 363 992 or by email: [email protected]

16. Correction of Personal Information (APP 13)

Capability will correct personal information that we hold if:

  • We are satisfied your personal information is inaccurate, out-of-date, incomplete, irrelevant or misleading, having regard to a purpose for which it is held; or
  • You request we correct the personal information.

When asked to correct personal information, we will respond to the request in a reasonable time. There are no fees or charges for correcting personal information.

If we refuse or are unable to comply with a request to correct personal information, we will give you written notice advising why we are unable to comply with the request

17. Exemptions

The Privacy Act does not apply to employee records if they are used purely for employment-related purposes. This includes records of employee engagement, health, training, disciplining, termination, performance, conduct work hours, salary, trade union memberships and leave records.

The information gathered during recruitment processes are not covered by the employee record exemption and are covered by the principles of this policy.

Regardless of this exemption, we treat employee records in the same way as we deal with any other private information as covered by this document, except for access to confidential performance related records.

18. Children

The Privacy Act does not specify an age after which individuals can make their own privacy decisions. Capability will determine on a case-by-case basis whether an individual under the age of 18 has the capacity to consent.

We will assess a child’s capacity to consent based on whether they have sufficient understanding and maturity to understand what is being proposed. In some circumstances, it may be appropriate for a parent or guardian to consent on behalf of a young person, for example, if the child is young or lacks the maturity or understanding to do so themselves.

Notwithstanding the above, an individual aged under 15 is presumed not to have capacity to consent and we will take additional steps to confirm capacity.

19. Privacy Impact Assessments

Any project that involves the collection, handling, storage or sharing of information should be
subject to a privacy impact assessment before any substantive work is completed. Privacy impact assessments demonstrate to the Board of Directors:

  • The flow of personal information in a project,
  • The possible impacts on an individuals’ privacy,
  • Recommended options for mitigating or avoiding identified negative privacy impacts,
  • How build privacy considerations are built into the design of a project; and
  • How the project’s goals are achieved while considering the compliance with the Australian Privacy Principles and strengthening our privacy position

20. Complaints and Enquiries

If you have a complaint in relation to privacy, it should be made in writing, directed to, Privacy
Officer via [email protected].

You should expect an acknowledgement within 48 hours of the complaint or concern being received and you will be advised of how your complaint or concern will be dealt with.

Your complaint or concern will be investigated by the Privacy Officer in consultation with the senior management team. You will receive written advice within 28 days of our response to your concern or complaint, or advice if further information is required.
If the response is not acceptable to you, we may suggest conciliation or arbitration on the matter.

You may also make a formal complaint to the Australian Information Commissioner by calling 1300 363 992 or by email: [email protected].

21. Linked Documents

CAP029 – Computer Usage Policy
CAP022 – Use of Phones
CAP010 – Privacy, Confidentiality and Dignity


Capital Capability Support
[email protected]
ABN 63 668 733 220

Document Control

Date Version Revision Description
Created Policy/Procedure
Approved by Board of Directors

Get in touch

Need to ask a question, or just want to chat to a friendly Capability Support staff member? Fill in the contact sheet below!

How else can we help?​

Read more about our Supervision Framework

To ensure we have the best team and are constantly improving, we ensure staff meet specific pre-screening requirements such as appropriate qualifications, pass comprehensive background checks, and extensive training and supervision in their roles. Capability has a very firm Supervision Framework to empower and develop Staff Members to deliver high-quality support services. All Staff Members have customised supervision and individual development plans to ensure continuous improvement at Capability.

Every Capability Support staff member undertakes an extensive induction session with the Directors and Management, guiding the importance of our core values and missions and setting clear expectations.


Capability’s team have extensive industry experience in Community Services. Their collective experience inspired the beginning of Capability Support with the fundamental ethos that we can do better for the community.