Picture a team with a running group chat where workers share updates about their shift, meant well, keeps everyone in the loop. Someone posts a photo "for a laugh," a person mid-laugh at a barbecue, nothing graphic, nothing unkind. Except nobody asked that person if the photo could go anywhere beyond the shift notes, and by the time anyone thinks to check, it's been seen by six people who had no reason to see it. Nobody in that chat means harm. That's exactly why privacy needs to be a habit, not just an instinct a worker relies on in the moment.
What counts as personal information in support work?
More than most workers assume. Health details and support needs, obviously, but also routines, relationships, finances, photos, opinions the person has shared in confidence, and even small details like what time someone usually showers or which neighbour they don't get along with. Under the Privacy Act 1988, organisations that provide a health service and hold health information are covered by the Act regardless of size, and the OAIC specifically names disability service providers as an example, so the usual small business exemption doesn't apply the way it might for other small operators.
What does confidentiality look like day to day?
It means only sharing what's necessary, with the people who genuinely need it, for a genuine reason connected to the person's support. It means not discussing one person you support with another, not leaving notes or paperwork visible in a shared space, and being careful about what gets said to family, neighbours, or other services, even when the conversation feels casual. The NDIS Practice Standards' rights and responsibilities module expects consistent processes that protect a participant's privacy and dignity, and that expectation reaches every casual conversation a worker has, not just formal records.
What about photos and social media?
Ask before taking a photo, and ask again before using it for anything beyond what was agreed. A photo taken with consent for a case note is not automatically fine to post to a service's social media, share in a team chat, or send to a family member who wasn't part of the original conversation. Each new use is a new decision, and the person gets a say in each one.
The habit worth building
Before sharing anything about the person you support, a photo, a detail, an opinion they've shared, ask whether they would be comfortable knowing exactly who's about to see or hear it. If the honest answer is "probably not," that's the answer to whether you should be sharing it.
When does confidentiality have to give way to safety?
When there's a genuine risk of harm, to the person or to someone else. Suspected abuse or neglect, a serious safety concern, or information a treating clinician genuinely needs are all situations where the duty to protect outweighs the default of confidentiality. The key word is genuine. Confidentiality shouldn't bend for gossip, convenience, or because a family member is asking and it's easier to just answer than to say the information isn't theirs to have.
What should a worker do if they've made a mistake?
Tell a supervisor straight away. Privacy mistakes happen, a message sent to the wrong person, a document left out, and an early, honest disclosure gives the organisation a real chance to limit the damage and correct the record. Quietly hoping it goes unnoticed almost always makes things worse if it surfaces later.
How CORA's course fits into this
CORA's course Privacy & Confidentiality, part of the Compliance Foundations stream in the course library, covers what privacy means in support work, handling personal information, photos, conversations and digital records with appropriate care, and when confidentiality must yield to safety obligations. It builds a worker's understanding and judgement. It does not replace your organisation's specific privacy policy or its obligations under the Privacy Act, which any registered provider handling health information needs to meet directly.
If you're mapping this alongside the rest of Compliance Foundations for your team, try the Pathway Builder, free and no sign-up required, or request a demo.
Individual membership
One seat, for one support worker. Full access to the CORA course library, plus your own credential register to upload and track your certificates, and settings you manage yourself. The Workforce Capability Report is part of the organisation plans, not the individual membership. Standalone, and not combinable with organisation tiers.
- Best value 1 year $175 $175 a year Get 1 year
- 2 years $315 $157.50 a year Get 2 years
- 3 years $446.25 $148.75 a year Get 3 years
- Monthly $30/month Spread the cost across the year Pay monthly
See how CORA covers privacy and the rest of Compliance Foundations
Browse the full course library, or get in touch if you want to talk through what your team's coverage looks like right now.
Try the Pathway Builder Browse the course libraryCommon questions
Are disability support providers covered by the Privacy Act?
Generally yes. Under the Privacy Act 1988, small businesses with turnover under $3 million are usually exempt, but the OAIC specifically names disability service providers who handle health information as an example of an organisation that remains covered regardless of size.
Can a worker take photos of the person they support?
Only with the person's informed consent for that specific photo and its intended use, whether that's a case note, a family update, or a shared activity. A photo taken for one purpose shouldn't be reused for another, like a marketing post, without asking again.
When does confidentiality have to give way to safety?
When there's a genuine risk of harm to the person or someone else, confidentiality gives way to the duty to report and protect. This includes suspected abuse or neglect, a serious safety risk, or information that must be shared with a treating clinician. The default is confidentiality; the exception is a real safety obligation, not convenience.
What should a worker do if they've accidentally shared something they shouldn't have?
Tell your supervisor straight away. A prompt, honest disclosure lets the organisation limit any harm and correct the record. Trying to quietly fix it yourself, or hoping nobody noticed, almost always makes the outcome worse if it does surface later.
Sources and further reading
- What is a health service provider, Office of the Australian Information Commissioner
- Guide to health privacy, Office of the Australian Information Commissioner
- Core module: Rights and responsibilities, NDIS Quality and Safeguards Commission
This page is general information for support workers and providers, not legal advice. Always follow your organisation's privacy policy and current Privacy Act and NDIS requirements.
← Back to the course library