
Privacy Reforms – What do they mean for the aged care industry?

By Julie McStay, 13 Feb 2014


Significant reforms to the privacy laws in Australia are set to commence on 12 March 2014.  The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cwth) (the Act) makes changes to the Privacy Act 1988 (Cwth) (the Privacy Act) including the introduction of a new harmonised set of privacy principles, the Australian Privacy Principles (the APPs).

Generally, businesses with an annual turnover of $3 million or less are not required to comply with the APPs. However, aged care providers are covered by the Privacy Act and the APPs because they provide a health service to individuals and are an exception to the $3 million turnover rule.

In this article we have set out the basic information you need to know about the changes to privacy laws. This article is not a substitute for legal advice. If you are interested in obtaining further advice, obtaining a compliant policy or attending one of our webinars, please contact us.

Failure to comply

A failure to comply with the new APPs may have significant consequences for entities.  After 12 March 2014, the Privacy Commissioner will have new powers in dealing with non-compliance with the APPs and other privacy laws.  Fines of up to $1.7 million for organisations and $340,000 for individuals may apply for serious and repeated breaches of the APPs. 

The Australian Privacy Principles

The APPs will replace the National Privacy Principles and the Information Privacy Principles that currently apply to Australian businesses and Australian Government agencies. 

A number of the APPs are new and significantly different from the current principles, and are likely to impact on the activities of aged care providers. In particular, the APPs introduce:

  • more onerous obligations in respect of the storage of information;
  • new rules regarding the collection of unsolicited information;
  • new rules about notifying individuals whose personal information is collected by an entity; and
  • changes to the rules relating to direct marketing.

There are also significant changes surrounding cross-border disclosure of information. While these changes will mostly impact those businesses operating internationally, they will also affect those providers who use offshore data storage.

The key changes are outlined below:

Open and transparent management of personal information

All APPs must be read in the context of APP1 which provides that you must take reasonable steps to implement practices, procedures and systems to ensure compliance with the APPs.  In addition to having a compliant privacy policy, you will be required to take a proactive approach to privacy compliance.  This means you may have to upgrade your information systems, collection policies and staff training.

Importantly, the APPs will require entities to have a “clearly expressed and up to date” APP policy. This document should be tailored to aged care providers as it must specifically account for the types of information collected by facilities (i.e. health information). A “cookie cutter” approach will not be acceptable.

Unsolicited information

The APPs create new rules on how an entity must deal with “unsolicited information.” Unsolicited information includes any personal information, not relevant to the entity’s functions, which the entity did not actively seek to collect.

If you receive unsolicited information then you will be required to “de-identify or destroy the information as soon as practicable”. For example, if a prospective resident, in filling out a resident agreement, accidentally provides personal records not relevant to their care or financial position, then this would constitute unsolicited information and should be destroyed.

Notification of the collection of personal information

Under the current privacy principles, an entity is required to inform an individual about various matters, such as the identity of the organisation collecting the personal information, the purpose of the collection and the rights an individual has to access their personal information. However, post 12 March 2014, entities will be required to provide additional information to an individual, such as whether the personal information will be disclosed to overseas recipients (if so, the location of the recipient), how the individual can access and correct their personal information and how the individual can make a complaint about a breach of the APPs.

The rules about the collection of sensitive information (i.e. health information) are essentially the same. An entity will only be able to collect sensitive information if the individual consents and the information is reasonably necessary for the entity’s functions.

Direct marketing

The APPs now provide that an entity must not use or disclose personal information for the purposes of direct marketing unless the individual has consented or at least been given an opportunity to opt-out. 

Security of information

Under the current privacy principles, entities must ensure that an individual’s personal information is protected from misuse, loss, unauthorised access, modification or disclosure.  The new APPs will place an additional requirement on entities to ensure that personal information is secure from “interference”. 

For example, this means aged care providers who hold personal information on computers or other electronic devices must ensure that the information is protected from computer viruses, and other forms of virtual-attacks.  Aged care providers should at a minimum review their record security, computer systems, software and information technology practices to ensure there are adequate security protections in place.

Where to from here?

If you have not undertaken a thorough review of your facility’s privacy policies and procedures, you should do so because it is likely you will need to make some changes to your systems to ensure you are compliant post 12 March 2014.

Quick steps for compliance

As a minimum aged care providers should:

  1. Conduct a privacy audit – Review the types of information they hold, how the information is collected, how the information is stored and disclosed, the steps in place for de-identifying or destroying personal information, whether the current privacy policy document is compliant and their staff training.
  2. Update and review your privacy policy – Ensure you have an up-to-date and compliant APP policy specifically tailored to aged care providers and the types of information collected.
  3. Review how information is stored – Review your system of storing personal information to ensure the information is secure.
  4. Update and review policies for de-identifying and destroying information – Ensure you have policies and procedures in place for dealing with unsolicited information or information no longer required by a facility.
  5. Update and review collection statements – Implement policies on how an individual will be notified that their personal information is being collected.
  6. Appoint a privacy officer – Appoint a privacy officer, who will be responsible for providing staff training, dealing with complaints and inquiries and monitoring the performance of your privacy policy and procedures. An existing employee could assume the role of privacy officer and it does not have to be their only role.  The person who does take on the role needs to clearly understand the organisation’s privacy obligations and the steps that the organisation has taken to become compliant.

Hynes Legal and Simply Legal can help you comply. Our privacy policy for aged care providers is available now. If you are interested in the policy, legal advice or in attending one of our webinars please contact us.