Privacy and the NDIS

The recent discovery of a security flaw in the NDIS portal which allowed “fraudulent operators” to guess the nine digit plan number of participants and to steal money from their plans, is a very serious flaw. The NDIA now requires in addition to the NDIS number the participants date of birth and surname when accessing plans. This isn’t really much of a solution as obtaining an NDIS number along with other personal information is not that difficult. NDIS clients have even been posting their personal information to social media including scanned copies of letters from the NDIS.

If you are an NDIS client there are a number of ways to protect your personal information. Most importantly do not post scanned copies of documents from the NDIS on social media, this gives any potential bad operator enough information to steal from your plan.

Your date of birth is one of the most important pieces of identifying information about you. Everyone seems to ask for it yet there is very little need for it. Sure it's nice to have on facebook so your friends know when your birthday is. It is often seen on resumes when just your age would do. Try to limit where you share your birthdate if possible.

While the NDIS is burdening providers with expensive compliance procedures such as third party verification that have questionable value, it seems the NDIA is having difficulty providing a basic level of privacy for NDIS participants. Unfortunately laws in Australia regarding the privacy of health information are dated, and far behind many other countries. The NDIS Quality and Safeguarding Framework say very little about the protection of client information. In the US the Health Insurance Portability and Accountability Act, also known as HIPAA, was passed in 1996. It provided rules and regulations regarding the privacy of health information, that many Australian organisations today would have trouble adhering to.

The NDIS affects the lives of many vulnerable people who may not understand the best ways to protect themselves from breaches of their privacy. Therefore the onus is on government and disability services to protect the privacy of NDIS participants. This will require better standards for the storage and accessing of personal  information.