About this policy
In this policy, personal information and sensitive information has the meaning given to it in the Privacy Act, which is available on the Federal Register of Legislation. Detailed information on privacy and the APPs is available on the Office of the Australian Information Commissioner’s website.
We collect, hold, use and disclose personal information to carry out our functions under the Aged Care Quality and Safety Commission Act 2018 (the Commission Act). These functions include:
- protecting and enhancing the safety, health, well-being and quality of life of aged care consumers
- determining applications for approval of providers of aged care, ensuring compliance with their responsibilities and imposing sanctions for non-compliance
- handling reportable incident notifications under the Serious Incident Response Scheme
- promoting the provision of quality care and services
- developing and promoting best practice models for engagement between aged care service providers and their aged care consumers
- dealing with complaints about certain aged care providers
- regulating and monitoring the provision of aged care services
- providing information and education about the functions of the Commissioner
- other functions that may be provided for by the Aged Care Quality and Safety Commission Act, the Aged Care Act 1997, or any other law of the Commonwealth.
We may also collect, use and disclose your personal information as part of activities we undertake that are incidental or conducive to our functions.
Collection of personal information
We collect your personal information when you interact with us when we perform our functions or related activities. For example, we may collect your personal information if you are an aged care consumer, a consumer’s representative or if you are representative or employee of an approved provider (or an applicant to be a provider).
We try to only collect the information we need for the function or activity we are carrying out. The main way we will collect your personal information is when you give it to us. For example, we collect your personal information when you:
- speak to our assessors when they visit an aged care service
- make, or provide information in connection with, a complaint about an aged care provider
- submit a notification of a reportable incident under the Serious Incident Response Scheme
- give us information about your qualifications and experience in connection with an application for approval as a provider of aged care
- ask the Commission for information or documents
- apply for a job with the Commission.
Sometimes we will collect your personal information indirectly, from:
- your representatives such as a legal guardian or family member
- your aged care provider, where necessary for the exercise of our functions
- a third party, such as another government agency, where authorised by law or with your consent (if possible)
- a contracted service provider that provides services on behalf of the Commission, or assists the Commission with its human resources, communications, IT or other corporate activities.
We will collect personal information through a range of different channels including when we communicate with you or your representative by letter, email, through our website and when you respond to a survey in which you are identifiable. We also collect personal information when you or your representative meet with us face to face or deal with us by telephone.
Kinds of personal information we collect
The following kinds of personal and sensitive information may be collected:
- your name, address, gender, and contact or identity details
- other information about you such as your employment status and history, financial affairs, and your cultural and linguistic background
- information about your health and wellbeing, including any disabilities you may have
- information about aged care services you provide, or that is provided to you
- information about any family or other related persons such as partners, children, dependents, carers, and nominees or authorised representatives
- information about how you use our online services such as online forms you fill in, pages you visit, your language preferences, and other online interactions including complaints or feedback
You can read more about the collection of personal information in our notice of collection.
If you send us your personal information when we don’t ask for it we will determine whether the information is relevant to our functions. If it is not, we may destroy or de-identify the personal information if it is lawful and reasonable to do so.
Where possible, you may interact with us anonymously or using a pseudonym. For example, you may remain anonymous when you ask for information about a program, policy or consultation process. You may also remain anonymous when making a complaint.
In some circumstances, it may not be practical to remain anonymous or use a pseudonym, or we may be legally required to deal with you in an identified form. For example, we may not be able to resolve a complaint without collecting your name. We will notify you at the time of collection if this is the case.
Use and disclosure
The Commission will generally only use and disclose personal information for the particular purpose for which it was collected. For example, personal information collected during a site visit will be used to assess an aged care service’s performance under the Aged Care Quality Standards. Personal information collected during a complaint process will be used to enable us to manage the complaint, or it may be disclosed to the other party to the complaint in our feedback letter. We may sometimes use your personal information for a related purpose, such as to survey you about your satisfaction with our service.
We routinely disclose personal information to a number of other agencies and bodies as required or authorised by or under law. For example, the Commission may be required to disclose information to the Secretary of the Department of Health where the information is relevant to the performance of the Secretary's functions or powers.
We will not otherwise use or disclose your personal information for another purpose unless we obtain your consent or the use or disclosure is permitted under the Privacy Act.
Disclosure of personal information overseas
We do not ordinarily send personal information overseas. However, in limited circumstances, we may disclose your personal information to another person if they are located outside of Australia.
If we propose to disclose your personal information to an overseas recipient, we will take reasonable steps before disclosure to ensure that the overseas recipient will not breach the APPs. Otherwise, we will:
- ensure the recipient of the information is subject to a law, or binding scheme, that has the effect of protecting information in a way that, overall, is at least substantially similar to the way in which the APPs protect the information, or
- obtain your express consent to make the disclosure after informing you that the Commission will not be responsible for ensuring the overseas recipient complies with the APPs in relation to the information.
Storage and security of personal information
Personal information held by the Commission is stored on electronic media and on paper files. We take reasonable steps to protect your personal information against misuse, interference and loss, and from unauthorised access, modification or disclosure. These steps include:
- Our networks and websites have security features in place to protect the information that the Commission holds from misuse, interference and loss, and from unauthorised access, modification or disclosure.
- Access to records by staff and contractors is restricted to officers on a need to know basis.
- We restrict physical access to our office and areas housing personal information, use lockable cabinets, secure databases, permission restrictions and password protection.
- Emails you send to us are screened by our email security systems and may be viewed by authorised information technology personnel for security purposes.
When no longer required, we destroy or archive personal information in a secure manner and as permitted by relevant legislation.
In addition, our staff are bound by legislative provisions in the Commission Act that regulate the handling of ‘protected information’ we collect to carry out the Commission's functions.
How to access and correct your personal information
You have a right under the Privacy Act to access the personal information that we hold about you. You also have a right to request correction of your personal information if it is inaccurate, out of date, incomplete, irrelevant or misleading.
If you ask, we must give you access to your personal information, and take reasonable steps to correct your personal information, unless there is a law that allows or requires us not to. We will notify you in writing and explain our reasons if we refuse to give you access to, or correct, your personal information.
If you are seeking access to an aged care provider's records, we recommend you contact the provider directly in the first instance. If you are seeking care records of someone you do not legally represent, be aware that there are restrictions in the Privacy Act and the Commission Act about disclosing this information to you.
If you wish to request access or correction of your personal information, you should contact the Commission's Privacy Officer using the details below.
If you have a concern about the way we handle your personal information, you can make a complaint. If you are dissatisfied with our response, you can complain to the Australian Information Commissioner, who is independent of the Commission. The Information Commissioner has the power to investigate complaints about possible breaches of the Privacy Act. Further information can be obtained directly from the Office of the Australian Information Commissioner at www.oaic.gov.au.
The Privacy Officer’s contact details are:
Mail: Privacy Officer
Aged Care Quality and Safety Commission
PO Box 9819
Canberra, ACT 2601
Phone: 1800 951 822.
Updates to this policy
Last updated: 21 January 2022
Review date: 1 May 2023
Privacy Impact Assessments
Under the Australian Government Agencies Privacy Code (the Code), agencies must undertake a written Privacy Impact Assessment (PIA) for all projects involving new or changed ways of handling personal information that is likely to have a significant impact on the privacy of individuals.
The table below is updated with PIAs completed by the Commission since its commencement on 1 January 2019:
|Date of completion||Title of PIA|
|August 2021||Serious Incident Response Scheme|
|July 2021||Consumer Engagement Survey Pilot|
|July 2021||Risk-Based Targeting and Information Sharing Project – Phase 2|
|February 2020||Risk Based Targeting and Information Sharing Project|
To find out more about how we manage personal information, to make a privacy complaint or to request access to or correction of your personal information, contact the Privacy Officer using the details above. For more general information on the Privacy Act and the APPs:
- Visit the Office of the Australian Information Commissioner's website
- Call the Information Commissioner's enquiries line 1300 363 992 (local call charge).