The Positive Behaviour Support Group

Privacy Policy

How PBSG manages personal information, including information used with AI, automated technologies, recordings and de-identification.

Find a topic

Start with the plain-language summary or jump to a common question.

The full policy remains below. These links move directly to the relevant section without hiding any of the policy text.

MB Positive Behaviour Support Pty Ltd, trading as The Positive Behaviour Support Group (PBSG)
ABN 57 684 771 257 · NDIS Registration Number 4053368702
Version 1.0 · Effective 15 July 2026

Plain-language summary

PBSG provides positive behaviour support services to children, adolescents and adults with disability. To deliver those services, we handle personal information and highly sensitive health, disability, behavioural, safety and family information.

We use technology to make our services more accessible, consistent and efficient. This may include approved artificial intelligence (AI) tools for meeting notes, transcription, summarising, drafting, quality checks, planning, translation, accessibility, data analysis, software development, workflow automation and administrative support.

Where an AI tool needs identified personal or sensitive information, PBSG will only use an approved system and will rely on consent or another lawful basis. We do not permit staff to place identifiable participant information or confidential case material into publicly available, consumer-grade generative AI tools.

PBSG may use properly de-identified, anonymised, aggregated or synthetic information very broadly. This includes using it with generative AI for ideas, coding, writing, planning, templates, research, training, quality improvement, service design, analytics and the development or improvement of PBSG systems and resources. Properly de-identified information may be retained and reused for current and future lawful purposes.

AI-generated notes and drafts are aids, not substitutes for professional judgement. Clinically significant documents and decisions are reviewed by an appropriately qualified person. PBSG does not ordinarily make final clinical, restrictive-practice or service-termination decisions solely through AI.

You may ask for access to or correction of your information, raise a privacy concern, ask how AI has been used in relation to you, or object to an optional recording or AI note-taking process. Some core processing cannot be avoided where it is necessary to provide services, protect safety, meet legal obligations or keep secure and accurate records.

1. About this Privacy Policy

This Privacy Policy explains how MB Positive Behaviour Support Pty Ltd, trading as The Positive Behaviour Support Group (PBSG), collects, holds, uses, discloses, protects, retains, de-identifies and otherwise manages personal information. It also explains PBSG’s use of AI, automated technologies, recordings, transcription tools and de-identified information.

The policy is intended to be clear, technology-neutral and future-facing. References to AI include generative AI, large language models, machine-learning systems, productivity assistants, coding assistants, transcription and summarisation tools, analytics, recommendation systems, workflow automation, AI agents and other computer-assisted tools that generate, classify, predict, recommend, retrieve, transform or act on information.

This policy applies to information handled through PBSG’s websites, referral and contact forms, website tools, email, telephone, SMS, telehealth, in-person and mobile services, home and community visits, school and workplace services, assessments, reports, behaviour support plans, training, resources, complaints, incidents, recruitment, contracting, supplier relationships and general business operations.

This policy should be read together with any collection notice, service agreement, consent form, recording notice, terms of use, incident or complaints policy, participant handbook and other notice PBSG gives at the point information is collected. A more specific notice may explain a particular collection or use in greater detail. Applicable law prevails to the extent of any inconsistency.

Words such as “may”, “including” and “for example” are used deliberately. They describe the range of activities PBSG may undertake and are not intended to limit PBSG to the examples listed. PBSG will only undertake a particular activity where it is lawful, reasonably necessary or otherwise permitted, and proportionate to the circumstances.

This policy is not a substitute for a separate, current and informed consent where the law requires consent, particularly for the collection of sensitive information, recording of a private conversation, use of biometric identifiers, or an AI use that is materially different from the purpose for which information was originally collected.

2. Who PBSG Is

MB Positive Behaviour Support Pty Ltd (ABN 57 684 771 257) is an Australian private company. It trades as The Positive Behaviour Support Group (PBSG) and has a main business location in NSW 2287, Australia. PBSG’s NDIS registration number is 4053368702.

PBSG provides evidence-based, neurodivergent-affirming and trauma-informed positive behaviour support services. Services may be delivered in homes, schools, workplaces, community settings and by telehealth. PBSG works with participants, families, nominees, guardians, support workers, educators, therapists, coordinators, plan managers and other members of a participant’s support network.

PBSG supports NDIS participants and private clients, including children from approximately four years of age, adolescents, adults and older people. Services may involve functional behaviour assessment, behaviour support planning, implementation support, staff and family training, monitoring, review, reports, letters, funding evidence and work relating to restrictive-practice reduction and safeguarding.

PBSG may provide services through employees, officers, contractors, subcontracted behaviour support practitioners, consultants and approved service providers. Unless the context requires otherwise, references to “PBSG”, “we”, “us” or “our” include those people when acting for PBSG.

PBSG’s Privacy Officer can be contacted at Hello@PBSG.com.au or 0468 167 025.

3. Privacy and Regulatory Framework

PBSG aims to manage personal information consistently with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), applicable State and Territory health-records and privacy laws, the National Disability Insurance Scheme Act 2013 (Cth), applicable NDIS Rules, the NDIS Code of Conduct, the NDIS Practice Standards and other laws governing records, surveillance, child safety, mandatory reporting, workplace safety, direct marketing and electronic communications.

Because PBSG provides a health-related disability service and handles health information, privacy obligations may apply even if a small-business exemption would otherwise be available. Different State or Territory laws may apply depending on where a service is delivered, where a participant lives, where information is collected, and the nature of the practitioner or service.

PBSG also recognises professional duties of confidentiality, participant dignity, supported decision-making, choice and control. Privacy and confidentiality are related but not identical. There are circumstances in which PBSG may lawfully disclose information without consent, including to manage a serious threat, make a mandatory report, respond to a reportable incident, comply with a court order, exercise or defend a legal claim, or meet NDIS and other regulatory obligations.

Where more than one law applies, PBSG will seek to comply with the standard that is legally required in the circumstances. Nothing in this policy reduces a person’s rights under applicable law.

4. Key Definitions

Personal information

Information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information is true or not and whether recorded in material form or not. It can include information created or inferred by AI.

Sensitive information and health information

Sensitive information includes health, disability, racial or ethnic origin, religious or philosophical beliefs, sexual orientation or practices, criminal record, political opinions or affiliations, professional or trade-association membership, union membership, genetic information and certain biometric information. Health information includes information or opinions about physical or mental health, disability, health services, wishes concerning future health services, and information collected in connection with providing a health service.

Participant

A person receiving, seeking or being referred for PBSG services, whether funded through the NDIS, privately or by another arrangement. A participant may be a child, young person or adult.

Representative or support person

A parent, guardian, nominee, attorney, administrator, advocate, responsible person, support coordinator, family member or other person who assists, represents or supports an individual. A support role does not automatically give unrestricted access to all information.

AI and generative AI

Computer-based systems that infer from input how to generate outputs such as text, code, images, audio, summaries, predictions, classifications, recommendations, actions or decisions. Generative AI produces new content based on patterns in data.

AI note-taking

Use of software to capture or process audio, video, speech, chat, screen content, documents or meeting metadata to produce a recording, transcript, summary, speaker label, action list, draft note or related output.

Automated decision-making

A computer program making a decision, or doing something substantially and directly related to making a decision. Not every automated task is a significant automated decision.

De-identified or anonymised information

Information that has been treated so that no individual is reasonably identifiable in the relevant context and the risk of re-identification is very low. De-identification is context-dependent. Removing a name alone is usually not enough.

Pseudonymised or coded information

Information where direct identifiers are replaced with a code or pseudonym but a person may still be re-identified using a key or other information. Pseudonymised information remains personal information and is protected accordingly.

Synthetic information

Artificially generated information designed to resemble patterns or structures in real data without representing a real identifiable person. Synthetic information may still require safeguards if it can be linked back to a person or was generated from identifiable source data.

Approved AI system

An AI product, feature, integration or service that PBSG has authorised for a defined use after considering privacy, security, contractual, clinical, operational and regulatory risks. Approval may be subject to settings, restrictions, data classes and human-review requirements.

Public AI tool

A publicly accessible, consumer-grade or open AI service that is not specifically approved by PBSG for identifiable or confidential information. Public AI tools may only be used with information that is non-confidential and does not contain personal information, or that has been robustly de-identified for the relevant use.

5. Whose Information PBSG Handles

PBSG may handle information about:

  • current, former and prospective participants;
  • parents, guardians, nominees, attorneys, advocates and other representatives;
  • family members, carers, support workers, teachers, employers, therapists, health practitioners, coordinators, plan managers and other members of a support network;
  • referrers and people making enquiries on behalf of another person;
  • people involved in incidents, complaints, safeguarding concerns, investigations, restrictive practices or legal matters;
  • employees, officers, job applicants, contractors, subcontracted practitioners, students, volunteers, referees and emergency contacts;
  • suppliers, professional advisers, auditors, insurers, regulators and business contacts; and
  • website visitors, users of online resources, subscribers, social-media users and people who communicate with PBSG.

A participant record commonly contains personal information about other people. PBSG will protect third-party information and may redact or restrict access where necessary to protect another person’s privacy, safety, confidentiality or legal rights.

When a person gives PBSG personal information about somebody else, PBSG expects the person to have authority to provide it, to give accurate information, and, where reasonably practicable, to tell the other person that PBSG may handle the information under this policy. PBSG may contact the individual or seek evidence of authority where appropriate.

6. Kinds of Information PBSG May Collect and Hold

6.1 Identity, contact and personal details

  • name, preferred name, previous names, date of birth, age, gender, pronouns, signature and photograph;
  • home, postal and service addresses; email addresses; telephone numbers; emergency contacts; and communication preferences;
  • language, interpreter, accessibility and communication requirements;
  • family, household, relationship, living, school, work and community information;
  • identity and authority documents where reasonably necessary, including guardianship, nominee, attorney or parental-authority documents; and
  • cultural background, Aboriginal or Torres Strait Islander status, ethnicity, religion or other identity information where relevant, voluntarily provided or lawfully required.

6.2 Health, disability, behaviour and support information

  • diagnoses, disability, functional capacity, developmental, cognitive, neurological, mental-health and physical-health information;
  • communication, sensory, emotional-regulation, social, behavioural, learning, mobility and daily-living information;
  • behaviours of concern, antecedents, triggers, functions, frequency, duration, intensity, consequences and environmental factors;
  • information about aggression, self-injury, absconding or wandering, PICA, smearing, refusal, property damage, withdrawal, safety risks and other behaviour relevant to support;
  • trauma history, family circumstances, relationships, vulnerabilities, abuse, neglect, exploitation, discrimination or safeguarding concerns where relevant and lawfully collected;
  • medication, allergies, treatments, practitioners, hospitalisations, health-management plans, emergency information and relevant clinical history;
  • restrictive practices, authorisations, behaviour support plans, implementation records, reduction strategies, incidents and reportable incidents;
  • assessments, observations, case notes, progress notes, functional behaviour assessments, data charts, goals, outcomes, reports, letters, recommendations and plan drafts; and
  • information about a person’s preferences, strengths, interests, routines, values, goals, quality of life and desired supports.

6.3 NDIS, funding and service information

  • NDIS participant number and other government-related identifiers where lawful;
  • plan dates, goals, funding categories, budget, management type, PACE endorsement and service-booking information;
  • details of the NDIA, NDIS Commission, plan manager, support coordinator, nominee, guardian and other providers;
  • referral information, service needs, location, practitioner preferences, capacity matching and wait-list information;
  • service agreements, consents, bookings, attendance, cancellations, travel, telehealth and service-delivery records; and
  • claims, invoices, quotes, reports supporting funding requests or plan reassessments, and communications about payment or funding.

6.4 Communications, recordings and interaction data

  • emails, letters, forms, text messages, telephone notes, chat messages and social-media communications;
  • audio or video recordings, photographs, transcripts, speaker labels, captions, meeting summaries, action items and AI-generated notes where notice and any required consent have been provided;
  • telehealth metadata, meeting attendance, screen-shared information, documents provided during sessions and information captured through approved meeting tools;
  • feedback, compliments, complaints, allegations, witness accounts and investigation material; and
  • preferences or objections concerning recording, AI, disclosure, contact and participation.

6.5 Financial, contractual and business information

  • billing contact details, payment status, transaction references and bank or payment details where needed;
  • tax, insurance, legal, debt-recovery and contract information;
  • supplier, referrer and professional contact information; and
  • information required for audits, accreditation, registration, quality assurance, tenders, grants and business administration.

6.6 Website, device and technical information

  • IP address, browser, operating system, device type, language, time zone and approximate location;
  • pages viewed, links selected, referral source, form interactions, timestamps, error logs, security events and cookie or similar identifiers;
  • information submitted through contact, referral, recruitment or resource forms; and
  • technical logs, diagnostic data and support records associated with PBSG systems, integrations, websites and software.

6.7 Workforce and recruitment information

  • resumes, qualifications, registrations, professional memberships, skills, experience, work history and references;
  • identity, right-to-work, NDIS Worker Screening, Working with Children, police, probity and other required checks;
  • contracts, rates, bank, tax, superannuation, insurance and business details;
  • training, supervision, performance, conduct, availability, location, caseload, complaints, incidents and workplace adjustments; and
  • health, safety, leave, emergency-contact and other employment or contractor information where lawful.

6.8 Information generated or inferred by AI

AI systems may generate summaries, classifications, themes, draft wording, risk or urgency flags, suggested actions, possible matches, accessibility transformations, code, quality checks, predictions or other inferences. If an output is about an identifiable person, PBSG treats it as personal information and, where it reveals health or another sensitive characteristic, as sensitive information. An AI-generated statement is not automatically treated as fact.

7. How PBSG Collects Information

PBSG may collect information:

  • directly from an individual through a referral, enquiry, consultation, assessment, observation, interview, questionnaire, service agreement, consent form, survey, complaint, employment application or other interaction;
  • from a parent, guardian, nominee, attorney, advocate, family member, carer, support worker or other authorised person;
  • from support coordinators, plan managers, schools, workplaces, allied-health providers, medical practitioners, hospitals, accommodation providers and other organisations involved in support;
  • from the NDIA, NDIS Commission, government agencies, regulators, law-enforcement bodies, courts, tribunals, insurers or legal representatives where authorised;
  • through observation in the home, school, workplace, community or another setting in which behaviour and support occur;
  • through telephone, email, SMS, telehealth, online forms, websites, cookies, analytics, security tools and technical logs;
  • through an approved AI note-taking, transcription, summarisation, translation, accessibility or workflow system after appropriate notice and consent where required;
  • from publicly available sources, professional registers, social media or online material where lawful, fair and reasonably necessary; and
  • by generating or inferring information through an AI system where the collection is reasonably necessary, lawful and fair, and any required consent has been obtained.

PBSG generally seeks to collect information directly from the individual where reasonable and practicable. Indirect collection is often necessary in behaviour support because information may be held by a support network, a participant may need assistance to communicate, the service may concern environmental factors, or safety and regulatory obligations require information from several sources.

If PBSG receives unsolicited personal information, it will determine whether the information could lawfully have been collected. If not, and if no legal or record-keeping obligation requires retention, PBSG will take reasonable steps to destroy or de-identify it. Unsolicited information may be retained where it forms part of an incident, complaint, safeguarding matter, legal record or other matter PBSG is required or permitted to keep.

8. Why PBSG Collects, Holds, Uses and Discloses Information

PBSG may handle personal information for the primary purpose for which it was collected and for related or directly related purposes that an individual would reasonably expect, with consent, or as otherwise permitted or required by law. Purposes may include:

  • responding to enquiries, requests for callbacks and referrals;
  • assessing service suitability, urgency, risk, location, funding, practitioner availability and capacity;
  • verifying identity, authority, consent, NDIS details, service agreements and payment arrangements;
  • providing positive behaviour support, functional behaviour assessment, behaviour support planning, implementation support, monitoring, review, training and telehealth;
  • understanding needs, strengths, communication, environment, behaviour, safety, preferences, goals and quality-of-life outcomes;
  • drafting, reviewing and maintaining notes, reports, behaviour support plans, letters, funding evidence, training material and other service records;
  • communicating and collaborating with a participant and authorised support network;
  • supporting continuity of care and coordinating with schools, workplaces, health practitioners, allied-health providers and other services;
  • managing restrictive practices, safeguarding, incidents, reportable incidents, complaints, risks, emergencies and mandatory reports;
  • making claims, issuing invoices, collecting payments, managing debt, responding to audits and administering contracts;
  • meeting NDIS registration, practice-standard, quality, insurance, legal, professional and regulatory obligations;
  • supervising practitioners, reviewing quality, monitoring outcomes, conducting audits and improving clinical and operational consistency;
  • developing staff, training support teams and creating educational or accessibility resources;
  • conducting research, evaluation, benchmarking, analytics, service design and quality improvement, preferably using de-identified information;
  • using approved AI and automation for the purposes described in this policy;
  • operating, securing, testing, supporting and improving websites, software, databases, communications and business systems;
  • recruiting, onboarding, engaging, supervising and managing staff, contractors and suppliers;
  • sending service communications and, where permitted, newsletters, resources, event information or other direct marketing;
  • responding to legal claims, subpoenas, warrants, investigations, insurance matters and requests from authorised bodies;
  • protecting the rights, safety, property and systems of participants, staff, PBSG and other people; and
  • planning, financing, restructuring, selling, transferring or otherwise managing PBSG’s business, subject to confidentiality and privacy safeguards.

PBSG will not rely on the mere existence of this policy as consent where current, specific and informed consent is legally required. However, clear disclosure in this policy and at the point of collection may form part of determining what a person reasonably expects and whether a use is related to the original purpose.

9. Sensitive Information, Health Information and Government Identifiers

Most participant information handled by PBSG is sensitive health or disability information. PBSG generally collects sensitive information with consent and where it is reasonably necessary for service delivery or another lawful function. Exceptions may apply where collection, use or disclosure is required or authorised by law, necessary to lessen or prevent a serious threat, necessary for a health service under applicable rules, or otherwise permitted by the Privacy Act or relevant health-records legislation.

PBSG seeks to collect the minimum sensitive information reasonably necessary for the relevant purpose. A person is not required to disclose information that is unrelated to their service, but incomplete or inaccurate information may affect PBSG’s ability to assess risk, provide safe and effective support, meet NDIS requirements or prepare reliable reports.

PBSG may collect cultural, racial, religious, sexual, criminal, trauma or other highly sensitive information only where relevant, voluntarily provided, lawfully required or necessary to understand an individual’s circumstances and provide respectful support. Such information is not used to discriminate unlawfully.

PBSG may use NDIS participant numbers, Medicare details, worker-screening identifiers, tax file numbers and other government-related identifiers only where lawful and necessary. PBSG does not adopt a government identifier as its own identifier unless permitted by law and may instead assign an internal participant, referral, invoice or workforce reference number.

PBSG does not ordinarily create biometric templates or use voice or facial data to identify a person biometrically. Audio, video and photographs may nevertheless reveal sensitive information. If PBSG proposes biometric identification, facial recognition, voiceprint authentication or another materially different biometric use, it will undertake a separate assessment and seek specific consent where required.

10. PBSG’s Approach to Artificial Intelligence and Automated Technologies

PBSG supports responsible, practical and innovative use of AI. AI can reduce administrative burden, improve consistency, support accessibility, help practitioners find and organise information, accelerate writing and coding, and enable PBSG to create useful resources. It also creates privacy, confidentiality, accuracy, bias, safety, security and governance risks that must be managed.

PBSG may use AI now or in the future for any lawful purpose connected with its services and operations, including the uses expressly described in this policy. PBSG is not required to give a separate notice every time AI assists with a routine administrative, de-identified, technical or low-risk task. Separate notice and consent will be sought where required, particularly for recording, sensitive-information collection, materially different secondary uses and high-impact decisions.

10.1 Approved systems and public tools

PBSG distinguishes between approved AI systems and public AI tools. Approved systems may process personal information where the use is lawful, reasonably necessary, appropriately secured and within the approved scope. Public AI tools must not receive identifiable participant information, health information, confidential case material, unredacted records, private meeting content or other protected information.

10.2 Privacy-by-design and governance

Depending on the risk and scale of a proposed AI use, PBSG may undertake privacy, security, clinical, legal or operational assessments; review supplier terms; examine data locations and model-training settings; configure retention and access controls; test accuracy and bias; set human-review requirements; limit integrations; maintain an approved-tool register; train users; monitor performance; and review the use over its lifecycle.

10.3 Data minimisation

PBSG will seek to minimise personal information provided to AI. This may include using de-identified, pseudonymised, redacted, summarised or synthetic information; excluding unnecessary attachments; limiting date ranges; selecting only relevant fields; using secure retrieval rather than copying whole records; and deleting unnecessary outputs.

10.4 Outputs are also information

AI outputs may contain personal information, sensitive information, confidential information, incorrect claims or unexpected third-party information. PBSG applies privacy and security controls to outputs as well as inputs. An output that PBSG is not permitted to collect will be corrected, destroyed or de-identified where required.

10.5 Current and future capabilities

AI products and features change quickly. A tool may add transcription, memory, agentic action, search, image, voice, code or integration capabilities after initial adoption. PBSG may use such capabilities following appropriate review. The fact that a capability is technically available does not by itself authorise its use with personal information.

11. AI Note-Taking, Transcription, Recording and Meeting Assistants

PBSG may use approved meeting and note-taking tools in consultations, supervision, staff meetings, care-team meetings, intake calls, training, interviews and other interactions. A meeting assistant may appear as a participant in a video meeting or may operate within a telephone, telehealth or conferencing platform.

11.1 Information that may be processed

An AI note-taking system may process names, voices, images, audio, video, chat, screen content, documents, meeting title, date, time, attendees, speaker identity, device and connection metadata, and the substance of the discussion. Because behaviour-support discussions can reveal health, disability, trauma, family, cultural and safety information, meeting data will often be sensitive information.

11.2 Purposes

  • creating a transcript, summary, progress note or draft case note;
  • identifying action items, decisions, follow-up tasks, risks and questions;
  • supporting accurate recall, continuity, supervision and quality assurance;
  • drafting reports, behaviour support plan content, letters, training material or communications;
  • creating captions, translations, plain-language versions or accessibility supports;
  • searching or retrieving prior discussions within an approved workspace; and
  • reducing duplication and allowing practitioners to focus on the participant and support network.

11.3 Notice and consent

PBSG’s policy is to give clear notice before a private conversation is recorded or transcribed and to obtain express or otherwise valid consent where required by privacy, surveillance or health-records law. Notice may be provided in a meeting invitation, on-screen banner, recorded announcement, written consent form or verbal statement. The notice should identify the tool or type of tool, the information captured, the purpose, likely disclosure to a provider, any overseas processing, retention approach and available alternatives.

Silence or continued attendance will not be treated as sufficient consent where current, specific and informed consent is legally required. Where an opt-out notice is lawful and appropriate, it must be clear, prominent and offer a meaningful opportunity to object before capture begins.

11.4 Group meetings and information about other people

The organiser and attendees should avoid discussing unnecessary third-party information. PBSG may pause or stop an AI assistant if a person objects, confidential information outside the meeting purpose arises, or the discussion becomes unsuitable for recording. Each organisation represented at a meeting remains responsible for its own handling of copies it receives.

11.5 Alternatives and objections

A participant or attendee may ask questions, request that a recording not be made, ask that an existing recording be paused, or request manual notes where reasonably practicable. PBSG will consider the request in light of legal obligations, service safety, accessibility, accuracy, the rights of other attendees and the operational purpose. Declining optional AI note-taking will not, by itself, result in unfair treatment.

11.6 Review, correction and status of notes

AI transcripts and summaries can be incomplete or wrong. A practitioner or authorised worker should review clinically or operationally significant content before it is relied on or entered as a final record. PBSG may retain the reviewed note rather than the full transcript. A person may ask PBSG to correct a material error under the access and correction process in this policy.

11.7 Retention

Raw audio or video may be deleted after a transcript or note is checked, but PBSG may retain it where reasonably necessary for a clinical, supervision, accessibility, quality, complaint, incident, legal, training or regulatory purpose and where retention is lawful. Transcripts, summaries and final notes may form part of the participant, workforce or business record and be retained for the applicable record-retention period. Supplier logs and backups may persist for a limited period under the supplier’s settings and contract.

12. Generative AI, De-Identified Information and Broad Innovation Uses

PBSG may use information that has been robustly de-identified, anonymised, aggregated or converted into suitable synthetic information very broadly, including with public or approved generative AI tools. PBSG considers this an important way to improve services and reduce the need to expose identifiable participant information.

12.1 De-identification is more than removing names

PBSG may remove or transform names, contact details, NDIS numbers, exact dates, addresses, rare attributes, free-text identifiers, images, voices, file metadata and combinations of facts that could identify a person. It may generalise ages, locations, dates and diagnoses; group small categories; replace unique details; separate keys; restrict access; and assess the environment in which the data will be used. Coded or pseudonymised information remains personal information unless re-identification risk is very low in context.

12.2 Broad permitted uses of de-identified information

To the maximum extent permitted by law, PBSG may collect, create, retain, analyse, combine, adapt, disclose, share, publish in aggregate, license, commercialise and otherwise use de-identified, anonymised, aggregated or synthetic information for any lawful present or future purpose, including:

  • brainstorming, ideation, creative exploration and testing alternative approaches;
  • drafting, rewriting, editing, proofreading, summarising, formatting and translating text;
  • developing behaviour-support plan structures, templates, checklists, questionnaires, assessment tools, training scenarios and resource libraries;
  • creating policies, procedures, manuals, service agreements, consent language, quality systems, risk frameworks, reports, proposals, tenders, grant applications and business plans;
  • programming, code generation, code review, debugging, documentation, database queries, formulas, workflow automation, integrations, prototypes, websites, calculators, dashboards, referral tools and internal software;
  • creating synthetic test data, test cases, simulations, benchmarks, evaluation datasets, safety tests and red-team scenarios;
  • service design, capacity planning, workforce planning, process improvement, productivity analysis and operational forecasting;
  • research, statistics, benchmarking, outcome evaluation, trend analysis, quality improvement, audit, supervision and professional education;
  • developing public resources, presentations, articles, social-media content, website material, newsletters and marketing concepts;
  • training, fine-tuning, configuring, evaluating or improving AI systems, prompts, retrieval systems, classifiers and automated workflows;
  • allowing AI and technology providers to operate, secure, test, evaluate or improve their products or models where PBSG considers the information adequately de-identified and the arrangement acceptable;
  • collaborating with consultants, developers, researchers, educators, universities, professional advisers, service providers or industry bodies; and
  • creating knowledge, methods, templates, code, analytics, products and services for PBSG’s commercial or non-commercial benefit.

12.3 Retention and future use

Properly de-identified or synthetic information may be retained indefinitely, combined with other datasets, reused for purposes not known at the time of original collection, and processed using technologies developed in the future, provided it remains de-identified in the relevant context and the use is lawful. PBSG is not generally required to obtain further consent for information that is no longer personal information.

12.4 Supplier model improvement

PBSG may choose settings that permit an AI provider to retain or use de-identified prompts, outputs, feedback, telemetry or evaluation material to maintain, secure, train or improve its models or services. PBSG will not intentionally enable provider training on identifiable participant health information unless PBSG has assessed the use, established a lawful basis, implemented appropriate safeguards and obtained any required specific consent.

12.5 No re-identification

PBSG will not knowingly attempt to re-identify properly de-identified information except where reasonably necessary to test or validate de-identification, investigate a security incident, comply with law or protect an individual, and only under appropriate controls. Recipients of de-identified datasets may be required not to attempt re-identification.

12.6 Choice and de-identified use

A person may raise concerns about the way source information is prepared for de-identification. Once information has been lawfully and effectively de-identified so that it is no longer personal information, PBSG’s ongoing use of that information is generally not subject to an individual opt-out. PBSG will continue to protect confidentiality, intellectual-property rights and contractual restrictions that apply independently of privacy law.

13. Use of Identified Personal Information in Approved AI Systems

PBSG may use an approved AI system with identified personal or sensitive information where the use is reasonably necessary for a PBSG function, connected to the purpose for which the information was collected, covered by valid consent, or otherwise permitted or required by law. The amount and sensitivity of information used will be proportionate to the task and risk.

13.1 Examples of approved identified-data uses

  • transcribing or summarising a consented consultation, meeting, telephone call, supervision session or interview;
  • drafting or organising session notes, functional behaviour assessments, interim or comprehensive behaviour support plans, progress reports, implementation guidance, letters and funding evidence;
  • extracting dates, actions, goals, risks or themes from authorised records;
  • checking a draft for internal consistency, readability, spelling, structure, missing fields or alignment with an approved template;
  • creating participant-specific plain-language, visual, translated or accessible versions of information;
  • searching an approved internal knowledge base or record system to retrieve information for an authorised user;
  • drafting emails, appointment messages, agendas, task lists, handover notes and administrative communications;
  • supporting referral triage, practitioner matching, scheduling, capacity, billing, claims, workflow routing and follow-up;
  • detecting spam, fraud, unauthorised access, unusual activity, malware or other security threats;
  • supporting quality review, supervision, audit, complaint or incident analysis; and
  • supporting recruitment, credential review, onboarding, workforce allocation and contractor administration.

13.2 Connected workspaces and AI agents

An approved AI system may be connected to PBSG email, calendar, telephone, telehealth, practice-management, document-management, cloud-storage, helpdesk, accounting, code repository, website or workflow systems. It may retrieve information and, where authorised, create tasks, drafts, appointments, records or other actions. Permissions should be limited to the user, purpose and information reasonably required.

13.3 Provider access and service operation

An AI provider and its subprocessors may process personal information to host and deliver the service, generate outputs, maintain security, detect abuse, troubleshoot, provide support, monitor reliability, enforce terms and meet legal obligations. PBSG will consider contractual limits on provider use, retention and model training, and will prefer settings that do not use identifiable customer content to train a general-purpose model where reasonably practicable.

13.4 Public AI prohibition for identifiable information

PBSG personnel must not enter names, contact details, NDIS numbers, identifiable case histories, participant photographs, voices, unredacted reports, raw clinical notes, private correspondence or other personal or confidential information into a public AI tool. Where a public tool is useful for ideas, writing, planning or coding, the input must be non-confidential and appropriately de-identified or synthetic.

13.5 Development or training using personal information

PBSG may configure, fine-tune, train, evaluate or develop an AI system using personal information only after assessing whether the information is reasonably necessary, whether the original collection permits the use, whether consent or an exception applies, how accuracy and deletion rights can be addressed, and how the dataset and model will be secured. De-identified or synthetic information is preferred. PBSG will not treat a general statement in this policy as sufficient consent to train a general-purpose model on identifiable sensitive information.

13.6 Technical and coding information

Coding and debugging tools may process source code, configuration, system logs, error messages, database structures and test data. PBSG will seek to use synthetic or de-identified test data. If technical logs contain an IP address, user identifier, form content or other personal information, they will be treated as personal information and provided only to an approved system where reasonably necessary.

14. AI Outputs, Accuracy, Bias and Human Oversight

AI systems can produce content that is incomplete, biased, out of date, misleading or confidently wrong. They may confuse people, invent references, omit context, mislabel speakers, overstate risk or reproduce patterns that disadvantage people with disability, children, First Nations people, culturally and linguistically diverse communities or other groups.

PBSG applies a level of review proportionate to the risk. A low-risk grammar suggestion may require little review. A participant note, risk assessment, report, behaviour support plan, restrictive-practice recommendation or funding document requires review by an appropriately authorised and qualified person before it is treated as final or relied on.

AI may suggest hypotheses, strategies, wording, coding or actions, but the responsible practitioner or worker must consider the participant’s actual circumstances, preferences, rights, evidence, professional obligations and legal requirements. AI-generated output is not a diagnosis, clinical fact, incident finding or authorisation merely because it appears in a draft.

PBSG may mark, log or retain information about the AI system, model, prompt, version, reviewer and changes where useful for traceability. PBSG may also test outputs against source records, use structured templates, require citations, restrict autonomous actions, sample outputs for quality and maintain escalation processes.

An individual may tell PBSG that an AI-generated statement appears wrong, unfair or misleading. PBSG will consider the concern, review relevant source information and correct, annotate, delete or restrict the information where required. Where information was disclosed to another organisation, PBSG will take reasonable steps to notify the recipient of a correction where legally required or appropriate.

15. Automated Decision-Making and Decisions Affecting Rights or Interests

PBSG may use rules, algorithms, AI or other computer programs to make routine decisions or to do things substantially and directly related to a decision. This section is intended to provide transparency now and to address additional Australian privacy-policy requirements that commence on 10 December 2026.

15.1 Routine and low-impact automation

Systems may automatically block spam, authenticate users, detect suspicious activity, validate form fields, issue reminders, calculate travel or invoice amounts, route enquiries, assign task categories, generate reference numbers, identify missing information or suggest available appointment times. These processes may operate without individual human review where the effect is routine and low risk.

15.2 Information that may be used

  • identity, contact, age, location, communication and accessibility information;
  • referral source, service requested, urgency, risk, support needs and funding information;
  • availability, practitioner location, capacity, skills and conflicts;
  • appointment, attendance, cancellation, claim, invoice and payment information;
  • website, device, security, account and authentication information;
  • worker qualifications, checks, experience, location and availability; and
  • information generated by prior interactions, including a triage category, risk flag, match score or recommended next step.

15.3 Kinds of decisions or recommendations

  • how an enquiry is routed or prioritised;
  • whether more information or a human review is required;
  • which practitioners or service options may be suitable or available;
  • appointment, wait-list, communication and workflow sequencing;
  • whether a transaction, login or communication appears fraudulent or unsafe;
  • whether a claim or invoice requires review; and
  • whether an applicant or contractor appears to meet specified minimum criteria for further human assessment.

15.4 Significant decisions and human review

PBSG’s policy is not to make a final diagnosis, final behaviour support plan, final restrictive-practice recommendation, final reportable-incident finding, final safeguarding determination, final service termination decision or final employment decision solely through AI without meaningful human involvement. AI may assist, but an authorised person should review the relevant information and remain accountable for the decision.

If a program is used in a way that could reasonably be expected to significantly affect an individual’s rights or interests, PBSG will provide the transparency required by law and will consider the person’s ability to request information, correct input data, express their view and seek human review. The form of review may vary depending on the decision, urgency, legal constraints and the role of third-party systems such as NDIA or payment platforms.

15.5 Changes to automated decision use

PBSG will update this policy or provide a more specific notice if it materially expands the kinds of personal information used in significant automated decision-making or the kinds of significant decisions made by a computer program.

16. Consent, Acknowledgement, Choices and Objections

Providing information after receiving this policy acknowledges that PBSG has explained its general information-handling practices. It does not automatically amount to consent for every activity described. Where consent is legally required, PBSG may obtain it through a service agreement, referral form, specific consent, meeting notice, electronic checkbox, recorded verbal consent or another valid method.

Consent may be given by the individual or an authorised representative. PBSG will consider the individual’s capacity, age, communication needs, supported decision-making preferences, freedom to choose and the specificity and currency of consent. A guardian, nominee or parent’s authority depends on applicable law and the decision involved.

A person may withdraw consent prospectively by contacting PBSG. Withdrawal does not invalidate prior lawful handling and may not require deletion of a clinical, incident, financial, legal or regulatory record that PBSG must or is permitted to keep. PBSG will explain material consequences of withdrawal where reasonably practicable.

16.1 Choices about AI

  • A person may object to an optional recording or AI note-taking process and request manual notes where reasonably practicable.
  • A person may ask whether an approved AI system was used to create or substantially assist a material document or decision concerning them.
  • A person may request human review of a materially significant AI-assisted decision or output, subject to applicable law and the nature of the decision.
  • A person may ask PBSG not to use their identified information for an optional secondary AI purpose. PBSG will consider the request and whether consent or another legal basis applies.
  • A person generally cannot opt out of lawful use of properly de-identified information, essential cybersecurity, legal record-keeping, mandatory reporting or processing reasonably necessary to deliver the requested service.
  • PBSG may be unable to provide a particular feature, communication method or service efficiently if necessary information or processing is declined. PBSG will consider reasonable alternatives and will not misrepresent an optional process as mandatory.

16.2 Accessible explanations

PBSG will seek to explain a material AI use in a form the person can understand, including plain language, an interpreter, a support person, visual information or another accessible format where reasonably practicable.

17. Who PBSG May Disclose Information To

PBSG may disclose personal information to the following recipients where authorised, reasonably necessary, expected, consented to, required by contract, or permitted or required by law:

  • PBSG employees, officers, contractors, subcontracted practitioners, supervisors, quality personnel and authorised administrators;
  • the participant and authorised parents, guardians, nominees, attorneys, advocates or support persons;
  • family members, carers, support workers, SIL providers, day programs and other members of the support network where authorised;
  • support coordinators, plan managers, recovery coaches and other intermediaries;
  • schools, childcare services, employers, allied-health providers, medical practitioners, hospitals, pharmacies and other service providers;
  • the NDIA, NDIS Quality and Safeguards Commission, State or Territory authorising bodies and other government or regulatory agencies;
  • auditors, certification bodies, professional associations, accreditation bodies and registration authorities;
  • insurers, brokers, banks, payment providers, accountants, debt-recovery providers and financial advisers;
  • lawyers, consultants, investigators, mediators, courts, tribunals, law-enforcement bodies and authorised complainant or incident bodies;
  • website hosts, cloud-storage providers, practice-management systems, communications providers, telehealth platforms, analytics providers, cybersecurity providers, AI providers, transcription providers, software developers, IT support and other technology suppliers;
  • mail, document, printing, archiving, secure-destruction, recruitment, training and administrative providers;
  • research, education or quality-improvement collaborators, normally using de-identified information; and
  • a prospective purchaser, investor, financier, successor, administrator or adviser in connection with a proposed or actual business transaction, subject to appropriate confidentiality and legal safeguards.

PBSG seeks to limit disclosure to information reasonably necessary for the recipient’s role. Some recipients, such as independent health practitioners, schools, the NDIA, the NDIS Commission or a plan manager, manage information under their own legal obligations and privacy policies rather than solely as PBSG’s service provider.

PBSG does not sell identifiable participant information to data brokers or disclose health information to third-party advertisers for their own targeted advertising without valid consent or another clear legal basis.

18. Safety, Safeguarding, Incidents and Disclosures Without Consent

PBSG may collect, use or disclose information without consent where permitted or required by law. Examples include:

  • responding to a serious threat to the life, health or safety of an individual or to public health or safety;
  • contacting emergency services, a crisis service, police, child-protection authority, guardian, responsible person or relevant provider;
  • making mandatory child-protection, elder-abuse, domestic-violence, professional-conduct or other reports;
  • notifying, managing and investigating reportable incidents or alleged reportable incidents;
  • reporting unauthorised or unapproved restrictive practices and providing information required for behaviour-support oversight;
  • preventing, detecting or investigating violence, abuse, neglect, exploitation, discrimination, fraud or unlawful activity;
  • locating a missing person under a permitted general situation;
  • responding to a subpoena, warrant, court or tribunal order, statutory notice or lawful regulator request;
  • establishing, exercising or defending a legal or equitable claim, or participating in confidential dispute resolution;
  • meeting workplace health and safety, insurance, registration, audit and professional obligations; and
  • cooperating with a regulator, investigator or law-enforcement body as authorised.

PBSG will consider the urgency, legal authority, participant’s wishes and safety, and the minimum information necessary. Where appropriate and lawful, PBSG may inform the individual about the disclosure. In some cases, giving notice would be unsafe, unlawful or prejudicial to an investigation.

19. Participants, Representatives and Support Networks

PBSG supports participant choice and control and recognises that behaviour support is collaborative. PBSG may communicate with a support network to assess behaviour in context, coordinate strategies, train implementers, monitor progress and meet safety or regulatory requirements.

PBSG will seek the participant’s consent or another lawful authority before disclosing information to a family member, support worker, school, employer or other support person. Consent may specify recipients, topics, purposes, duration and restrictions. PBSG may disclose information without consent where a legal exception applies.

A person’s presence at a meeting, inclusion in an email chain or role as a support person does not automatically authorise access to the entire participant record. PBSG may verify identity and authority, consult the participant privately, restrict information to what is relevant, or decline a request that would conflict with the participant’s rights, another person’s privacy or applicable law.

Where a participant uses supported decision-making, PBSG will seek to involve the participant to the greatest extent practicable, respect communication preferences and distinguish assistance from substituted decision-making. PBSG may record the scope of a representative’s authority and review it when circumstances change.

20. Children and Young People

PBSG provides services to children and young people and may handle information from parents, carers, schools, health practitioners and other services. Children and young people have privacy interests in their own right. PBSG will consider age, maturity, capacity, safety, family circumstances, legal authority and the nature of the information when deciding who can consent, access information or receive a disclosure.

PBSG seeks to explain information handling and AI-assisted processes to a child or young person in a developmentally appropriate and accessible way and to involve them in decisions where practicable. A parent or guardian may not be entitled to every detail if disclosure would be unlawful, contrary to the young person’s valid wishes, create a serious threat, unreasonably affect another person or conflict with professional obligations.

PBSG may collect or disclose information without consent to protect a child or young person, make a mandatory report or respond to abuse, neglect, exploitation, family violence, self-harm, violence or another serious risk. PBSG may consult relevant authorities or professionals before informing a parent or other person where notice could increase risk.

PBSG does not encourage young children to submit detailed health information through a general website form without adult support. A parent, guardian, referrer or authorised professional should ordinarily assist with a referral. PBSG may contact the appropriate representative to verify authority and complete consent.

AI uses involving children or young people receive heightened consideration because errors, bias and loss of control can have greater consequences. PBSG will not use a child’s identifiable information to train a general-purpose AI model merely because it appears in a service record or because a parent has accepted this policy.

21. Service Providers, Subcontractors and Business Transfers

PBSG uses external providers to deliver services and operate its business. Providers may host information, process payments, manage referrals, provide telehealth, send messages, store documents, support practice management, transcribe meetings, supply AI features, develop software, perform analytics, protect security, conduct audits, destroy records or provide professional advice.

PBSG may assess providers according to the nature and sensitivity of information and the risk of the service. Measures may include contractual confidentiality, data-processing terms, access controls, multi-factor authentication, encryption, data-location review, model-training restrictions, retention settings, incident notification, audit rights, subcontractor disclosure and secure deletion.

PBSG may engage subcontracted behaviour support practitioners across Australia. A subcontractor may access participant information needed to provide, supervise, document and invoice services. PBSG requires subcontractors to comply with relevant privacy, confidentiality, record-keeping, security, NDIS and professional obligations. An independently practising provider may also have a separate privacy policy for information it handles in its own capacity.

If PBSG considers a merger, sale, financing, restructure, transfer of services, insolvency arrangement or succession plan, it may disclose information under confidentiality to advisers and counterparties and may transfer records to a successor where lawful. PBSG will seek to preserve continuity, access rights and appropriate protection of participant records.

22. Overseas Disclosure and Processing

PBSG may use cloud, communications, AI, transcription, software, support, security, analytics and other providers that store or process information outside Australia or permit overseas personnel to access it. Information sent over the internet may also transit through other countries.

Depending on the provider and service, likely overseas locations may include the United States, Canada, the United Kingdom, countries in the European Economic Area, New Zealand, Singapore, India, the Philippines and other countries in which a provider or its subprocessors operate. Provider locations and data-routing arrangements can change. PBSG may make a current provider or region list available on reasonable request where practicable and not security-sensitive.

Before an overseas disclosure, PBSG will take the steps required by applicable law. This may include assessing the recipient, using contractual safeguards, limiting information, selecting Australian data regions, relying on an applicable exception, or obtaining informed consent after explaining that PBSG may not be able to require the overseas recipient to comply with the APPs in the same way.

Where a provider merely stores information in an overseas cloud environment and PBSG retains effective control, the legal characterisation may differ from a disclosure. PBSG nevertheless applies risk-based security and contractual controls. Some services cannot be provided without overseas processing; where a material choice exists, PBSG will explain relevant alternatives where reasonably practicable.

23. Websites, Referral Forms, Cookies, Analytics and Online Resources

PBSG’s websites and online tools may collect information submitted by a user and technical information generated by a browser or device. This can include referral details, contact information, documents, location or service preferences, IP address, device information, session events, form status, error logs and security information.

23.1 Cookies and similar technologies

PBSG may use cookies, local storage, pixels, tags, software development kits and similar technologies for essential operation, preferences, accessibility, security, fraud prevention, performance, analytics and, where used and lawfully consented to, advertising. Users can manage many cookies through browser or consent settings, but blocking essential technologies may affect functionality.

23.2 Sensitive information and tracking

Information entered in a referral, contact or clinical free-text field may be health or sensitive information. PBSG’s policy is to configure analytics and advertising tools so that they do not intentionally receive the contents of sensitive form fields. PBSG will not intentionally disclose referral or health information to an advertising platform for targeted advertising without valid consent and a lawful basis.

23.3 Form progress and attachments

An online form may temporarily save progress in a browser or secure system, generate a reference number, validate fields, scan attachments for malware and send notifications. Uploaded documents may contain more information than PBSG needs. Users should provide only relevant documents and should avoid including unnecessary information about other people.

23.4 Analytics and website performance

PBSG may analyse aggregated use of its website and resources to understand demand, performance, errors, geography and user experience. Information may be de-identified and used broadly under section 12. Website information is general and does not guarantee service acceptance, suitability, timing or practitioner availability.

23.5 Third-party websites and embedded services

PBSG’s website may link to or embed third-party services. Those providers may collect information under their own privacy policies. PBSG is not responsible for an independent third party’s privacy practices, but will seek to assess providers that process PBSG information.

23.6 Security and urgent matters

No website transmission is completely secure. Do not use a general website form for an emergency. Contact emergency services where there is an immediate threat to life or safety. PBSG may use anti-spam, bot-detection and security services that process device and interaction data, including overseas.

24. Communications, Direct Marketing, Social Media and Testimonials

PBSG may communicate by email, telephone, SMS, post, telehealth platform, portal or messaging service about referrals, appointments, services, safety, documents, accounts, changes, feedback and other matters connected with the relationship. Communications may be generated, prioritised, translated, summarised or quality-checked with approved AI.

PBSG may send newsletters, resources, event information, service updates or other direct marketing where consent has been given or the communication is otherwise permitted. Marketing messages will provide an opt-out where required. Opting out of marketing does not stop service, safety, legal, account or administrative communications.

PBSG will not use sensitive health or disability information for direct marketing, or disclose it to another organisation for direct marketing, unless valid consent or a clear legal exception applies. PBSG does not sell contact lists to third-party marketers.

Comments, reviews or messages posted publicly on social media may be visible to others and may be retained by the platform. PBSG may moderate, respond to, archive or use public engagement data for service and communications purposes. A private social-media message is not an appropriate channel for urgent or detailed clinical information.

PBSG will ordinarily obtain specific consent before publishing an identifiable testimonial, case study, photograph, video or participant story. Consent will describe the intended audience and channels. De-identified case examples may be used under section 12, but PBSG will consider whether a combination of rare facts could identify the person.

25. Research, Quality Improvement, Training and Public Materials

PBSG may review service information to improve quality, consistency, safety, participant outcomes, practitioner training, workforce planning, resources, systems and business performance. Activities may include audit, supervision, peer review, incident trend analysis, restrictive-practice reduction, outcome measurement, benchmarking, evaluation, research and service design.

PBSG prefers de-identified, aggregated or synthetic information for these purposes and may use it broadly as described in section 12. PBSG may share de-identified material with researchers, consultants, universities, professional bodies, technology providers, funders or collaborators under suitable arrangements.

Identifiable information may be used for internal quality and supervision where directly related to service delivery and expected, or with consent or another lawful basis. External research, publication or model training involving identifiable sensitive information will require a separate legal and ethical assessment and any required consent, approval or data-sharing agreement.

Training may use fictional, synthetic or de-identified scenarios. Where an identifiable real case is necessary, PBSG will limit access and use the information only where authorised. Staff and contractors may not copy participant records into unapproved training or AI tools.

PBSG may use AI to identify themes, create de-identified examples, draft training materials, generate quizzes, create code or visuals, translate content and evaluate resources. Human review is required where accuracy, clinical safety, cultural sensitivity or accessibility is material.

26. Recruitment, Workers, Contractors and Referees

PBSG may collect information from job applicants, subcontractor applicants, workers, students, volunteers and referees to assess suitability, verify credentials, meet NDIS and legal requirements, enter and administer contracts, allocate work, supervise performance, manage safety and protect participants.

PBSG may disclose workforce information to screening bodies, professional regulators, insurers, payroll or accounting providers, training providers, referees, clients where relevant, the NDIS Commission and other authorised bodies. PBSG may keep unsuccessful applications for future opportunities with consent or where reasonably expected, and will delete or de-identify them when no longer required.

Approved AI may assist with resume summarisation, qualification extraction, interview transcription, correspondence, skills matching, scheduling, onboarding, training and workforce planning. AI may recommend that an application be reviewed or identify a missing requirement, but PBSG’s policy is not to make a final hiring, engagement, disciplinary or termination decision solely through AI without meaningful human review.

The Privacy Act contains an employee-records exemption for certain acts directly related to a current or former employment relationship. PBSG nevertheless aims to apply reasonable confidentiality, security, access and accuracy safeguards to workforce records. Contractor and applicant information may not fall within the exemption and is handled under applicable privacy law.

A referee should provide only information relevant to the assessment and should have an appropriate basis for doing so. PBSG may tell an applicant the general outcome of a reference process but may withhold or redact confidential third-party information where permitted.

27. Data Quality and Correction During Service Delivery

PBSG takes reasonable steps to ensure personal information it collects, uses and discloses is accurate, up to date, complete and relevant. The steps depend on the purpose and consequences of error. PBSG may confirm information with the participant, representative or source; compare records; record the date and source; distinguish observation from opinion; review AI output; and annotate uncertainty or conflicting accounts.

Participants and representatives should tell PBSG when contact, authority, diagnosis, medication, support, funding, risk or other material information changes. PBSG is not responsible for an error it could not reasonably identify where information supplied was incomplete, outdated or inaccurate, but will correct the record when notified and required.

Behaviour support information often includes professional opinions, hypotheses and reports from different people. A request to correct a factual error is different from disagreement with a professional opinion. PBSG may preserve the original record for clinical, legal or audit integrity while adding a correction, updated assessment, participant statement or notation of disagreement.

AI-generated content is subject to heightened checking where it concerns an individual. PBSG may delete an unsupported inference, label it as unverified, correct the source data, regenerate the output or prevent further use where appropriate.

28. Security of Personal Information

PBSG takes reasonable steps to protect personal information from misuse, interference, loss and unauthorised access, modification or disclosure. Security measures may include:

  • role-based access, least-privilege permissions and separation of duties;
  • password standards, multi-factor authentication, device controls and session security;
  • encryption in transit and, where appropriate, at rest;
  • secure cloud and practice-management systems, backups and recovery procedures;
  • logging, monitoring, anti-malware, spam filtering, vulnerability management and incident alerts;
  • physical security for devices, paper records and work locations;
  • privacy, cybersecurity, confidentiality, AI and records training for personnel;
  • confidentiality clauses, provider due diligence and contractual security requirements;
  • data minimisation, de-identification, retention controls and secure destruction;
  • procedures for remote work, mobile visits, telehealth, email, portable devices and lost equipment; and
  • clinical governance and human review for high-risk AI outputs.

PBSG personnel must use approved systems for participant information and take care when working in homes, vehicles, schools, shared offices and public locations. Paper notes, screens and conversations must be protected from unauthorised viewing or hearing. Personal devices may be restricted or managed where they access PBSG information.

No organisation can guarantee absolute security. Internet transmission, human error, malicious activity, supplier incidents and new technology create residual risk. Individuals should use secure passwords, keep contact details current, check recipients before sending information and notify PBSG promptly of suspected unauthorised access or an incorrectly addressed communication.

29. Data Breaches and Security Incidents

PBSG maintains or will maintain processes to identify, contain, assess, remediate and document suspected data breaches. A breach may include loss of a device, misdirected email, unauthorised record access, compromised credentials, ransomware, accidental publication, inappropriate AI input, model leakage, supplier incident or unauthorised disclosure.

PBSG may suspend access, recall messages, reset credentials, preserve evidence, contact recipients, involve technology or legal advisers, notify insurers, review affected systems, assess likely harm and take steps to prevent recurrence.

Where the Notifiable Data Breaches scheme or another law applies, PBSG will undertake the required assessment within the prescribed period and notify the Office of the Australian Information Commissioner and affected individuals where an eligible data breach is likely to result in serious harm and remedial action has not prevented that risk. PBSG may also notify the NDIS Commission, State or Territory health-privacy regulator, law enforcement, insurer, professional body or other authority where required or appropriate.

A person who believes information has been lost, accessed or disclosed without authority should contact PBSG immediately using the details in section 35. Prompt notice can help PBSG contain harm.

30. Retention, Archiving, Deletion and De-Identification

PBSG retains personal information for as long as reasonably necessary for service delivery, continuity, safety, complaints, incidents, legal claims, insurance, audit, NDIS obligations, professional requirements and other lawful business purposes. The applicable period depends on the record, the individual’s age, the jurisdiction and whether a legal hold or investigation applies.

As a general guide, participant and health records may need to be retained for at least seven years after the last service. Under NSW health-records law, health information collected while a person was under 18 is generally retained until the person reaches 25. NDIS incident and provider records may also require minimum retention periods. PBSG will apply a longer period where another law, contract, professional rule, complaint, claim or safeguarding need requires it.

Final notes, assessments, behaviour support plans, reports, consents and material communications may form part of the health or service record. Raw recordings, duplicate files, working drafts and temporary AI outputs may be retained for a shorter period unless needed for verification, accessibility, supervision, complaint, incident, training, legal or regulatory purposes.

Financial, tax, corporate, insurance, workforce, screening and contract records are retained for the applicable statutory or business period. Unsuccessful recruitment information may be retained for a reasonable talent-pool period with consent or then destroyed or de-identified.

Deletion from an active system may not immediately remove information from secure backups, archives, audit logs or supplier recovery systems. Such copies are protected, not routinely accessed and deleted or overwritten according to the relevant cycle. PBSG may retain a minimal record of destruction or transfer where required.

When personal information is no longer required and no exception applies, PBSG will take reasonable steps to destroy or de-identify it. Properly de-identified, aggregated or synthetic information may be retained indefinitely and used as described in section 12.

31. Access to and Correction of Personal Information

An individual may request access to personal information PBSG holds about them and may request correction if it is inaccurate, out of date, incomplete, irrelevant or misleading. A request should be sent to the Privacy Officer and should identify the person, the information requested and the preferred form of access.

PBSG may require evidence of identity and authority before giving access or making a correction. A representative may need to provide written authority, guardianship, nominee, attorney or other documentation. PBSG may contact the individual directly to verify the request.

PBSG aims to respond within a reasonable period, generally within 30 days where practicable, and within any applicable statutory period. Certain NSW private-sector health-information requests may have a 45-day response period. Urgent requests will be considered according to need and legal requirements.

Access may be provided by secure electronic copy, paper copy, inspection, explanation, summary or another suitable form. PBSG may charge a reasonable fee for the administrative cost of providing access where permitted, but will not charge merely for making a request.

PBSG may refuse or limit access where permitted by law, including where access would pose a serious threat, unreasonably affect another person’s privacy, reveal legally privileged material, prejudice an investigation, be unlawful, relate to certain negotiations or be an unreasonable repeated request. PBSG will give written reasons and complaint options where required.

If PBSG does not agree to change a record, the individual may ask PBSG to attach a statement or notation explaining the claimed correction. Where PBSG corrects information previously disclosed, it will take reasonable steps to notify relevant recipients where required or appropriate.

A request for deletion will be considered, but PBSG may need to retain the information as a health, NDIS, incident, financial, employment, legal or audit record. Where deletion is not available, PBSG may restrict use, correct, annotate, archive or de-identify information where appropriate. PBSG may provide a portable electronic copy where reasonably practicable but does not promise a specific data-portability right beyond applicable law.

32. Anonymity and Pseudonymity

A person may make a general enquiry, browse public resources or provide anonymous feedback without identifying themselves where practicable. A pseudonym may sometimes be used for a preliminary enquiry.

PBSG will generally need a person’s real identity and sufficient information to provide behaviour support, verify consent and authority, assess risk, communicate with a support network, claim NDIS funding, maintain health records and meet regulatory obligations. PBSG may decline or limit a service where anonymity or a pseudonym would make the service unsafe, unlawful, impracticable or misleading.

33. Privacy Enquiries and Complaints

A person may contact PBSG with a privacy question, concern or complaint, including a concern about AI, recording, access, correction, disclosure, security, overseas processing or an automated decision. Complaints may be made by the individual or an authorised representative and will be handled without reprisal.

A complaint should include enough detail for PBSG to understand the issue, relevant dates, people or records, the outcome sought and any supporting information. PBSG may ask for identity or authority evidence and may need to consult staff, providers, insurers, advisers or regulators.

PBSG will normally acknowledge a complaint promptly, investigate it fairly, keep appropriate records and aim to provide a substantive response within 30 days. Complex, safety-sensitive or multi-party matters may take longer. PBSG will explain material delay where practicable.

Possible outcomes include explanation, correction, apology, access restriction, deletion where lawful, staff education, process change, provider review, security improvement, human reconsideration of an AI-assisted decision or referral to another complaints process.

If a person is not satisfied, they may contact the Office of the Australian Information Commissioner. For NSW health information, they may also be able to contact the Information and Privacy Commission NSW. Concerns about NDIS provider conduct, participant rights, incidents or safeguards may also be raised with the NDIS Quality and Safeguards Commission. Other State or Territory health-privacy regulators may have jurisdiction depending on the circumstances.

34. Changes to this Policy

PBSG may update this policy to reflect changes in law, NDIS requirements, services, systems, AI capabilities, providers or information practices. The current version will be made available on PBSG’s website and will state its effective date.

A revised policy generally applies from its stated effective date. If PBSG proposes a materially different use that requires consent, updating the policy alone will not replace the need to obtain that consent. PBSG may provide additional notice by email, service communication, website banner, meeting notice or updated agreement where appropriate.

35. Contact Details

Privacy Officer
MB Positive Behaviour Support Pty Ltd
Trading as The Positive Behaviour Support Group (PBSG)
ABN 57 684 771 257
NDIS Registration Number 4053368702
Main business location: NSW 2287, Australia
Email: Hello@PBSG.com.au
Telephone: 0468 167 025
Website: https://www.pbsg.com.au/

When contacting PBSG about privacy, please avoid sending unnecessary sensitive information in the initial message. PBSG may arrange a more secure way to provide documents or verify identity.

Appendix A: Detailed AI Use and Safeguard Matrix

This matrix gives practical examples of the broad AI uses covered by this policy. It is illustrative, not exhaustive. PBSG may adopt new tools and workflows where the use remains lawful and appropriately governed.

AI activity Examples of use and information Safeguards and individual choice
Meeting notes and transcription Audio, video, voice, attendee details, discussion, chat and shared documents may be processed to create transcripts, summaries, actions and draft notes. Clear notice and any required consent; approved tool; option to object where practicable; review of material notes; raw recording retention limited according to purpose.
Clinical and behaviour-support drafting Approved AI may assist with assessment structure, progress notes, reports, behaviour support plans, implementation guidance, letters and funding evidence. Minimum necessary information; professional review; source checking; no final clinical or restrictive-practice decision solely by AI.
Ideas, writing and planning Generative AI may brainstorm, outline, rewrite, edit, summarise, translate or format policies, procedures, plans, training, communications, proposals and resources. Public tools receive only non-confidential, de-identified or synthetic material; identified information only in an approved system where lawful.
Programming and software development AI may generate or review code, database queries, formulas, scripts, automations, integrations, websites, calculators, dashboards, tests and documentation. Use synthetic or de-identified test data; minimise personal data in logs; approved coding assistant for protected code or technical information.
Internal search and knowledge retrieval AI may search approved documents, emails, policies, records or knowledge bases and summarise relevant content for an authorised user. Role-based access; retrieval limited to permitted sources; output inherits the sensitivity of source data; logging and human verification.
Accessibility and communication AI may create plain-language, Easy Read drafts, translations, captions, visual concepts, AAC-support ideas or adapted communications. Human review for meaning, culture and clinical safety; interpreter or specialist review where necessary; consent for sensitive recording inputs.
Referral, availability and scheduling Automation may classify referrals, suggest urgency, match locations or skills, identify missing information and propose appointments or practitioners. Human review for material service decisions; ability to correct input; no guarantee based on automated result; significant decisions not solely automated.
Security, fraud and system integrity AI or rules may detect spam, malware, suspicious login, anomalous access, fraudulent claims or unsafe content. May operate automatically; information limited to security purpose; alerts investigated; access restricted; legal reporting where required.
Quality, supervision and audit AI may identify missing fields, inconsistent dates, themes, outcome trends, incident patterns or training needs. Access limited; findings treated as indicators, not facts; human review; de-identification preferred for broader analytics.
Recruitment and workforce AI may summarise resumes, extract credentials, transcribe interviews, suggest matches, draft communications and support workforce planning. No final hiring, disciplinary or termination decision solely by AI; review for bias; applicant may correct factual information.
Research, model evaluation and service development De-identified or synthetic information may be used to evaluate, train, fine-tune or improve models, prompts, systems, templates, resources and services. Robust de-identification; re-identification risk assessment; contractual controls where appropriate; identifiable sensitive data requires separate lawful basis and safeguards.
Marketing and public content AI may generate ideas, drafts, images, articles, social posts, newsletters and website content. No identifiable participant story, image or health information without specific consent; de-identified examples checked for re-identification risk.

Appendix B: Suggested AI Note-Taking and Recording Notice

PBSG would like to use an approved AI meeting assistant to record and/or transcribe this meeting and prepare a summary, action list and draft notes. The tool may process the names and voices of attendees and information discussed, which may include health, disability, behavioural, family and other sensitive information. The provider may process information in Australia and/or overseas as described in PBSG’s Privacy Policy.

A PBSG practitioner or authorised worker will review material notes before they are relied on. The raw recording may be deleted after verification or retained where reasonably necessary for the agreed purpose, accessibility, supervision, quality, complaint, incident, legal or regulatory requirements. The reviewed transcript, summary or final note may form part of the participant or business record.

You may ask questions, request that the tool not be used, ask for manual notes where reasonably practicable, or ask for the recording to be paused. Declining an optional recording will not by itself affect your access to PBSG services, although PBSG may explain if a particular alternative is not practicable.

Consent options:
[ ] I consent to recording, transcription and AI-assisted summarisation for the purposes described.
[ ] I consent to transcription and summarisation but request deletion of raw audio after the note is checked, subject to legal obligations.
[ ] I do not consent to recording or AI note-taking and request an alternative.
Name: ____________________ Signature or recorded verbal consent: ____________________ Date: __________

Appendix C: Suggested Short Collection Notice for the Online Referral Form

MB Positive Behaviour Support Pty Ltd, trading as The Positive Behaviour Support Group (PBSG), collects the information in this form to assess and respond to the referral, verify authority and funding, match an appropriate practitioner, manage risk and provide positive behaviour support services. The information may include sensitive health, disability, behavioural, safety, cultural and family information about the participant and other people.

PBSG may collect information from and disclose it to authorised representatives, the participant’s support network, practitioners, schools, health and disability providers, plan managers, support coordinators, the NDIA, the NDIS Commission, regulators and service providers including cloud, communications, practice-management and approved AI providers. Some providers may process information overseas.

PBSG may use approved AI to help triage the referral, identify missing information, transcribe or summarise authorised communications, draft documents, support administration and improve quality. Public generative AI tools are not used with identifiable referral or participant information. PBSG may use properly de-identified information broadly for analytics, training, research, service development, writing, planning, coding and AI improvement as set out in the Privacy Policy.

If required information is not provided, PBSG may be unable to assess or accept the referral or provide safe and effective services. Please provide only relevant information and confirm that you are authorised to provide information about the participant and any other person named.

By submitting, you acknowledge the PBSG Privacy Policy. This acknowledgement is not a substitute for any separate consent PBSG is required to obtain. Privacy enquiries: Hello@PBSG.com.au or 0468 167 025.

Back to top

Privacy Officer · MB Positive Behaviour Support Pty Ltd · Hello@PBSG.com.au · 0468 167 025