Privacy Policy

This Part is written for participants, their families, referrers and visitors to our website. It explains, in plain English, how Lift Health Group collects, uses, stores and shares personal information, and what rights you have. It is the version of this policy published at www.lifthealthgroup.com.au/privacy.

A1. About Lift Health Group

Lift Health Group Pty Ltd (ABN to be inserted; ‘Lift’, ‘we’, ‘us’ or ‘our’) is a South Australian allied health provider registered with the NDIS Quality and Safeguards Commission. We deliver occupational therapy, speech pathology, physiotherapy and assistive technology services to participants across South Australia through a combination of in-clinic, telehealth and fly-in-fly-out (FIFO) services departing from Adelaide Airport.

Our head office is at 1/148 Greenhill Road, Parkside SA 5063. You can reach us on 1300 082 599 or at [email protected].

A2. Our commitment

We take your privacy seriously. As a health provider and NDIS-registered organisation, we hold information that is deeply personal. We are committed to handling it lawfully, carefully and only for the purposes you would reasonably expect.

We comply with the Privacy Act 1988 (Cth), including the thirteen Australian Privacy Principles (APPs), the Notifiable Data Breaches scheme, the My Health Records Act 2012 (Cth) to the extent we interact with it, the Spam Act 2003 (Cth), the Surveillance Devices Act 2016 (SA), the NDIS Code of Conduct and the NDIS Practice Standards. Where our common-law duty of confidence to you exceeds these statutory requirements, we apply the higher standard.

If you feel your privacy has not been respected, please tell us. You can contact our Privacy Officer at [email protected]. You also have the right to take your concern directly to the Office of the Australian Information Commissioner – see Section A17.

A3. What information we collect

The information we collect depends on how you interact with us. It may include:

A3.1 Personal information

Your full name, date of birth, address, phone number and email address.
Emergency contact information and, where applicable, the details of a parent, guardian, nominee or plan manager.
Cultural background and language preferences, where you choose to share these to help us provide culturally-appropriate supports.
Identifiers such as NDIS participant number and Medicare number, where relevant to your care.

A3.2 Health information

Health information is treated as sensitive information under the Privacy Act and receives the highest level of protection. We collect only what is necessary to provide safe, effective supports. This may include:

Clinical history, diagnoses, functional assessments and therapy goals.
Progress notes, assessment outcomes and reports prepared by Lift clinicians.
Information shared by your GP, treating specialists, previous or concurrent therapy providers, and support coordinators, with your consent.
Medication, allergy, incident and risk information relevant to your safe participation in services.

A3.3 NDIS and funding information

Details of your NDIS plan, plan manager and plan reviews relevant to funded supports.
Service agreements, quotes and service bookings.
Billing and claim records.

A3.4 Technical and website information

Device and browser information, IP address and usage data when you visit www.lifthealthgroup.com.au.
Enquiry information you submit through our website forms.
Cookie and analytics data – see Section A14.

A3.5 Information about workers and job applicants

If you apply for a role with Lift, we collect information necessary to assess your application: your resume, qualifications, references, work rights and – at the appropriate stage of recruitment – NDIS Worker Screening Check and Working with Children Check status. Section B5 explains how we handle worker information once you join us.

A4. How we collect your information

We collect information in the following ways:

Directly from you, when you speak with us, complete a consent form or service agreement, attend an appointment, fill in a form on our website, or email us.
From a parent, guardian, nominee, support coordinator or plan manager acting on your behalf, with your authority.
From your other health or community providers (GPs, specialists, schools, NDIS support workers, allied health colleagues), with your consent.
From the National Disability Insurance Agency (NDIA) and from NDIS plan managers, where relevant to billing and service delivery.
From publicly available sources, very occasionally, to verify information you have provided.

Wherever practicable, we collect information directly from you. If we need to collect from someone else, we will tell you, unless that would be unreasonable or impracticable in the circumstances.

A5. Why we collect, hold, use and disclose your information

We collect and use your information for clearly-defined purposes, known as the primary purpose and related secondary purposes. Our primary purpose is to provide you with safe, effective and appropriately-documented allied health supports. Secondary purposes, which we will use or disclose your information for only where permitted by law or with your consent, include:

Communicating with you and the people you have authorised (family, plan managers, support coordinators, referrers).
Managing your bookings, service agreements, invoices and records.
Coordinating care with other health and community providers involved in your supports.
Reporting to the NDIA or plan manager for funding or audit purposes.
Meeting our legal obligations, including mandatory reporting, reportable incident notification, complaints, and subpoenas or court orders.
Internal clinical governance – supervision, note audits, continuing professional development, and quality improvement – which is always performed within Lift and by staff bound by confidentiality.
Deidentified quality improvement, research and reporting, where your information is aggregated and cannot reasonably be used to identify you.
Responding to feedback and complaints you raise with us.

We will not use your information for unrelated secondary purposes without your consent, except where the Privacy Act expressly allows or requires.

A6. Who we share your information with

We share your information only with those who need it to deliver your supports, or where we are required to by law. The categories are:

Lift staff and contracted clinicians involved in your care, each bound by confidentiality and working to role-based access controls.
Other health and community providers involved in your care, with your consent and through a written Consent to Exchange Information.
Your plan manager or NDIA, for authorised billing and funding purposes.
Our secure technology providers (known as ‘subprocessors’) who host and help us operate our systems – see Appendix 2 for the current list.
Our professional advisers (legal, insurance, audit) where necessary and on a confidential basis.
Regulators or emergency services, where required by law or where we reasonably believe the disclosure is necessary to prevent a serious threat to life, health or safety.

We do not sell your information. We do not disclose your information to marketing companies or third parties unconnected with your care.

A7. Overseas disclosure

Some of our technology providers are based overseas, or store data on cloud infrastructure located outside Australia. Where this is the case we take reasonable steps to ensure those providers handle personal information to a standard consistent with the Australian Privacy Principles. The current list is set out in Appendix 2, noting where the data is stored.

We do not disclose personal information to overseas recipients other than through these contracted technology providers and their affiliates.

A8. How we store and secure your information

Your information is stored in encrypted form within Splose (our clinical practice management system), Microsoft 365 (SharePoint and Outlook), and Employment Hero (for employment-related records). Paper records, where they exist, are limited and stored in locked cabinets at our Parkside office.

Our technical and organisational safeguards include:

Multi-factor authentication on every LHG subscription account.
Role-based access – staff only see information they need to do their job.
Encryption at rest and in transit for electronic records.
Annual Cyber Wardens training for all staff, with Healthcare Foundations content.
Documented processes for starter, mover and leaver access changes.
Continuous monitoring for suspicious activity and regular access reviews.
Physical security of the Parkside office, including locked storage and a visitor sign-in protocol.

A9. How long we keep your information

We keep your information for as long as we need it to provide supports to you, and for as long as we are required to by law. Specific retention periods are set out in Appendix 3. In summary:

Clinical health records for adult participants are retained for a minimum of seven (7) years after the last occasion of service.
Clinical records for participants who were children when the record was created are retained until the participant reaches twenty-five (25) years of age, or seven (7) years after the last service, whichever is longer.
Employment records are retained for a minimum of seven (7) years after the worker’s departure, as required under the Fair Work Act 2009 (Cth).
Financial records are retained for seven (7) years.

When information is no longer needed and is not subject to a statutory retention period, it is securely destroyed or de-identified.

A10. Your rights and choices

Under the Privacy Act, and consistent with the NDIS Practice Standards, you have the following rights:

To know what personal information we hold about you and how it is used.
To ask for a copy of your information (Section A11).
To ask us to correct information that is inaccurate, out of date, incomplete or misleading.
To withdraw your consent to a specific use or disclosure, at any time, and we will explain what that means for your supports.
To ask for our communications to you to stop or to change how we contact you.
To raise a concern or complaint (Section A12), including anonymously if you wish.
To ask how your information is handled in any particular circumstance.

A11. Accessing and correcting your information

You can ask for a copy of the personal information we hold about you at any time by contacting our Privacy Officer at [email protected] or on 1300 082 599. We will:

Verify your identity (or the authority of the person making the request on your behalf).
Acknowledge your request within five (5) business days.
Provide the information within thirty (30) calendar days, or explain why we cannot do so in that time.
Provide the information in a form that suits you where reasonably practicable – for example, an electronic copy, or a printed copy in larger font.

There is no charge for making an access request. In limited circumstances – for example, where giving access would pose a serious threat to a person’s life or health, or would unreasonably affect the privacy of another person – we may decline to provide some or all of the information. If we do, we will explain why in writing and tell you how to challenge that decision.

If you think information we hold is incorrect, please tell us. We will correct it promptly, or, if we disagree, we will record your objection alongside the existing record.

A12. Making a complaint

If you have a concern about how we have handled your personal information:

Raise it with us first. Email [email protected] or call 1300 082 599 and ask for the Privacy Officer (Annie Hall, Governance Director). You may also raise it in writing to 1/148 Greenhill Road, Parkside SA 5063.
We will acknowledge your complaint within five (5) business days and aim to provide a substantive response within thirty (30) calendar days. Your complaint is also recorded in our Feedback & Complaints Register.
If you are not satisfied with our response, or you prefer to escalate externally from the outset, you can contact the Office of the Australian Information Commissioner (OAIC) – see Section A17. You can also contact the NDIS Quality and Safeguards Commission.

We will not treat you any differently because you have made a complaint. Raising a concern is your right and it helps us improve.

A13. Data breach response

If an eligible data breach occurs – meaning a breach that is likely to result in serious harm to you – we are required under the Notifiable Data Breaches scheme to tell you and to notify the OAIC. We have an internal Data Breach Response Procedure which sets out how we identify, contain, assess and notify. Section B14 explains how staff are expected to recognise and escalate potential breaches.

In the unlikely event of a data breach that affects you, we will contact you directly where it is practicable to do so, explain what happened, explain what information was involved, explain what we are doing about it, and tell you what steps you can take to protect yourself. Where direct notification is not practicable, we will publish a public statement.

A14. Our website and cookies

When you visit www.lifthealthgroup.com.au we collect limited technical information such as your IP address, the pages you view and the date and time of your visit. We use cookies to improve your experience and analytics tools to understand how the website is used. You can set your browser to refuse cookies; however, some parts of the website may not function as intended.

Any enquiry or contact form you complete on our website is transmitted over an encrypted connection and received through our standard clinical intake process.

A15. Direct marketing

From time to time, we may contact existing participants or referrers with information about our services, events or service updates. We comply with the Spam Act 2003 (Cth) and include a clear unsubscribe option in every marketing communication. You may opt out at any time by replying to a message, emailing [email protected], or calling 1300 082 599.

We do not send marketing messages to people who are not existing participants or contacts, and we never sell or rent marketing lists.

A16. Children and young people

We provide supports to children and young people under the NDIS. Consent arrangements are managed in line with the NDIS Practice Standards and South Australian law. For children and young people without capacity to consent, a parent, guardian or other authorised person consents on their behalf. Where a young person has capacity to consent, we engage them directly. We take additional care with records relating to children, both in how they are handled and how long they are retained (see Section A9 and Appendix 3).

A17. How to contact us

Contact	Detail
Privacy Officer	Annie Hall, Governance Director
Email	[email protected]
General email	[email protected]
Phone	1300 082 599
Postal address	1/148 Greenhill Road, Parkside SA 5063
Website	www.lifthealthgroup.com.au/privacy

If you are not satisfied with our response, you may contact:

External body	Contact
Office of the Australian Information Commissioner (OAIC)	1300 363 992 – www.oaic.gov.au – GPO Box 5288 Sydney NSW 2001
NDIS Quality and Safeguards Commission	1800 035 544 – www.ndiscommission.gov.au
Health and Community Services Complaints Commissioner (SA)	1800 232 007 – www.hcscc.sa.gov.au