About this policy
In this policy, personal information and sensitive information have the meanings given to them in the Privacy Act, which is available on the Federal Register of Legislation. Detailed information on privacy and the APPs is available on the Office of the Australian Information Commissioner’s website.
We collect, hold, use and disclose personal information to carry out our functions under the Aged Care Quality and Safety Commission Act 2018 (the Commission Act). These functions include:
- protecting and enhancing the safety, health, well-being and quality of life of aged care consumers
- determining applications for approval of providers of aged care, ensuring compliance with their responsibilities and imposing sanctions for non-compliance
- handling reportable incident notifications under the Serious Incident Response Scheme
- promoting the provision of quality care and services
- developing and promoting best practice models for engagement between aged care service providers and their aged care consumers
- dealing with complaints made or information given to the Commission about an aged care provider’s responsibilities under the Aged Care Act 1997 (Aged Care Act) or funding agreement
- regulating and monitoring the provision of aged care services
- providing information and education about the functions of the Commissioner
- taking action in relation to compliance with the Code of Conduct for Aged Care (Code of Conduct)
- reviewing and investigating the use of refundable deposits and the charging of fees, and assessing whether providers are financially sound to sustainably deliver quality services to consumers
- other functions that may be provided for by the Commission Act, Aged Care Act or any other law of the Commonwealth.
We may also collect, use and disclose your personal information as part of activities we undertake that are incidental or conducive to our functions.
Collection of personal information
We collect your personal information when you interact with us when we perform our functions or related activities. For example, we may collect your personal information if you are an aged care consumer, a consumer’s representative, an aged care worker, governing person, a representative of an approved provider or an applicant to be a provider.
We only collect the information we need for the function or activity we are carrying out. The main way we will collect your personal information is when you give it to us. For example, we collect your personal information when you:
- contact us through the various contact channels we have (including phone, website, email and social media) to provide feedback or make an enquiry
- speak to our assessors when they visit an aged care service
- speak to our investigators
- make, or provide information in connection with, a complaint about an aged care provider
- submit a notification of a reportable incident under the Serious Incident Response Scheme
- give us information about your qualifications and experience in connection with an application for approval as a provider of aged care
- ask the Commission for information or documents
- apply for a job with the Commission.
Sometimes we will collect your personal information indirectly, from:
- your representative such as a legal guardian or family member
- your aged care provider, where necessary for the exercise of our functions
- a third party, such as another government agency, where authorised by law or with your consent (if possible)
- an organisation contracted by the Commission to provide services on our behalf, or to assist the Commission with its human resources, communications, IT or other corporate activities.
We will collect personal information through a range of different channels, including when we communicate with you or your representative by letter, email, through our website and social media, when you respond to a survey in which you are identifiable, and via the My Aged Care Service Provider Portal. We also collect personal information when you or your representative meet with us face to face or deal with us by telephone.
Kinds of personal information we collect
We collect a range of personal information where it is required for the exercise of our functions. The type of personal information we collect depends on the reason we are collecting it. The following kinds of personal and sensitive information are examples of personal information we may collect, where relevant to the function being exercised:
- your name, address, date of birth, position title, gender and contact details (such as mobile phone number, address and email address)
- other information to verify your identity, if required (such as country of birth, passport details, visa details, driver’s licence, birth certificates and ATM cards)
- information about your employment status and history, financial affairs, and your cultural and linguistic background
- photographs, video recordings and audio recordings
- information about your health and wellbeing, including any disabilities you may have
- information about aged care services you provide, or that are provided to you
- information about any family or other related persons such as partners, children, dependants, carers, and nominees or authorised representatives
- information about criminal history
- information or opinions about your behaviour and treatment of aged care consumers under the Code of Conduct
- government identifiers (e.g. Centrelink Reference Number or Tax File Number)
- information about how you use our online services such as online forms you fill in, pages you visit, your language preferences, and other online interactions including complaints or feedback.
You can read more about the collection of personal information in our Notice of Collection.
If you send us your personal information when we don’t ask for it, we will determine whether the information is relevant to our functions. If it is not, we may destroy or de-identify the personal information if it is lawful and reasonable to do so.
Where possible, you may interact with us anonymously or using a pseudonym. For example, you may remain anonymous when you ask for information about a program, policy or consultation process. You may also remain anonymous when making a complaint.
In some circumstances, it may not be practical to remain anonymous or use a pseudonym, or we may be legally required to deal with you in an identified form. For example, we may not be able to resolve a complaint without collecting your name. We will notify you at the time of collection if this is the case.
Use and disclosure
The Commission will generally only use and disclose personal information for the particular purpose for which it was collected. For example, personal information collected during a site visit will be used to assess an aged care service’s performance under the Aged Care Quality Standards. Personal information collected during a complaint process will be used to enable us to manage the complaint, or it may be disclosed to the other party to the complaint in our feedback letter. We may also use your personal information for a related purpose, such as to undertake our other functions or to survey you about your satisfaction with our service.
We routinely disclose personal information to a number of other agencies and bodies as required or authorised by or under law. For example, the Commission may be required to disclose information to the Secretary of the Department of Health and Aged Care where the information is relevant to the performance of the Secretary's functions or powers.
We will not otherwise use or disclose your personal information for another purpose unless we obtain your consent or the use or disclosure is permitted under the Privacy Act.
Disclosure of personal information overseas
We do not usually use or disclose personal information overseas, except in limited circumstances:
- email traffic may be assessed by overseas service providers for malicious and harmful content, to mitigate security risks
- we may send personal information offshore to the person it is about or if the complainant is located overseas
If we intend to disclose personal information to an offshore recipient in other circumstances, we will take reasonable steps to notify you. We will also take reasonable steps before disclosure to ensure that the overseas recipient will not breach the APPs. Otherwise, we will:
- ensure the recipient of the information is subject to a law, or binding scheme, that has the effect of protecting information in a way that, overall, is at least substantially similar to the way in which the APPs protect the information, or
- obtain your express consent to make the disclosure after informing you that the Commission will not be responsible for ensuring the overseas recipient complies with the APPs in relation to the information.
Storage and security of personal information
Personal information held by the Commission is stored on electronic media and on paper files. We take reasonable steps to protect your personal information against misuse, interference and loss, and from unauthorised access, modification or disclosure. These steps include:
- Our staff undertake annual privacy training and attend privacy awareness and education sessions.
- Our networks and websites have security features in place to protect the information that the Commission holds from misuse, interference and loss, and from unauthorised access, modification or disclosure.
- Access to records by staff and contractors is restricted to officers on a need-to-know basis.
- We restrict physical access to our office and areas housing personal information, use lockable cabinets, secure databases, permission restrictions and password protection.
- Emails you send to us are screened by our email security systems and may be viewed by authorised information technology personnel for security purposes.
When no longer required, we destroy or archive personal information in a secure manner and as permitted by relevant legislation.
In addition, our staff are bound by legislative provisions in the Commission Act that regulate handling of ‘protected information’ we collect to carry out the Commission's functions.
How to access and correct your personal information
You have a right under the Privacy Act to access personal information that we hold about you. You also have a right to request correction of your personal information if it is inaccurate, out of date, incomplete, irrelevant or misleading.
If you ask, we must give you access to your personal information, and take reasonable steps to correct your personal information, unless there is a law that allows or requires us not to. We will notify you in writing and explain our reasons if we refuse to give you access to, or correct, your personal information.
If you are seeking access to an aged care provider's records, we recommend you contact the provider directly in the first instance. If you are seeking care records of someone you do not legally represent, be aware that there are restrictions in the Privacy Act and the Commission Act about disclosing this information to you.
If you wish to request access or correction of your personal information, you should contact the Commission's Privacy Officer using the details below.
If you have a concern about the way we handle your personal information, you can make a complaint. If you are dissatisfied with our response, you can complain to the Australian Information Commissioner, who is independent of the Commission. The Information Commissioner has the power to investigate complaints about possible breaches of the Privacy Act. Further information can be obtained directly from the Office of the Australian Information Commissioner at www.oaic.gov.au.
The Privacy Officer’s contact details are:
Mail: Privacy Officer
Aged Care Quality and Safety Commission
PO Box 9819
Canberra ACT 2601
Phone: 1800 951 822.
Updates to this policy
Last updated: 1 December 2022
Review date: 1 December 2023
Privacy Impact Assessments
Under the Australian Government Agencies Privacy Code (the Code), agencies must undertake a written Privacy Impact Assessment (PIA) for all projects involving new or changed ways of handling personal information that are likely to have a significant impact on the privacy of individuals.
The table below is updated with PIAs completed by the Commission since its commencement on 1 January 2019:
Date of completion
Title of PIA
Aged Care Code of Conduct and Banning Orders
Front Door Project - Genesys
Serious Incident Response Scheme
Consumer Engagement Survey Pilot
Risk Based Targeting and Information Sharing Project – Phase 2
Risk Based Targeting and Information Sharing Project
To find out more about how we manage personal information, to make a privacy complaint or to request access to or correction of your personal information, see our Privacy webpage, Notice of Collection or contact the Privacy Officer using the details above. For more general information on the Privacy Act and the APPs:
- Call the Information Commissioner's enquiries line 1300 363 992 (local call charge).