Acknowledgment of Privacy Policy
ALL OF ABOVE SHOULD BE EMAILED TO ADMIN@XYSTON.COM.AU AND SHOULDN’T BE STALLED ON ANYTHING DUE TO MEDICAL DISCLOSURE AND RELATED PRIVACY ACTS.
ABN: 84 641 527 433
Effective Date: Wednesday, 16 October 2024
This Privacy Policy governs the collection, use, disclosure, storage, and protection of personal and sensitive
information by Xyston Pty Ltd (referred to as “the Company,” “we,” or “us”). As a service provider registered
under the National Disability Insurance Scheme (NDIS) framework, the Company complies with the Privacy
Act 1988 (Cth) and the Australian Privacy Principles (APPs).
By accessing our services, platforms, or website, you agree to the terms of this Privacy Policy. If you do not
agree with these terms, please cease using our services. This Policy is binding on participants, authorised
representatives, employees, contractors, and any third parties engaged with the Company.
1. Collection of Personal and Sensitive Information
1.1 Types of Information Collected
We collect and process personal information relevant to the provision of NDIS services and for compliance with
legal, regulatory, and operational obligations. The following categories of personal information may be
collected:
• Identifying Data: Information necessary to establish identity and facilitate service delivery, including but
not limited to:
o Full name
o Contact information (e.g., phone number, email address, physical address)
o Date of birth
o NDIS number and other government-issued identifiers
• Health and Medical Information: Records essential for individual care planning, service provision, and
compliance with NDIS obligations, including:
o Health conditions, diagnoses, and disabilities
o Treatment history, medications, and therapy plans
o Medical and psychological assessments
• Behavioural and Incident Data: Information related to the management of participant behaviours and
safety, such as:
o Behaviour support plans and incident reports
o Risk assessments and safety management strategies
o Records of behavioural escalations and staff interventions
• Service History and Preferences: Data collected to monitor service quality and participant satisfaction,
including:
o Appointment history and interaction records
o Service preferences and specific participant requests
o Progress notes and feedback from support staff
All personal information collected is relevant, accurate, and limited to what is necessary for the delivery of
services, in accordance with the principle of data minimisation under the APPs.
1.2 Sources of Information
The personal information we collect may be sourced from:
• The Participant or their Authorised Representative: This may include the participant themselves, a
legal guardian, family member, or another representative authorised to act on the participant’s behalf.
• Healthcare Professionals or Third-Party Service Providers: Information may be obtained from
medical professionals, allied health practitioners, or other service providers involved in the participant’s
care or service delivery.
• Regulatory or Government Authorities: Where required by law, information may be collected from
agencies such as the NDIS Commission, the Department of Health, or law enforcement bodies to
comply with statutory obligations.
The Company will always endeavour to collect information directly from the participant or their authorised
representative unless it is unreasonable or impractical to do so. Where information is collected from third parties,
we will take reasonable steps to notify the participant of the collection and purpose, unless otherwise required
by law.
1.3 Impact of Refusal to Provide Information
Participants are required to provide accurate and complete personal information to ensure the effective delivery
of services. Failure to provide the necessary information may impair the Company’s ability to provide services
and may result in:
• Service Limitations: The inability to offer certain services or deliver them effectively.
• Suspension or Termination of Services: Where essential information required to meet regulatory,
safety, or service obligations is withheld or incomplete, the Company may suspend or terminate the
provision of services, in accordance with our service agreements.
Participants acknowledge that withholding or refusing to provide information may compromise safety or
violate NDIS compliance requirements. In such cases, the Company shall not be liable for any adverse
consequences arising from the failure to provide requested information.
1.4 Accuracy, Updates, and Participant Responsibility
Participants or their authorised representatives are responsible for:
• Ensuring the accuracy and completeness of personal information provided to the Company.
• Notifying the Company promptly of any changes in their information, such as updated contact details,
health conditions, or service requirements.
The Company reserves the right to periodically verify the accuracy of information provided to maintain data
integrity and ensure the ongoing delivery of services. Failure to update information may result in service
disruptions for which the Company is not liable.
1.5 Legal Basis for Collection and Consent Requirements
Personal information is collected and processed under the following legal bases:
• Participant Consent: Where services require personal information for care plans, behavioural support,
or participant interactions, the participant or their authorised representative must provide informed
consent.
• Legal Obligations: The Company may collect, use, or disclose personal information without consent
where required by law or to comply with regulatory obligations, including NDIS Commission reporting
requirements and mandatory reporting laws.
Where consent is required, participants may withdraw consent at any time by providing written notice. However,
participants acknowledge that withdrawal of consent may impact the Company’s ability to provide services, and
the Company reserves the right to terminate services where continued service provision is not feasible
without necessary information.
1.6 Indemnity and Liability for Non-Disclosure or Inaccurate Information
By engaging with the Company, participants or their authorised representatives agree to indemnify and hold
Xyston Pty Ltd harmless from any liabilities, claims, or damages arising from:
• Failure to disclose essential information necessary for the delivery of services.
• Provision of inaccurate or incomplete information, resulting in service disruptions, safety risks, or
regulatory non-compliance.
• Consequences arising from the lawful collection, use, or disclosure of personal information as
outlined in this policy.
The Company shall not be held responsible for any adverse outcomes resulting from the participant’s failure to
provide accurate and timely information necessary for service delivery or compliance with NDIS obligations.
1.7 Privacy Safeguards for Third-Party Data Sharing
The Company will take reasonable steps to ensure third-party providers comply with privacy obligations when
personal information is shared with healthcare professionals, allied health providers, or other service providers
involved in the participant’s care. However:
• The Company cannot guarantee the privacy practices or data security measures of third-party
providers.
• Participants acknowledge and agree that the Company shall not be liable for any breaches, misuse,
or unauthorised disclosures of personal information by third parties who lawfully receive such
information.
Participants are encouraged to review the privacy policies of any third-party providers engaged in their care to
understand how their personal information is managed.
1.8 Amendments and Updates to the Policy
This Collection of Personal and Sensitive Information Policy may be amended from time to time to reflect
changes in legal requirements, NDIS guidelines, or operational practices. Participants will be notified of
significant changes via email, website notice, or other appropriate channels. Continued use of services after
such amendments constitutes acceptance of the revised policy.
Participants may request a copy of the latest version of the policy at any time. Failure to seek clarification of
amendments does not invalidate the participant’s agreement to the terms of this policy.
2. Use and Disclosure of Information
2.1 Purpose of Use
We collect and use personal and sensitive information strictly for the purposes necessary to deliver services and
fulfil legal, regulatory, and operational obligations. The Company limits the use of personal data to what is
reasonably necessary, aligned with the principle of purpose limitation. Specifically, the personal information
collected will be used to:
• Deliver and coordinate NDIS services:
o Develop and implement individualised care plans, behaviour management strategies, and
support services tailored to the participant’s needs.
o Monitor participant progress and ensure the effectiveness of provided services.
• Develop and maintain behaviour support plans and risk management strategies:
o Ensure participant safety and minimise the risk of harm to the participant, staff, and the
community.
• Meet legal and regulatory obligations, including:
o Incident reporting to the NDIS Quality and Safeguards Commission.
o Mandatory notifications to government agencies, law enforcement, or healthcare providers,
as required by law.
o Ensuring compliance with privacy laws, including the Privacy Act 1988 (Cth) and Australian
Privacy Principles (APPs).
• Improve service delivery and operational efficiency by:
o Conducting internal reviews, audits, and quality assessments.
o Analysing trends to improve participant outcomes and operational practices.
We do not use personal information for any purpose beyond what is reasonably necessary for service delivery
and legal compliance without obtaining informed consent from the participant or their authorised representative,
unless required or authorised by law.
2.2 Disclosure to Third Parties
We may disclose personal and sensitive information to authorised third parties as required to fulfil the purposes
outlined above. All disclosures are made with appropriate confidentiality measures and in compliance with
legal and contractual obligations. Specifically, the Company may disclose personal information to:
• Healthcare Providers, Support Coordinators, and NDIS Representatives:
o To coordinate and manage participant care and service delivery.
o To obtain assessments, recommendations, or reports essential for service planning.
• Third-Party Service Providers (e.g., IT providers, cloud storage services, or data processors):
o These providers assist with the secure management of personal data and operational
processes.
o All third-party providers are engaged under confidentiality agreements that require
compliance with the Company’s privacy and security obligations.
• Government Agencies, Law Enforcement, and Regulatory Authorities:
o Where required by law, personal information may be disclosed to the NDIS Commission,
Office of the Australian Information Commissioner (OAIC), or law enforcement agencies
for compliance or enforcement purposes.
o Disclosures to law enforcement are limited to situations where necessary to prevent harm,
investigate criminal activity, or fulfil mandatory reporting obligations.
• Legal Advisors and Insurers:
o In cases of dispute resolution or legal claims, personal information may be disclosed to the
Company’s legal advisors or insurers to ensure compliance and protection of Company
interests.
2.3 Limitations on Disclosure
We are committed to protecting the privacy of personal information. Accordingly:
• Personal information will not be disclosed to unauthorised third parties without the express
consent of the participant or their authorised representative, unless required by law.
• Where disclosures are required by law, the Company will notify the participant or their authorised
representative, unless prohibited by law or operational necessity (e.g., criminal investigations).
• Disclosures for marketing or commercial purposes are strictly prohibited unless explicit, informed
consent is obtained from the participant.
2.4 Confidentiality Safeguards with Third Parties
The Company takes all reasonable steps to ensure that third-party providers comply with privacy and data
protection obligations. This includes:
• Due diligence checks on all external providers before engagement.
• Requiring third-party providers to adhere to strict confidentiality agreements aligned with the Privacy
Act 1988 (Cth) and APPs.
• Monitoring and auditing the data management practices of third-party providers to ensure continued
compliance.
While the Company takes reasonable steps to protect data, participants acknowledge that Xyston Pty Ltd is not
liable for privacy breaches or misuse of personal data by third parties acting outside the scope of their
agreements or legal obligations.
2.5 Disclosures without Consent
The Company may disclose personal information without obtaining prior consent in circumstances where:
• Disclosure is required by law, including compliance with NDIS Commission obligations or law
enforcement investigations.
• Immediate disclosure is necessary to prevent or mitigate a serious threat to the health, safety, or well-being of the participant, staff, or the public.
• Disclosures are required under mandatory reporting laws (e.g., reporting abuse, neglect, or criminal
activities involving participants).
In such cases, the Company will act in accordance with relevant legal obligations and take all reasonable steps to
limit the scope of the disclosure to what is necessary.
2.6 Participant Rights Regarding Use and Disclosure
Participants or their authorised representatives have the right to:
• Request a record of all third parties to whom their personal information has been disclosed.
• Withdraw consent for non-essential disclosures by providing written notice, subject to the
Company’s ability to provide services effectively and comply with legal requirements.
• Challenge or restrict certain disclosures, where legally permissible, by submitting a written request to
the Company’s Privacy Officer.
Participants acknowledge that withdrawal of consent or restriction on disclosures may limit the scope or
availability of services. In such cases, the Company will not be liable for any disruption to services or negative
outcomes resulting from the participant’s decision.
2.7 Indemnity for Disclosures Made in Good Faith
Participants agree to indemnify and hold harmless Xyston Pty Ltd, its employees, management, and affiliates
against any claims, damages, or liabilities arising from:
• Lawful disclosures made in good faith to comply with legal obligations or prevent harm.
• Disclosures made to third-party providers under the scope of service delivery agreements.
• Participant actions or requests that result in restricted disclosures affecting service delivery or
outcomes.
The Company’s liability for any unauthorised disclosures shall be limited to those resulting from gross
negligence or wilful misconduct on the part of the Company or its employees.
3. External Links and Third-Party Content
3.1 External Links and Limited Control
Our website, platforms, and communications may contain links to external websites or third-party platforms that
are not operated, maintained, or controlled by Xyston Pty Ltd (“the Company”). These links are provided for
convenience and informational purposes only and do not constitute an endorsement or recommendation of
the third-party content, services, or products.
The Company exercises no control over the availability, functionality, security, or content of external websites
or platforms linked through our services. Users access such third-party websites at their own discretion and
risk.
3.2 Disclaimer of Liability for Third-Party Content
We expressly disclaim all responsibility for:
• The content, accuracy, or relevance of information on external sites.
• Privacy practices employed by third parties, including their use of cookies, tracking technologies, or
data collection practices.
• Security measures implemented (or not implemented) by external websites, including potential data
breaches, malware, or other cyber risks.
The Company shall not be liable for any loss, damages, or disruptions (whether direct, indirect, or
consequential) arising from or related to the use of, reliance upon, or interactions with external links or third-party
platforms.
3.3 No Responsibility for Transactions with Third Parties
The Company is not involved in any transactions, agreements, or interactions conducted between users and
third-party websites accessed via our platforms. Any such arrangements are solely between the user and the
third party. Users are responsible for conducting their own due diligence before engaging with third parties and
are encouraged to read and understand the third parties’ privacy policies and terms of service.
3.4 Security and Privacy Risks of Third-Party Links
Users are advised that third-party platforms may employ cookies, tracking pixels, or other technologies that
collect personal information. These practices are governed by the third party’s privacy policy and are beyond
the control of Xyston Pty Ltd.
• We encourage users to review the privacy policies and security practices of any third-party
website they visit before providing personal information.
• Xyston Pty Ltd does not warrant or guarantee the security, functionality, or reliability of any external
site accessed through our platforms.
3.5 Indemnity for Third-Party Risks
By accessing third-party websites or content through links provided on our platforms, users agree to:
• Release and indemnify Xyston Pty Ltd from any claims, liabilities, or damages arising from
interactions with third-party platforms, including but not limited to financial losses, security breaches,
or misuse of personal information.
• Assume full responsibility for any risks or consequences resulting from engaging with third-party
services or providing personal information to external platforms.
3.6 Notification of Broken or Compromised Links
While we strive to provide accurate and functional links, the Company is not liable for broken, outdated, or
compromised links. Users who encounter such issues are encouraged to notify the Company immediately to
allow us to investigate and remove any inappropriate or non-functional links.
4. Cookies, Tracking Technologies, and Analytics
4.1 Use of Cookies and Tracking Technologies
Xyston Pty Ltd (“the Company”) employs cookies, tracking pixels, beacons, and other similar technologies
across its website and platforms to enhance performance, personalise user experience, and analyse site usage.
These tools assist us in delivering high-quality services and maintaining the functionality of our online platforms.
Specifically, the Company uses cookies and tracking technologies for the following purposes:
• Website Functionality and Performance:
o Ensure essential website features function correctly (e.g., login management, page loading).
o Improve the speed, performance, and responsiveness of the website.
• Personalised User Experience:
o Customise content and services based on user preferences and behaviours.
o Recognise returning visitors and provide relevant recommendations.
• Analytics and Usage Tracking:
o Monitor website traffic and usage patterns to identify trends and improve our services.
o Collect anonymous data through tools such as Google Analytics, which track visitor numbers,
duration of visits, and interactions with specific pages.
o Evaluate marketing efforts by measuring engagement with email campaigns or advertisements.
The data collected via these technologies may include IP addresses, browser types, device information, and
referral sources. However, all data collected is anonymised or aggregated to ensure it cannot be used to
identify individual users unless users provide explicit consent otherwise.
4.2 Types of Cookies Used
Our website may use the following categories of cookies:
• Essential Cookies:
Required for basic website functionality. Disabling these cookies may affect the website’s core features,
such as secure login or session management.
• Performance and Analytics Cookies:
Collect anonymised data about website performance and visitor behaviour to optimise user experience.
• Personalisation Cookies:
Store user preferences and settings to deliver tailored content and improve service delivery.
• Third-Party Cookies:
Set by external services (e.g., Google Analytics, social media plugins) to track interactions with
embedded content or advertisements. These third-party services operate under their own privacy
policies, and the Company is not responsible for their data handling practices.
4.3 Managing Cookies and User Consent
Users have the right to manage or disable cookies through their browser settings. This includes the ability to:
• Block or delete specific cookies on their browser.
• Receive notifications before cookies are set, enabling informed decisions about cookie preferences.
• Opt out of certain tracking technologies by enabling the Do Not Track (DNT) setting in their browser or by using tools
provided by the Network Advertising Initiative (NAI) or Google’s opt-out mechanisms for analytics.
Disabling cookies or limiting their use may restrict the functionality of certain features on our website. Users
acknowledge that disabling essential cookies may impair the quality or availability of services provided through
our online platforms.
4.4 Use of Third-Party Analytics Services
The Company uses Google Analytics and similar third-party tools to track, monitor, and analyse website usage.
These services collect anonymised or aggregated data, including IP addresses, geographical locations, and
device types, which help us evaluate and improve user experience.
• Google Analytics cookies may transmit data to servers located outside Australia, and such transfers
are subject to the privacy policies of the relevant third-party service provider.
• Users may opt out of Google Analytics tracking by installing the Google Analytics Opt-Out Browser
Add-On or by adjusting their browser settings.
The Company takes reasonable steps to ensure that all third-party analytics providers comply with applicable
privacy laws. However, we do not control the privacy practices of these third-party providers.
4.5 Consent to Tracking Technologies
By using our website, platforms, or services, users consent to the use of cookies and tracking technologies
as outlined in this policy. If users do not wish to accept cookies, they must adjust their browser settings to block
cookies or discontinue using the website.
For cookies that require explicit user consent under applicable laws, such as cookies used for personalised
advertising, users will be presented with a cookie consent banner upon accessing the website. Users may
choose to accept or reject such cookies at their discretion.
4.6 Data Protection and Security
The Company ensures that data collected through cookies and tracking technologies is processed securely and
in accordance with this Privacy Policy. Anonymised and aggregated data collected via these technologies is
used only for legitimate purposes, such as improving services and analysing user engagement.
All data transmitted to third-party services (e.g., analytics providers) is managed under confidentiality
agreements where applicable, ensuring compliance with the Privacy Act 1988 (Cth) and Australian Privacy
Principles (APPs).
4.7 Indemnity and Limitation of Liability for Third-Party Cookies
Xyston Pty Ltd disclaims responsibility for any loss, damage, or data breach arising from the use of cookies or
tracking technologies employed by third-party providers embedded on our website (e.g., analytics providers,
social media platforms). Users agree to indemnify and hold the Company harmless against any claims
resulting from their interaction with third-party cookies or tracking technologies.
5. Security and Data Protection Measures
5.1 Commitment to Data Security
Xyston Pty Ltd (“the Company”) is committed to safeguarding all personal and sensitive information by
implementing robust security protocols and industry best practices. Our security measures are designed to
protect information from unauthorised access, alteration, disclosure, or destruction. These protocols apply to
both electronic and physical records stored by the Company.
5.2 Key Security Measures Implemented
We employ the following measures to ensure the confidentiality, integrity, and availability of personal data:
• Data Encryption (At Rest and In Transit):
o Personal data is encrypted using industry-standard encryption algorithms to protect it while
being transmitted and when stored on our servers.
o Encryption protects data from interception during transmission over networks, including emails,
internal systems, and cloud services.
• Access Control Protocols:
o Role-based access controls (RBAC) ensure that only authorised personnel have access to
specific categories of personal and sensitive information.
o Regular audits are conducted to review access rights and detect potential vulnerabilities.
o Access is immediately revoked for departing employees or personnel with changed
responsibilities to ensure continued data security.
• Multi-Factor Authentication (MFA):
o Sensitive data and administrative systems are protected by multi-factor authentication (MFA),
requiring multiple forms of verification (e.g., password and mobile authentication code).
o MFA mitigates the risk of unauthorised access, even if login credentials are compromised.
• Network and System Security:
o Firewalls, intrusion detection systems (IDS), and antivirus programs are deployed to monitor
network traffic and prevent unauthorised access or attacks.
o Regular vulnerability assessments and penetration tests are conducted to identify and
mitigate potential threats.
o All data systems and software undergo regular updates and patch management to address
known security vulnerabilities.
• Physical Security Measures:
o Physical access to data storage facilities is restricted to authorised personnel only, with
security surveillance and access logs maintained.
o Hard copies of sensitive information are stored in secure locations and disposed of through
secure shredding services when no longer required.
5.3 Employee Training and Awareness
All employees, contractors, and affiliates undergo mandatory privacy and security training to ensure they
understand their obligations under the Privacy Act 1988 (Cth) and the Company’s internal data protection
policies.
• Employees are required to immediately report any suspected security breaches or vulnerabilities.
• Disciplinary action, including termination, may result from non-compliance with data security protocols
or unauthorised access to personal information.
5.4 Data Anonymisation and Pseudonymisation
Where practical, personal data may be anonymised or pseudonymised to minimise risks in the event of a data
breach. Anonymised data cannot be traced back to an individual and is used for analytics and service
improvements without compromising privacy.
5.5 Third-Party Data Security Obligations
The Company takes reasonable steps to ensure that third-party service providers engaged for data storage,
processing, or other operational services comply with strict data protection standards.
• All third-party providers are subject to confidentiality agreements and must comply with the Privacy
Act 1988 (Cth) and other relevant privacy laws.
• Where personal data is stored on third-party servers or cloud platforms, the Company ensures that
such providers employ state-of-the-art encryption and access controls.
However, while we undertake due diligence in engaging third-party providers, the Company is not liable for
unauthorised breaches or misuse of data by third parties acting outside the scope of their agreements.
5.6 Data Retention and Secure Disposal
The Company retains personal and sensitive data for the duration required by law or for operational purposes, in
accordance with our Data Retention and Disposal Policy.
When data is no longer required, it is securely destroyed or anonymised to prevent unauthorised access or use.
Physical records are shredded and digital records are permanently deleted using industry-approved data
destruction techniques.
5.7 Monitoring, Audits, and Incident Response
To ensure continuous data security, the Company conducts:
• Regular security audits and vulnerability assessments.
• Real-time monitoring of systems and networks to detect suspicious activity.
• Penetration tests to simulate cyber-attacks and identify security weaknesses.
In the event of suspicious activity, an immediate investigation is launched, and appropriate containment actions
are taken to mitigate risks.
5.8 Limitation of Liability for Data Breaches
Despite implementing comprehensive security measures, the Company acknowledges that absolute data
security cannot be guaranteed due to the inherent risks associated with digital technologies and unforeseen
events (e.g., cyber-attacks, force majeure).
Participants acknowledge and agree that:
• The Company is not liable for any unauthorised access, data breach, or data loss resulting from
factors beyond its control, such as sophisticated hacking attempts or malicious third-party actions.
• Force majeure events (including natural disasters, cyber-attacks, and infrastructure failures) may
impact data security despite best efforts, and the Company disclaims liability for such incidents.
5.9 Participant Responsibilities for Security
Participants and users of the Company’s services also have a responsibility to protect their personal data by:
• Using strong passwords and not sharing login credentials.
• Enabling two-factor authentication (2FA) where applicable.
• Immediately reporting any suspicious activity or potential security issues to the Company’s Privacy
Officer.
5.10 Indemnification for Security Breaches Beyond Company Control
Participants and users agree to indemnify and hold harmless Xyston Pty Ltd, its management, employees,
and affiliates from any claims, damages, or liabilities arising from:
• User negligence in securing their accounts, passwords, or devices.
• Third-party security breaches occurring beyond the Company’s control (e.g., breaches involving
external service providers).
• Force majeure events or circumstances where the Company has acted reasonably to safeguard data.
6. Data Breach Response Plan
6.1 Overview
Xyston Pty Ltd (“the Company”) is committed to safeguarding personal and sensitive information. In the event of
a data breach involving personal information, the Company will respond promptly to contain the breach, mitigate
risks, and comply with all applicable laws, including the Privacy Act 1988 (Cth) and the Notifiable Data
Breaches (NDB) Scheme administered by the Office of the Australian Information Commissioner (OAIC).
6.2 Definition of a Data Breach
A data breach occurs when personal information held by the Company is lost, accessed, disclosed, altered, or
destroyed without authorisation, whether intentionally or accidentally. Examples of data breaches include:
• Cyber-attacks, such as hacking, ransomware, or phishing attacks.
• Theft or loss of devices containing personal information (e.g., laptops, USB drives, or documents).
• Accidental disclosure of information to unauthorised recipients (e.g., emails sent to the wrong person).
• Human error or system malfunctions resulting in unauthorised access.
6.3 Immediate Response to a Data Breach
If a data breach is identified or suspected, the following steps will be initiated immediately:
1. Identification and Containment:
o Identify the nature and extent of the breach.
o Contain the breach to prevent further unauthorised access, disclosure, or damage (e.g.,
disable compromised systems, revoke access rights, secure physical records).
2. Preliminary Assessment:
o Assess the scope of the breach, including the type of personal data involved.
o Determine whether the breach poses a risk of serious harm to individuals.
6.4 Notification Requirements under the NDB Scheme
If the data breach is assessed as likely to result in serious harm to individuals, the Company will notify:
• Affected individuals:
o Notification will be provided through email, phone, or written communication, detailing the
nature of the breach, the information involved, and the actions being taken.
o Affected individuals will receive guidance on steps they can take to protect themselves (e.g.,
updating passwords, monitoring accounts).
• Office of the Australian Information Commissioner (OAIC):
o Notification will be provided within 72 hours of becoming aware of the breach, including a
description of the breach, the type of personal data affected, and steps taken to mitigate risks.
If there are legal or operational reasons preventing immediate notification, the Company will notify as soon as
practicable.
6.5 Remediation and Containment Actions
Following containment, the Company will implement measures to remediate the breach and prevent recurrence.
These actions may include:
• Patching vulnerabilities in systems or software.
• Enhancing encryption protocols and security configurations.
• Conducting a root-cause analysis to determine how the breach occurred.
• Retraining employees on data handling and privacy procedures.
The Company will also update internal policies and procedures as necessary to improve security and prevent
future breaches.
6.6 Engagement with Authorities and Legal Advisors
Where the data breach involves criminal activity or significant regulatory implications, the Company will:
• Engage with law enforcement authorities to assist in investigations.
• Consult with legal advisors to ensure compliance with privacy obligations and mitigate legal risks.
The Company may also seek guidance from the OAIC on breach handling, where appropriate.
6.7 Monitoring and Follow-Up
The Company will monitor its systems and operations for any further risks following the breach. A post-breach
review will be conducted to assess the effectiveness of the containment and remediation actions.
The findings will be used to strengthen policies, procedures, and security controls to prevent future
breaches.
6.8 Limitation of Liability and Indemnity
While the Company implements robust security measures, absolute data security cannot be guaranteed.
Xyston Pty Ltd disclaims liability for any losses or damages resulting from:
• Cyber-attacks or other unauthorised actions by third parties beyond the Company’s control.
• Force majeure events, including natural disasters and infrastructure failures.
• Actions or negligence of third-party providers engaged in good faith by the Company.
Participants and users agree to indemnify and hold harmless Xyston Pty Ltd, its officers, employees, and
affiliates from any claims or liabilities arising from third-party breaches or other factors beyond the Company’s
reasonable control.
6.9 Reporting Responsibilities of Employees and Participants
All employees, contractors, and participants must immediately report any suspected or confirmed data
breaches to the Company’s Privacy Officer.
Participants and users are also responsible for monitoring their accounts and taking appropriate steps to protect
their information following a breach, including updating passwords or security settings as recommended by the
Company.
6.10 Record-Keeping and Compliance
The Company will maintain detailed records of:
• All data breaches, including assessments, notifications, and remediation efforts.
• Internal reports documenting the cause of the breach and corrective actions taken.
These records will be retained for auditing purposes and to ensure ongoing compliance with the Privacy Act
1988 (Cth) and the NDB Scheme.
7. Data Retention and Disposal
7.1 Retention Policy
Xyston Pty Ltd (“the Company”) retains personal and sensitive information for only as long as necessary to meet
legal, regulatory, operational, and service delivery obligations. Our retention periods are determined in
accordance with the Privacy Act 1988 (Cth), NDIS Commission Guidelines, and other applicable laws.
The following retention periods apply:
• Health and Medical Records:
Retained for a minimum of seven (7) years following the termination of services or the participant’s last
interaction with the Company, unless a longer period is required by law (e.g., for minors, records must
be kept until seven years after the individual turns 18).
• Incident Reports and Behavioural Data:
Retained in accordance with NDIS guidelines and operational requirements to ensure compliance,
accountability, and participant safety. This data may be kept longer if required for legal, auditing, or
investigative purposes.
• Service Delivery Records (e.g., participant preferences, appointment history):
Retained for seven (7) years following service termination unless required longer for auditing or legal
purposes.
• Employee and Contractor Records:
Retained for a minimum period consistent with employment law requirements and Company policies,
typically seven (7) years after employment ceases.
7.2 Secure Disposal of Information
The Company is committed to securely disposing of personal and sensitive information once it is no longer
required. Secure disposal ensures that data is permanently destroyed or anonymised, reducing the risk of
unauthorised access, misuse, or disclosure.
Methods of Disposal
• Digital Data:
o All electronic records and files are deleted using secure deletion methods to ensure they
cannot be recovered (e.g., software-based data erasure tools).
o Cloud storage providers are required to comply with secure deletion protocols when
managing the Company’s data.
• Physical Records:
o Hard copies of personal information (e.g., medical records, incident reports) are destroyed
using industrial-grade shredding services.
o Disposal logs are maintained to record the secure destruction of physical records.
• Anonymisation:
o In cases where data may still hold value for research or operational analysis, it will be
anonymised or de-identified so that individuals can no longer be identified.
7.3 Record of Disposal and Auditing
The Company maintains detailed records of all data disposal activities, including:
• Dates of disposal for both physical and digital records.
• Method of disposal (e.g., shredding, secure deletion).
• Third-party service providers involved in secure disposal (e.g., external shredding companies).
These records are subject to internal and external audits to ensure compliance with privacy laws and NDIS
standards.
7.4 Legal and Operational Exceptions
In certain circumstances, the Company may be legally required to retain information beyond the standard
retention periods, including:
• Ongoing legal proceedings or investigations requiring the preservation of records.
• Regulatory audits or reviews initiated by the NDIS Commission or other government bodies.
Where retention is extended beyond the standard period, the Company will take appropriate steps to ensure the
continued security and confidentiality of the data.
7.5 Participant and User Rights
Participants or their authorised representatives may request:
• Information about the status of their records and retention periods applicable to their data.
• Early disposal or deletion of personal information where legally permissible. However, participants
acknowledge that certain records may need to be retained to comply with legal and regulatory
obligations.
If a request for early deletion cannot be accommodated, the Company will provide a written explanation
detailing the reasons.
7.6 Indemnity for Secure Disposal by Third-Party Providers
The Company engages reputable third-party service providers to assist with the secure disposal of physical
and digital records. While the Company undertakes due diligence to ensure compliance with privacy laws, it
disclaims liability for any unauthorised access or misuse resulting from third-party breaches during disposal.
Participants agree to indemnify and hold harmless Xyston Pty Ltd for any claims arising from third-party
actions beyond the Company’s control.
8. Access, Correction, and Portability of Data
8.1 Overview
Xyston Pty Ltd (“the Company”) recognises the rights of participants and authorised representatives to
access, correct, and request the portability of their personal information in compliance with the Privacy Act 1988
(Cth) and relevant NDIS regulations. The Company is committed to ensuring the accuracy and completeness
of personal data and facilitating access and portability requests where practicable.
8.2 Right to Access Personal Information
Participants or their authorised representatives have the right to access the personal information held by the
Company.
• Access Requests: Requests for access must be submitted in writing to the Privacy Officer (contact
details below).
• Response Time: The Company will respond to access requests within a reasonable time frame,
generally within 30 days of receiving the request, unless an extension is required.
• Form of Access: Information may be provided electronically or in hard copy, depending on the
participant’s preference and the format in which the data is available.
The Company may refuse access to certain information in limited circumstances, such as where:
• Access would unreasonably impact the privacy of others.
• Access is prohibited by law, legal proceedings, or government investigation.
• The request is considered vexatious or frivolous.
Where access is denied, the Company will provide a written explanation outlining the reasons for the refusal
and any available alternatives.
8.3 Right to Request Corrections
Participants or their authorised representatives have the right to request corrections to personal information to
ensure that it is accurate, complete, and up to date.
• Correction Requests: Requests to correct information must be submitted in writing to the Privacy
Officer, including evidence supporting the requested changes.
• Response Time: The Company will respond to correction requests within a reasonable period, typically
within 30 days.
• Notification of Changes: Where personal information has been shared with third parties (e.g., NDIS
representatives), the Company will take reasonable steps to notify them of the correction.
If the Company refuses a correction request, a written explanation will be provided, detailing the reasons for
the refusal and the available dispute resolution options.
8.4 Right to Data Portability
Participants or their authorised representatives may request that their personal information be provided in a
structured, machine-readable format to facilitate data portability. This allows the transfer of personal data to
another service provider or organisation, where feasible.
• Portability Requests: Requests for data portability must be submitted in writing to the Privacy Officer.
• Technical Feasibility: The Company will provide the data in a portable format (e.g., CSV, JSON) where
technically feasible and compliant with privacy laws.
• Limitations on Portability: The right to portability applies only to personal data that the participant
provided directly or authorised for collection. Derived data or proprietary formats used for internal
processes may not be portable.
The Company reserves the right to deny requests for portability where the transfer may compromise privacy,
security, or legal obligations.
8.5 Administrative Fees for Access or Portability Requests
The Company reserves the right to charge a reasonable administrative fee for access or portability requests
that require substantial resources to process.
• Participants will be notified in advance of any applicable fees and given the opportunity to proceed or
withdraw their request.
• The Company ensures that fees are reasonable, transparent, and proportionate to the effort required
to fulfil the request.
8.6 Participant Responsibilities and Accuracy
Participants or their authorised representatives are responsible for:
• Ensuring the accuracy and completeness of the personal information provided to the Company.
• Promptly notifying the Company of any changes to their information to ensure records are kept up to
date.
Failure to provide accurate or current information may impair the Company’s ability to deliver services effectively
and comply with regulatory obligations.
8.7 Dispute Resolution for Access and Correction Requests
If participants are dissatisfied with the outcome of an access, correction, or portability request, they may:
1. Submit a complaint through the Company’s internal complaints process.
2. Escalate the complaint to the Office of the Australian Information Commissioner (OAIC) if the
issue remains unresolved.
Contact details for complaints are provided below.
9. Withdrawal of Consent and Service Implications
9.1 Overview
Participants or their authorised representatives have the right to withdraw consent for the collection, use, or
disclosure of their personal information at any time by providing written notice to the Company’s Privacy Officer.
However, the withdrawal of consent may impact the Company’s ability to deliver essential services and meet
regulatory obligations under the NDIS framework and other applicable laws.
9.2 Process for Withdrawing Consent
Participants or their authorised representatives must submit a written request to withdraw consent, which must
specify the scope of the consent being withdrawn (e.g., specific data collection, use, or third-party disclosure).
Upon receiving the withdrawal request:
1. Acknowledgment of Withdrawal: The Company will acknowledge receipt of the request within seven
(7) business days.
2. Assessment of Service Impact: The Company will assess the impact of the withdrawal on service
delivery and compliance obligations.
3. Confirmation of Changes: Participants will receive a written response confirming how the withdrawal of
consent will be implemented and detailing any implications for service delivery.
9.3 Implications of Withdrawal of Consent
The withdrawal of consent may limit or prevent the provision of services, as certain personal information is
essential for:
• Developing care plans, behaviour support plans, or risk assessments.
• Coordinating services with healthcare providers, NDIS representatives, or other third-party service
providers.
• Complying with regulatory and legal obligations, such as mandatory reporting.
Where the Company determines that the withdrawal of consent affects its ability to provide services effectively or
compromises safety and compliance obligations, the Company reserves the right to:
• Suspend or terminate services until the required consent is reinstated or alternate arrangements are
made.
• Discontinue services permanently, where the absence of consent makes it impracticable to deliver
safe and effective services.
9.4 Service Suspension or Termination
If withdrawal of consent leads to suspension or termination of services:
• Participants will receive written notice specifying the reasons for the suspension or termination.
• The Company will assist with the transition to other service providers, where appropriate and
feasible, to minimise disruption to participants.
Participants acknowledge that the Company is not liable for any adverse consequences resulting from the
withdrawal of consent, including service disruption, delays, or reduced access to care.
9.5 Legal and Regulatory Considerations
In certain circumstances, the Company may be legally required to:
• Retain and use personal information, even after consent is withdrawn, for regulatory reporting,
compliance, or dispute resolution purposes.
• Disclose information to government authorities or law enforcement, where legally mandated,
regardless of the participant’s withdrawal of consent.
Participants acknowledge that withdrawal of consent will not affect information previously collected or
disclosed where such actions were undertaken lawfully and with prior consent.
9.6 Indemnity and Limitation of Liability
Participants or their authorised representatives agree to indemnify and hold harmless Xyston Pty Ltd, its
officers, employees, and affiliates from any claims, damages, or liabilities arising from:
• The withdrawal of consent that limits or prevents the Company from providing services.
• Any adverse outcomes or service disruptions resulting from withholding essential information.
The Company disclaims all liability for consequences beyond its control, including regulatory penalties or non-compliance risks caused by the withdrawal of consent.
9.7 Reinstating Consent
Participants may choose to reinstate consent at any time by submitting a written notice to the Privacy Officer.
The Company will resume services where feasible, subject to operational capacity and regulatory compliance
requirements.
10. Third-Party Providers and Indemnification
10.1 Engagement of Third-Party Providers
Xyston Pty Ltd (“the Company”) engages with third-party service providers to support the delivery of services,
including but not limited to:
• IT and cloud storage providers for secure data management.
• Healthcare professionals and allied health providers involved in participant care.
• External consultants or contractors assisting with service delivery or compliance.
The Company takes reasonable steps to ensure that third-party providers comply with their privacy
obligations under the Privacy Act 1988 (Cth), Australian Privacy Principles (APPs), and other applicable laws.
All third-party providers are required to sign confidentiality agreements and adhere to the Company’s data
handling standards.
10.2 Limitations on Liability for Third-Party Actions
Despite taking reasonable precautions, the Company cannot guarantee the actions, security practices, or
privacy compliance of third-party providers. Once personal information is lawfully disclosed to a third party
under these agreements, the Company disclaims responsibility for any:
• Privacy breaches, unauthorised access, or misuse of data by third-party providers.
• Loss, theft, or compromise of information resulting from the third party’s actions or negligence.
Participants acknowledge that interactions with third-party providers are governed by the respective
provider’s privacy policies, which may differ from the Company’s policies.
10.3 Indemnification Clause
Participants or their authorised representatives agree to indemnify, defend, and hold harmless Xyston Pty
Ltd, its officers, employees, and affiliates from and against any and all claims, liabilities, damages, losses,
or expenses (including legal fees) arising from:
• Privacy breaches or security incidents involving third-party providers acting outside the Company’s
control.
• Actions, omissions, or negligence of third-party providers engaged to assist with service delivery.
• Participant’s direct engagement or interaction with third-party providers without the Company’s
supervision or coordination.
This indemnity applies unless the breach or loss is caused by gross negligence or wilful misconduct on the
part of Xyston Pty Ltd.
10.4 Monitoring and Auditing of Third-Party Providers
The Company conducts regular monitoring and audits of third-party providers to ensure ongoing compliance
with privacy obligations. However, participants acknowledge that:
• Auditing capabilities may be limited by the operational control or jurisdiction of the third-party
provider.
• The Company’s liability for third-party providers is limited to reasonable efforts made to select, engage,
and monitor these providers.
10.5 Third-Party Data Transfers and Storage
Where personal information is transferred to or stored with third-party providers, the Company ensures that:
• Data transfer agreements are in place, including compliance with Standard Contractual Clauses
(SCCs) where required.
• Third-party providers implement appropriate encryption, access controls, and monitoring systems
to protect data.
However, the Company disclaims liability for data breaches or losses caused by infrastructure failures, cyber-attacks, or force majeure events affecting third-party systems.
10.6 Notification of Third-Party Privacy Breaches
In the event that a third-party provider experiences a privacy breach involving personal information provided by
the Company:
• The Company will notify affected participants as soon as it becomes aware of the breach, detailing
the nature of the breach and any actions taken.
• The Company will work with the third-party provider to contain the breach and minimise further impact.
• Affected participants will be provided with guidance on how to protect themselves from any potential
harm.
10.7 Participant Responsibilities in Third-Party Interactions
Participants are responsible for:
• Reviewing the privacy policies and terms of service of third-party providers with whom they interact.
• Ensuring that personal information is only disclosed to authorised third parties when necessary.
• Reporting any privacy concerns or suspected breaches involving third-party providers to the
Company’s Privacy Officer.
11. Children’s Privacy
11.1 Overview
Xyston Pty Ltd (“the Company”) provides services to individuals of all ages, including minors under the age of
18, in accordance with the Privacy Act 1988 (Cth) and the National Disability Insurance Scheme (NDIS)
framework. We are committed to safeguarding the privacy of minors by ensuring that their personal information
is collected, stored, and used in compliance with strict privacy and child protection standards.
11.2 Parental or Guardian Consent
For participants under the age of 18, parental or guardian consent is required before personal or sensitive
information is collected, used, or disclosed, except where:
• Emergency care is required to protect the health, safety, or well-being of the child.
• Legal or statutory obligations require the collection or disclosure of information without prior consent
(e.g., mandatory reporting of child abuse or neglect).
The parent or guardian must provide informed consent on behalf of the minor, and the Company will take
reasonable steps to verify the authority of the parent or guardian.
11.3 Collection and Use of Children’s Information
The personal information collected about minors may include:
• Identifying data: Name, date of birth, contact information, and NDIS participant number.
• Health and medical information: Medical history, diagnoses, treatment plans, and therapy details.
• Behavioural and incident data: Behaviour support plans, incident reports, and risk assessments.
• Service delivery records: Appointments, progress notes, and feedback relevant to the participant’s
care.
This information is used solely to:
• Develop care plans and behaviour support strategies specific to the minor’s needs.
• Coordinate services with healthcare providers, support workers, and the NDIS.
• Ensure the safety and well-being of the minor, both within the Company’s care and in the community.
11.4 Sharing of Children’s Information
The personal information of minors may be shared with:
• Parents or legal guardians, unless the minor has the capacity to make their own privacy decisions in
accordance with relevant laws.
• Healthcare providers, allied health professionals, and NDIS representatives involved in the
participant’s care.
• Government agencies or law enforcement authorities where required by law (e.g., child protection
services or in compliance with mandatory reporting obligations).
The Company will ensure that only authorised personnel and service providers have access to the minor’s
information, and that data is shared in a manner that respects the child’s privacy.
11.5 Minor’s Capacity to Consent
Where a minor has the maturity and understanding to make informed decisions about their personal
information, they may be permitted to:
• Provide their own consent for the collection, use, and disclosure of their personal information.
• Manage their privacy settings and access their personal data directly, subject to relevant laws and the
Company’s assessment of their capacity.
The Company will make these determinations on a case-by-case basis, considering the minor’s age, maturity,
and circumstances.
11.6 Deletion of Unauthorised Information
If the Company becomes aware that personal information of a minor has been collected without the necessary
consent, it will:
1. Investigate the circumstances surrounding the collection of the information.
2. Delete or de-identify the information unless it is required to be retained under legal or regulatory
obligations.
3. Notify the parent, guardian, or the minor (if appropriate) regarding the unauthorised collection and
actions taken.
11.7 Security of Children’s Data
The Company applies enhanced security measures to protect personal information collected from minors.
These measures include:
• Restricted access to children’s data, limited only to authorised staff and service providers.
• Encryption and secure storage of sensitive information.
• Regular audits and monitoring to ensure compliance with child privacy requirements.
11.8 Indemnity and Limitation of Liability
The Company takes all reasonable steps to ensure the accuracy, security, and proper handling of children’s
personal information. However, participants and their guardians agree to indemnify and hold harmless Xyston
Pty Ltd from any claims, liabilities, or damages arising from:
• Errors or omissions in the information provided by the parent, guardian, or minor.
• Unauthorised disclosure or use of the minor’s personal data by third-party service providers beyond
the Company’s control.
• Actions or negligence of the parent, guardian, or minor in managing their privacy rights or interactions
with external providers.
12. International Data Transfers
12.1 Overview
Xyston Pty Ltd (“the Company”) may transfer and store personal data on servers located outside of Australia
as part of its operations. This includes the use of cloud service providers and third-party vendors with
international infrastructure. The Company ensures that all international data transfers comply with Australian
privacy laws, including the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), and that
appropriate safeguards are implemented to protect the privacy and security of personal information.
12.2 Circumstances Requiring International Data Transfers
International data transfers may occur under the following circumstances:
• Cloud-based storage solutions or platforms with data centres outside Australia.
• Third-party service providers engaged to assist with IT support, analytics, or data processing.
• Backups and disaster recovery services hosted on international servers.
• International collaboration with external consultants or healthcare providers involved in the
participant’s care.
12.3 Legal Basis for International Transfers
All international data transfers will be conducted under one of the following legal bases:
• Informed consent from the participant or authorised representative, where required.
• Compliance with contractual obligations (e.g., using third-party providers essential to service
delivery).
• Legal and regulatory requirements, where data must be transferred to international bodies for
compliance or investigation.
12.4 Safeguards for International Data Transfers
The Company ensures that appropriate safeguards are in place for all data transferred outside Australia,
including:
• Standard Contractual Clauses (SCCs) or equivalent agreements where the receiving country’s privacy
laws are not deemed adequate by Australian standards.
• Data encryption during transfer and storage to prevent unauthorised access.
• Restricted access protocols to ensure only authorised personnel can access personal data.
• Monitoring and auditing of third-party providers to ensure compliance with privacy obligations.
12.5 International Service Providers and Third Parties
The Company only engages reputable service providers that demonstrate compliance with international
privacy frameworks, such as:
• The General Data Protection Regulation (GDPR) in the European Union.
• The California Consumer Privacy Act (CCPA) in the United States (where relevant).
All providers must agree to confidentiality agreements and data protection clauses that align with Australian
privacy laws.
12.6 Participant Rights and Consent for International Transfers
Participants or their authorised representatives will be informed when personal data is transferred internationally.
Where explicit consent is required, participants will have the opportunity to:
• Provide or withhold consent before their data is transferred outside Australia.
• Withdraw consent for international transfers by submitting a written request to the Privacy Officer,
provided that such withdrawal does not compromise the delivery of essential services or regulatory
compliance.
If a participant declines or withdraws consent, the Company will explore alternative solutions. However,
participants acknowledge that certain services may be limited or unavailable without international data
transfer.
12.7 Risk Management for International Transfers
While the Company takes reasonable steps to ensure the security of internationally transferred data, participants
acknowledge that:
• Foreign jurisdictions may have different privacy laws and enforcement mechanisms that are not
identical to Australian privacy standards.
• The Company is not liable for unforeseen events, such as data breaches or cyber-attacks, occurring
within the infrastructure of third-party international service providers, provided that the Company
exercised due diligence in engaging these providers.
12.8 Monitoring and Compliance
The Company will monitor compliance with all international data transfer agreements and conduct periodic
reviews of third-party providers to ensure ongoing adherence to privacy obligations. Any breach or non-compliance by an international provider will be managed under the Company’s Data Breach Response Plan.
13. Automated Decision-Making and Profiling
13.1 Overview
Xyston Pty Ltd (“the Company”) is committed to ensuring that all decisions related to participant care and
service delivery are made transparently, with appropriate human oversight and consideration. As part of this
commitment, the Company does not engage in automated decision-making or profiling that could adversely
affect participants’ rights, interests, or access to services.
This policy aligns with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) to ensure fair,
transparent, and accountable decision-making in all areas of service delivery.
13.2 Definition of Automated Decision-Making and Profiling
• Automated Decision-Making refers to decisions made entirely by automated systems or algorithms
without human involvement. Such decisions could include the automated approval, denial, or
modification of services based on pre-set criteria.
• Profiling involves the analysis of personal data to assess specific characteristics, such as behaviour,
preferences, or health conditions, which could influence decisions regarding services or interactions with
participants.
13.3 Use of Technology with Human Oversight
The Company uses technology and data analytics tools to enhance operational efficiency, but all critical
decisions regarding service delivery, care plans, and participant interactions are subject to human review and
discretion. For example:
• Behaviour management strategies, care plans, and support delivery decisions are made by
qualified professionals, not automated systems.
• Risk assessments are based on a combination of human expertise and data insights, with final
decisions approved by responsible staff.
Any data used for service planning is supplementary to professional judgment and does not replace the
human evaluation required for individualised care.
13.4 Assurance of Non-Automated Decisions
Participants are assured that:
• No automated decisions will be made that significantly affect their rights or access to services.
• All decisions affecting participants, including eligibility, service adjustments, and care planning, are
made with the involvement of human professionals.
If technology is used to assist in decision-making (e.g., to generate reports or analyse data trends), the final
decision will always involve qualified staff who understand the participant’s individual needs and circumstances.
13.5 Participant Rights and Transparency
Participants have the right to:
• Request an explanation of how decisions affecting them are made.
• Challenge or appeal decisions if they believe that any automated processes (if used in a
supplementary role) have resulted in unfair or inaccurate outcomes.
• Access information about the data or criteria used to make service-related decisions.
If a participant believes that a decision has been made incorrectly or unfairly, they may contact the Privacy
Officer to discuss their concerns.
13.6 Monitoring and Policy Review
The Company will monitor all systems and processes that use data analytics or technology to ensure they are
used appropriately and ethically. This policy will be periodically reviewed to ensure compliance with evolving
privacy laws and technological developments.
14. Marketing Communications and Opt-Out
14.1 Overview
Xyston Pty Ltd (“the Company”) may use the contact information provided by participants, authorised
representatives, or other users to communicate essential service updates and send marketing
communications related to the Company’s services, events, and relevant opportunities. All such
communications comply with the Spam Act 2003 (Cth) and the Privacy Act 1988 (Cth).
14.2 Consent to Receive Communications
By providing their contact information (including email addresses, phone numbers, or mailing addresses),
participants and users consent to receive:
• Service-related updates: Notifications relevant to the participant’s care, service delivery, or operational
changes (e.g., policy updates, shifts, or new service offerings).
• Marketing communications: Information about the Company’s events, promotions, or new services
that may be of interest to participants or users.
Consent to receive these communications is voluntary, and participants may choose to opt out at any time.
14.3 Opt-Out Mechanisms
Participants and users may opt out of receiving marketing communications at any time using one of the following
methods:
• Unsubscribe Link: Each marketing email sent by the Company will contain an unsubscribe link
allowing users to stop further marketing emails.
• Direct Contact: Participants may also contact the Privacy Officer directly to opt out of marketing
communications (contact details below).
The Company will process opt-out requests promptly and ensure that no further marketing communications
are sent to individuals who have opted out.
14.4 Communications Not Subject to Opt-Out
Participants and users acknowledge that certain service-related communications are essential for the delivery
of services and cannot be opted out of. These include:
• Service updates: Changes to care plans, appointments, or operational procedures.
• Mandatory notifications: Communications required under the NDIS framework, including incident
reporting or compliance matters.
Opting out of marketing communications will not affect the delivery of essential service-related
communications.
14.5 Responsibility for Managing Preferences
Participants are responsible for:
• Keeping their contact information up to date to ensure they receive relevant communications.
• Promptly notifying the Company if they wish to change their communication preferences or opt out of
marketing communications.
14.6 Indemnity and Limitation of Liability
The Company takes reasonable steps to ensure compliance with all applicable laws related to communications.
However, participants and users agree to indemnify and hold harmless Xyston Pty Ltd from any claims,
damages, or liabilities arising from:
• Failure to receive service updates due to incorrect or outdated contact information provided by the
participant.
• Misuse of contact information by third-party providers where the Company exercised reasonable care
in engaging those providers.
15. Complaints and Dispute Resolution
15.1 Overview
Xyston Pty Ltd (“the Company”) is committed to addressing all privacy-related complaints promptly, fairly, and
transparently. We value feedback from participants, authorised representatives, and other stakeholders and aim
to resolve any concerns through internal dispute resolution processes.
If a privacy-related complaint cannot be resolved internally, the complainant has the right to escalate the issue
to external authorities as outlined in this policy.
15.2 Internal Complaints Process
Participants, authorised representatives, or users who have concerns about the collection, use, disclosure, or
handling of personal information are encouraged to contact the Company’s Privacy Officer directly.
• How to Submit a Complaint:
Complaints can be submitted via email, phone, or in writing to the Privacy Officer (contact details
below).
• Acknowledgment of Complaint:
The Company will acknowledge receipt of the complaint within five (5) business days.
• Investigation and Response:
The complaint will be investigated thoroughly, and the Company will provide a formal response within
30 days of receiving the complaint, outlining the outcome and any remedial actions, if necessary.
The Company will work with the complainant to resolve the issue amicably. If additional time is required to
address complex complaints, the complainant will be informed of the delay and provided with a revised timeline.
15.3 Escalation to External Authorities
If the complainant is not satisfied with the outcome of the internal complaint process, they may escalate the
matter to the following external bodies:
• Office of the Australian Information Commissioner (OAIC):
For complaints related to privacy and data handling practices.
o Website: www.oaic.gov.au
• NDIS Quality and Safeguards Commission:
For complaints related to service delivery, compliance, or participant care under the NDIS
framework.
o Website: www.ndiscommission.gov.au
15.4 Contesting Unfounded or Vexatious Complaints
The Company is committed to handling all complaints professionally. However, if a complaint is determined to be
unfounded, vexatious, or submitted in bad faith, the Company:
• Reserves the right to contest the complaint through appropriate legal or regulatory channels.
• Will provide the complainant with a written explanation outlining the reasons for the determination.
• May decline further communication on the matter if the complaint is deemed frivolous or abusive.
15.5 Participant Rights During Dispute Resolution
Participants have the right to:
• Access information about the status of their complaint during the resolution process.
• Be treated with respect and fairness throughout the complaint process.
• Appeal internal decisions through external bodies if dissatisfied with the outcome.
The Company ensures that participants will not be penalised or treated unfairly for lodging a complaint.
15.6 Continuous Improvement and Policy Review
The Company uses complaints and feedback to improve internal processes and ensure compliance with
privacy obligations. Regular reviews of the complaints handling process will be conducted to maintain high
standards of service and accountability.
15.7 Contact Information for Complaints and Dispute Resolution
For inquiries, complaints, or further assistance regarding privacy or data handling practices, please contact:
Privacy Officer
Xyston Pty Ltd
ABN: 84 641 527 433
Email: admin@xyston.com.au
Phone: 08 9468 1502
Mailing Address:
PO BOX 48, KINGSWAY 6065
Perth, Western Australia
16. Governing Law and Jurisdiction
16.1 Governing Law
This Privacy Policy and any disputes arising from or related to the collection, use, disclosure, storage, or
handling of personal information are governed by the laws of Western Australia. The Company complies with
relevant privacy legislation, including the Privacy Act 1988 (Cth), the Spam Act 2003 (Cth), and applicable
NDIS regulations.
16.2 Jurisdiction for Dispute Resolution
Participants, authorised representatives, and other stakeholders agree that any disputes, claims, or legal
proceedings relating to the Company’s handling of personal information or services will be:
• Resolved under Australian law.
• Subject to the exclusive jurisdiction of the courts of Perth, Western Australia.
All parties waive any objections to the venue or jurisdiction of these courts on the grounds of inconvenient
forum or any other reason.
16.3 International Use
If the Company’s services or platforms are accessed from locations outside of Australia, participants and users
acknowledge that:
• The laws of Western Australia will apply, regardless of the participant’s location or local jurisdiction.
• They are responsible for complying with local privacy laws, to the extent those laws do not conflict with
Australian law.
16.4 Limitation of Claims
Any legal claims or disputes must be filed within 12 months of the event giving rise to the claim, unless a longer
period is required by law. Failure to initiate legal proceedings within this period will result in the claim being
permanently barred.
16.5 Dispute Resolution and Good Faith Negotiation
Before initiating formal legal proceedings, all parties agree to:
• Attempt to resolve disputes in good faith through mediation or negotiation, where possible.
• Pursue alternative dispute resolution (e.g., mediation) as a first step, unless immediate legal action is
required to protect the rights of any party.
17. Policy Amendments and User Notifications
17.1 Right to Amend the Policy
Xyston Pty Ltd (“the Company”) reserves the right to amend, update, or modify this Privacy Policy at its sole
discretion to reflect:
• Changes in legal or regulatory obligations, including updates to the Privacy Act 1988 (Cth) or NDIS
requirements.
• Operational or technological changes that affect how personal information is collected, used, or
disclosed.
• New business practices, systems, or partnerships that may require updates to the policy.
Amendments will take effect immediately upon publication, unless otherwise specified in the notice provided to
users.
17.2 Notification of Policy Changes
The Company is committed to ensuring transparency by providing timely notice of significant policy
amendments. When changes are made, participants and users will be notified through the following methods:
• Email notification: Sent to the most recent email address on record.
• Website notice: A public announcement or banner displayed on the Company’s website.
If participants or users do not receive a notice due to outdated contact information or technical issues beyond
the Company’s control, it remains the user’s responsibility to review the updated policy on the Company’s
website.
17.3 Continued Use of Services
By continuing to use the Company’s services or platforms after the publication of amendments, participants
and users:
• Acknowledge and accept the revised terms of the Privacy Policy.
• Agree to be bound by the amended policy, regardless of whether they have reviewed it.
If participants or users do not agree with the amended policy, they must discontinue using the Company’s
services and may contact the Privacy Officer to discuss any concerns.
17.4 User Responsibility to Stay Informed
Participants, authorised representatives, and other users are responsible for:
• Keeping their contact information up to date to ensure they receive policy change notifications.
• Regularly reviewing the Privacy Policy on the Company’s website to stay informed about any
changes.
18. Accessibility and Language Options
18.1 Commitment to Accessibility
Xyston Pty Ltd (“the Company”) is committed to ensuring equal access to information for all participants,
authorised representatives, and users, including those with disabilities or language barriers. We strive to make
this Privacy Policy and all other communications accessible and easy to understand for everyone, in
accordance with the Disability Discrimination Act 1992 (Cth) and other relevant laws and standards.
18.2 Availability of Alternative Formats
Participants or users who require this Privacy Policy in alternative formats can request the following:
• Large print versions for users with vision impairments.
• Screen-reader compatible digital formats (e.g., PDF or HTML) for users with disabilities using
assistive technologies.
• Braille versions (if requested and feasible).
18.3 Language Translation Options
To ensure participants from non-English speaking backgrounds understand the Company’s privacy practices,
the Privacy Policy can be made available in translated versions upon request. The Company will:
• Engage professional translation services to provide accurate translations.
• Ensure that translated versions align with the original English-language policy to maintain
consistency.
Participants and users are encouraged to contact the Company if they require this policy in a specific language.
18.4 Timely Provision of Accessible Formats and Translations
The Company will take reasonable steps to provide the requested format or translation promptly. If a delay
occurs, participants will be informed of the reason and provided with an estimated delivery time.
18.5 No Additional Costs for Accessible Formats or Translations
The Company will provide alternative formats or translations of this Privacy Policy free of charge to ensure fair
access to all participants and users.
18.7 Indemnity and Limitations on Responsibility
While the Company will make every reasonable effort to provide accessible formats and accurate
translations, participants acknowledge that:
• Translations may introduce minor differences in wording or phrasing, which do not affect the
substance or intent of the original English version.
• The English-language version of this Privacy Policy remains the official and legally binding version
for all purposes.
19. Contact Information
For inquiries, complaints, data access requests, or any other questions related to this Privacy Policy and your
personal information, please contact our Privacy Officer at the details provided below:
Privacy Officer
Xyston Pty Ltd
ABN: 84 641 527 433
Email: admin@xyston.com.au
Phone: 08 9468 1502
Mailing Address:
PO BOX 48, KINGSWAY 6065
Perth, Western Australia
19.1 Response Time for Inquiries
The Company is committed to responding to inquiries and complaints promptly. You can expect:
• Acknowledgment of your inquiry or request within five (5) business days.
• A formal response or resolution within thirty (30) days, unless additional time is required. In such
cases, we will inform you of the delay and provide a revised timeframe.
19.2 Contact for Escalated Complaints
If you are not satisfied with the resolution provided by the Company, you may escalate your complaint to external
authorities:
• Office of the Australian Information Commissioner (OAIC):
www.oaic.gov.au
• NDIS Quality and Safeguards Commission:
www.ndiscommission.gov.au