How we protect your personal information

Ability Advocates is committed to handling your personal information responsibly, securely, and in accordance with all applicable Australian laws and regulatory frameworks. This Privacy Policy applies to both Ability Advocates Australia Pty Ltd (AA) - a registered NDIS provider and registered Group Training Organisation (GTO) - and the Ability Advocates Foundation (AAF), a registered ACNC charity. Both entities collect, use, and store personal information in line with the obligations described in this policy. This policy is governed by the following legislative and regulatory frameworks: • Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) • NDIS Act 2013 (Cth) and NDIS Practice Standards • Health Records and Information Privacy Act 2002 (NSW) • My Health Records Act 2012 (Cth) - where applicable • National Vocational Education and Training Regulator Act 2011 (Cth) - for GTO obligations • Australian Consumer Law - for fair handling of personal data • Medicare Benefits Schedule (MBS) requirements - for health information collected under Medicare-funded services This policy explains what information we collect, why we collect it, how it is used and stored, who we share it with, and your rights in relation to your personal information. Last updated: April 2026

Why we collect and use your personal information

Ability Advocates collects and uses your personal information only for purposes that are directly related to our services, our legal obligations, or the legitimate operation of our business. We never use your information for unrelated commercial purposes or sell it to third parties. NDIS Services (Ability Advocates Australia) To assess eligibility, deliver NDIS-funded supports, manage service agreements, report to the NDIS Commission, and meet NDIS Practice Standard requirements including incident reporting and quality audits. Medicare-Funded Services (Ability Advocates Australia) To deliver services funded through the Medicare Benefits Schedule (MBS), including psychology and allied health sessions. Medicare-funded services require collection of sensitive health information in accordance with the Privacy Act 1988 (Cth) and the Health Records and Information Privacy Act 2002 (NSW). Where a GP referral is required (e.g. Mental Health Treatment Plans under Better Access), referral information and Medicare numbers are collected and handled in accordance with MBS requirements. GTO (Group Training Organisation) Services (Ability Advocates Australia) As a registered GTO, we collect personal information about apprentices and trainees - including tax file numbers (where required), employment history, training records, and health or disability information relevant to workplace adjustments. This information is collected under obligations set out in the National Vocational Education and Training Regulator Act 2011 (Cth), the Australian Apprenticeships Policy, and applicable state training authority requirements. Personal information collected for GTO purposes is used solely for training, host employer placement, payroll, and compliance reporting. Advocacy Services (Ability Advocates Foundation) To provide free, independent advocacy, including system navigation, human rights advocacy, and NDIS access support. The Foundation collects only the minimum information necessary for each case and does not share personal information with Ability Advocates Australia without explicit consent. General Operational Purposes (both entities) To communicate with clients, carers, and referrers; respond to enquiries; manage complaints; conduct quality improvement activities; and comply with our legal and regulatory obligations. Sensitive Information Health information, disability status, mental health records, and Medicare details are treated as sensitive information under the Privacy Act 1988 (Cth). We collect sensitive information only with your consent, or where required or authorised by law. We apply additional safeguards to the storage, access, and disclosure of all sensitive information.

Who we share your information with - and your rights

Ability Advocates will only disclose your personal information where you have given consent, where it is necessary to deliver the service you have requested, or where we are required or authorised by law. Who we may share your information with: • NDIS Commission - for compliance, audit, and incident reporting purposes as required by the NDIS Act 2013 (Cth) • NDIA (National Disability Insurance Agency)** - to support plan management, funding claims, and service delivery under your NDIS plan • Medicare Australia / Services Australia - for MBS billing, GP Mental Health Treatment Plan claims, and health service reporting under Medicare • Host employers and training organisations - for GTO traineeship and apprenticeship placement, supervision, and compliance purposes only. Personal information shared with host employers is limited to what is necessary for the placement. • State and territory training authorities - for GTO registration, audit, and apprenticeship reporting obligations • NSW Department of Education - where required for GTO compliance and audit • GP and referring health professionals - with your consent, to coordinate care and provide progress updates • Support coordinators and plan managers - with your consent, to coordinate NDIS supports • Allied health professionals and other service providers - only where necessary for your care and with your consent • The Ability Advocates Foundation - only where you have given explicit consent for your information to be shared between the two entities We do not share your personal information with any party outside these categories without your explicit consent, unless required to do so by law. Cross-border disclosure Ability Advocates uses cloud-based systems that may store data on servers located outside Australia. Where this occurs, we take reasonable steps to ensure your information is protected in accordance with the Australian Privacy Principles. Your rights: You have the right to: • Access a copy of your personal information held by us • Request correction of any inaccurate or outdated information • Withdraw consent to the use or disclosure of your information at any time (subject to our legal obligations) • Make a complaint about how your information has been handled To exercise any of these rights, contact us at info@abilityadvocates.com.au or call 1300 028 928. We will respond within 30 days.