1 Purpose

This Policy governs how members of the All Care 4 you Pty Ltd (we, us, our) collect, store, use, disclose and manage personal information. This Policy also outlines and explains the types of personal information we collect, the purposes for which it is collected, how you can request access to and correct personal information that we hold about you and how you can make a privacy complaint or contact us with your enquiries or concerns.

We take your privacy seriously and are committed to open and transparent management of personal information. When dealing with personal information, we comply with the Privacy Act 1988 (Cth) (Act), the Australian Privacy Principles in the Act, and all other applicable legislation, including State and Territory health records legislation.

Our suppliers and contractors are required to enter into written contracts ensuring their strict compliance with privacy laws.

This Policy does not apply to personal information that is exempt under the Act, including the employment records of our employees relating to their former or current employment with us.

2 Application

This document applies to all:

• Board members
• Executive Leadership Team
• Leaders of functions, areas and teams
• Workers.

3 What is personal information?

Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable:

• whether the information or opinion is true or not; and
• whether the information or opinion is recorded in a material form or not.

Sensitive information is a subset of personal information and includes:

• health information about an individual;
• genetic information (that is not otherwise health information);
• information or opinion (that is also personal information) about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, sexual preferences or practices or criminal record; and
• biometric information that is to be used for the purpose of automated biometric verification, biometric identification, or biometric templates.

What constitutes personal information will vary, depending on whether any individual can be identified or is reasonably identifiable in the particular circumstances.

4 What kinds of personal information do we collect and why?

Clients and prospective clients

When you enquire about our services or when you become a client of AC4U, a record is made which includes your personal information. Information Collected and Retained by AC4U is generally, but not limited to, Personnel Records and Information, Medical Records and Information, and Electronic Media and Communication.

The type of personal information that we collect will vary depending on the circumstances of collection and the kind of service that you request from us. Where relevant, we may also collect your medical or health information (discussed further below).

Prospective employees/applicants

We collect personal information when recruiting personnel, such as your name, contact details, qualifications, work history, your next of kin or your primary contact. Generally, we will collect this information directly from you.

We may also collect personal information from third parties in ways which you would expect. Before offering you a position, we may also collect additional details such as your tax file number and superannuation information and other information necessary to conduct background checks to determine your suitability for certain positions (for example, positions that require extra qualifications or a working with children check). Sources of information could include as examples, recruitment agencies or referees you have nominated, AHPRA, CrimTrac, Company Insurers, Regulators, Government Agencies e.g. Australian Tax Office, Social Security, Department of Foreign Affairs etc, Law enforcement, Legal Firms, Business partners and Clients, Medical Practitioners and Medical Facilities (e.g. Hospitals), Courts and Tribunals.

Other individuals

AC4U may collect personal information about other individuals who are not clients or employees of AC4U. This includes customers and members of the public who participate in events we are involved with; agencies, individual service providers and contractors to AC4U; and other individuals who interact with AC4U on a commercial basis. The kinds of personal information we collect will depend on the capacity in which you are dealing with AC4U.

Generally, it would include your name, contact details (including email, phone number and street address where relevant, financial details, date of birth, and information regarding our interactions and transactions with you. Where relevant, we may also collect your medical or health information.

If you are participating in an event we are managing or delivering, or enter a premise we own or manage, we may take images or audio-visual recordings which identify you (subject to applicable law).

In limited circumstances, AC4U may collect information which is considered sensitive information.

You can always decline to give AC4U any personal information we request, but that may mean we cannot provide you with some or all of the services you have requested. If you have any concerns about personal information we have requested, please let us know.

Visitors to our websites

The way in which we handle the personal information of visitors to our websites is discussed below.

Medical Records and Information

AC4U collects medical “sensitive” information about its Clients or Employees where it is lawful to do so. The information may relate to compulsory and or elective inoculations, medical restrictions, medical reports, sick leave absenteeism, and workers compensation reports from medical practitioners and or agents of the respective regulator.

AC4U collects medical “sensitive” information about its clients directly related to AC4U’s function or activities (e.g. direct care – medical, allied, personal care). This information may relate to current and past medical history, medications, past surgeries/operations, medical reports, current level of functioning and support/assistance required.

The information collected and held includes, but not limited to: Identifying information, Residential information, Medical history/records, Medications and regimes, Medical certificates, Certificates of Capacity, Medical Reports and Assessments, Summaries of claim information, Claim reports. What is not collected is the individuals Medicare number.

5 When do we collect personal information?

We will not collect personal information unless it is reasonably necessary for one of our functions or activities. Personal and sensitive information will only be collected through lawful and fair means. Collection of personal or sensitive information will primarily be collected with your consent. However, such information may also be collected in a manner that is required or authorised by law (for example, where it is necessary to prevent or minimise a serious or imminent threat to a person’s life or health).

6 Where do we collect personal information from?

The sources from which we collect personal information will depend on the circumstances of the collection and may include the following:

6.1 From you or with your consent

We will try to collect your personal information directly from you, or alternatively, with your consent. We will collect personal information from you:

• if you provide us with information about yourself and, if necessary, your medical condition;
• if you complete relevant agreements, applications, forms, surveys, competitions, questionnaires or you communicate with us by taking part in a discussion or forum or by email, telephone, in writing, in person or by audio visual means;
• if you are providing services or goods to us or our customers;
• if you apply for employment or engagement with us; or
• if you make a donation to us.

6.2 From other people

Where it is unreasonable or impracticable to collect information directly from you, we may obtain personal information about you from a third party. For example, we may collect personal information about you:

• from your general practitioner or another healthcare provider who has information about you to assist us in providing services to you;
• from a member of your family, a carer, a close friend, your authorised representative or responsible person, next of kin, your nominated emergency contact person or the police;
• from any person or organisation that assesses health status or care requirements, for example the Aged Care Assessment Team;
• from relevant government departments such as Medicare, the Department of Health, the Department of Social Services or your health insurer to assist us in providing services or processing billing for services provided to you;
• from third parties who you have asked to provide your personal information to us; or
• from a reference or referral identified in your application for employment or engagement with us.

6.3 From our website

When you visit our website, our web server may download a cookie to your computer. A cookie is a small piece of information sent by our server to your browser. Cookies do not contain personal information about you but can identify a user’s browser. We use cookies to capture information about a user’s browser. If you do not wish to receive cookies, you may set your browser to refuse them.

7 Can I choose to remain anonymous?

We automatically gather anonymous information to monitor use. For example, the numbers and frequency of visitors to our website. This collective data helps us determine how our audiences use parts of our website, so we can improve our services. We may publish or provide this aggregate data to other people or organisations.

If you are receiving aged care or health services from us, it is not practical for you to remain anonymous because we need to keep a record of the care and services provided to you.

We may be able to accommodate you using a pseudonym. However, if you choose not to provide your real identity this may impact the quality of the services provided to you and relevant billing and claiming.

If you wish to use a pseudonym that is linked confidentially to your real identity, please let us know and we will discuss with you any arrangements that can be made.

8 How do we use and disclose personal information?

We may use and disclose personal information for the particular purpose for which it was collected (Primary Purpose).

For customers, this will include the use and disclosure necessary to care services including accommodation, and where relevant, health care or wellness services. We may also use or disclose your personal information:

• to staff or other service or healthcare providers involved in providing services to you or your care (including your general practitioner, nurses, physiotherapists, occupational therapists) or administrative staff (involved in preparation of documentation, billing and other administrative and management duties);
• in assessing whether you are eligible to be admitted to one of our retirement living, home care or residential aged care services;
• to Medicare, the Department of Health, the Department of Social Services or your private health insurer for the purposes of billing;
• to government authorities for the purposes of providing aged care or health services;
• to funding bodies and government agencies;
• to a member of your family, a carer, a close friend, your authorised representative or responsible person, next of kin, your nominated emergency contact person or the police; or
• any third party that you request or authorise us to.

For prospective employees, contractors and suppliers, we may disclose your information to third parties to assist us in considering you for a position (including suitability) and if applicable, for subsequently administering and managing your engagement or employment.

We will only generally use or disclose personal information collected for a Primary Purpose. However, it may be necessary in some cases to disclose personal information for a secondary purpose, including:

• If we have your consent;
• If required for the management of our business. For example:
  • billing or debt-recovery, service-monitoring, funding, complaint-handling, incident reporting, developing and planning services, evaluation and improvement, quality assurance or audit activities, and accreditation activities;
  • education and training of our staff (who may not be our employees), where de-identified information is not sufficient for this purpose; and
  • disclosure to our advisors and contractors who provide services to us, for example IT and database management service providers;
• For research, compilation or analysis of statistics;
• If use or disclosure is necessary to lessen or prevent a serious or imminent threat to someone’s life, health or safety or a serious threat to public health and safety; or
• If we are required or authorised by or under an Australian law or a court or tribunal order.

We effectively and securely destroy and de-identify personal information which is no longer required to be retained by us to satisfy any legal, financial and other requirement in accordance with our information management framework and document retention schedule.

9 Data quality

We will take reasonable steps to ensure that the personal information we collect is accurate, complete, up to date and relevant to the purpose for which it is to be used, both at the time of collection and use.

10 How do we hold personal information and keep it secure?

All personal information collected is securely stored on our electronic databases. In some instances, it may also be held in hard copy files in secure and locked facilities in Australia.

We will take reasonable steps to ensure that the personal information we hold is protected from misuse, loss, interference, unauthorised access, modification or disclosure.

If we find that there has been any unauthorised access, disclosure or loss of your personal information that is likely to result in serious harm to you, we will:

• take remedial action (where reasonably possible) to minimise risk of harm to you; and
• notify you and the Office of the Australian Information Commissioner, as soon as reasonably practicable.

11 Openness

If requested, we will let you know what kind of personal information of yours we hold, for what purpose, and how we handle that information. We will also make this Policy available to anyone who requests a copy of it.

12 How can I access or correct my personal information?

You can request access to your personal information held by us, upon written request to our Privacy Officer (see Section 15 below for details). We may charge reasonable costs for carrying out your request.

To obtain access to personal information, we must be satisfied that you are legally authorised to make the request. We will ask you to verify your identification or authority. This is necessary to ensure that your personal information is provided only to the correct individuals and that the privacy of others is protected.

If, upon receiving access to your personal information or at any other time, you believe your personal information is inaccurate, incomplete or out of date, you can notify our Privacy Officer to correct your personal information. We will take reasonable steps to correct the information so that it is accurate, complete and up to date.

We may decline a request for personal information in circumstances prescribed in the Act, including where:

• access would pose a serious threat to life or health of an individual, or to public health or safety;
• access would unreasonably impact the privacy of other individuals;
• the request is frivolous or vexatious;
• the information relates to existing or anticipated legal proceedings;
• access would be unlawful; or
• we are prohibited by Australian law, a court or tribunal.

If we decline to provide access, we will give you a written notice setting out the reasons for refusal and the complaint mechanisms available to you.

13 Do we use your personal information for direct marketing and can you opt out?

There may be occasions where personal information is used for direct marketing purposes including direct contact, telephone enquiries, email, SMS, letters, internet and web interactions, surveys and other forms of communication. Any such use will be limited to circumstances where you would reasonably expect us to use or disclose your personal information for that purpose and it has been collected from you, or if you have otherwise consented or requested this information.

You have the right:

• to contact us to ‘opt-out’ of receiving direct marketing communications; or
• to request that we provide the source of your personal information where reasonable and practicable.

If you have consented to us providing direct marketing to you and you wish to stop receiving such marketing, please contact us on the details set out in this Policy or provided in the marketing communication.

14 How can I complain about the handling of my personal information?

If you believe we have at any time breached this Policy, you may lodge a written complaint with our Privacy Officer on the contact details in this Policy.

We will endeavour to acknowledge your complaint within 14 days of its receipt, and to make a determination on the complaint within 30 days of its receipt.

If you are not happy with our response, you may lodge a written complaint with the Office of the Australian Information Commissioner using the following link: https://www.oaic.gov.au/privacy/privacy-complaints/lodge-a-privacy-complaint-with-us/

15 Contact details and further information

For all employees and contractors, please contact:

The Privacy Officer
530 Little Collins Street, Melbourne
Email: [email protected]

Further information about the Australian Privacy Principles and the application of the Act to us can be found at the website of the Office of the Australian Information Commissioner at http://www.oaic.gov.au.

16 This policy document supports All Care 4 You’s compliance with the following legislation:

• Privacy Act 1988 (Cth) (Act)
• Charter of Human Rights and Responsibilities 2006 (Vic)
• Privacy Act 1988 (Cwth)
• Privacy and Data Protection Act 2014 (Vic)
• Health Records Act 2001 (Vic)
• Public Records Act 1973 (Vic)
• Fair Work Act 2009 (Cwth)
• Freedom of Information Act 1982
• Children, Youth and Families Act 2005 (Vic)
• Child Wellbeing and Safety Act 2005 (Vic)
• Family Violence Protection Act 2008 (Vic)
• Australian Privacy Principles (APPs)
• Information Privacy Principles (IPPs)
• Health Privacy Principles (HPPs)
• Victorian Protective Data Security Standards 2016
• Notifiable Data Breaches Scheme 2017
• Child Information Sharing Scheme 2017
• Family Violence Information Sharing Scheme 2017

17 Terms and definitions

18 Monitoring and review

This document will be reviewed by the Director in line with the scheduled review cycle, depending on the level of risk and in line with the All Care 4 You Policy Governance Framework.

Changes to legislation and regulation that may impact this document are monitored by the Director.

Last scheduled review: 01 February 2024
Next scheduled review: 17 January 2026