Privacy, Administration & Information Management Policy

Privacy, Administration & Information Management Policy

Efficient and effective administrative procedures are implemented to meet care recipient/consumer (as appropriate) and regulatory requirements.  Information is used responsibly to inform the decision making process to improve care and services provided to care recipients / consumers and effective management.


As a provider of residential aged care/home care package services, RusCare is bound to collect personal information according to the Aged Care Act 1997. The organisation is also bound by the Victorian Health Records Act 2001 and the Australian Privacy Principles within the Privacy Amendment (Enhancing Privacy Protection) Act 2012 that set out the requirements for ensuring systems and processes are in place to appropriately manage personal information.   


An open and transparent approach to management of personal information is taken and communicated to care recipients/authorised representatives on admission in the Australian Privacy Principles Policy.


RusCare is committed to providing a culture for privacy of personal information and systems for responsible handling of personal information collected.  Staff must ensure information is as accurate as possible and must take steps to maintain the security and confidentiality of personal information at all times including, but not limited to: electronic information, paper based information and oral information such as handover and the use of telephone. 


A multidisciplinary team approach to providing care in partnership with care recipients/consumers (as appropriate) and their representatives is provided.  Information is only shared with team members on a need to know basis.


Systems are in place to ensure care recipient/consumer (as appropriate) personal information and confidential information related to staff and the management of the organisation is safeguarded against loss, unauthorised access, use, modification or disclosure.


A Privacy Officer has been appointed to assist with any issue care recipient / consumers (as appropriate) and their authorised representative/s may have related to privacy of personal information. All matters related to privacy should be directed to the Privacy Officer. 


Information and social media technology and social networking must be used according to the IT and Social Media procedure (4.4) to reduce the associated risks to the organisation, care recipients and staff.  


Personal information is information or an opinion about an identified person or who can be reasonably identifiable no matter whether the information or opinion is true or false, or whether it is recorded or not.

Sensitive information relates to:
Ethnicity or cultural background.
Religious beliefs.
Sexual preferences or practices
Political opinions.
Union / Association membership.
Criminal record.
Health or medical information.

Health Information is a subset of personal information and is also sensitive information. Health information relates to:

A person's physical, mental or psychological health and or disability with respect to the past, present, future
A person’s expressed wishes about future health services;
Health services provided or to be provided to a person; and
Information collected during treatment / care provision.


Staff have the responsibilities to maintain confidentiality and to only share privileged personal information about care recipients/consumers and staff members to other members of the team on a need to know basis.


Care recipients/consumers have a right to have their personal information protected through the control of the collection, use and dissemination of personal information as required by the Australian Privacy Principles (APP) and Victorian Health Privacy Principles (HPP).

Information privacy focuses on supporting the control care recipients/consumers have over personal information about themselves rather than ownership of the information.

Each new Home Care Packages consumer is allocated a "Program No" within TCM

Privacy does not apply to de-identified information for example, statistics where an individual cannot be reasonably identified.

A copy of the Australian Privacy Principles Policy and consent form is provided to all care recipients/consumers/representative on admission. They are also available on our website and in the Resident Handbook.

Home Care Packages consumers sign the SCTT consent form, receive a privacy information flyer and the Consumer Information Kit.


Whilst the Privacy Act does not cover the handling of personal information by organisations where it is contained in employee records, systems are in place to ensure staff’s personal information is safeguarded.

Staff phone numbers must not to be given to any person outside the organisation.


The Managing Director and the  Quality Manager have been appointed as the Privacy Officer for the organisation and acts in accordance with her/his position description and the organisation’s policies and procedures.

Additionally, RusCare has appointed an external Privacy Officer who may also be accessed in the first instance to resolve privacy issues.

All requests to access or correct information or complaints related to alleged breaches of privacy are to be referred to the Privacy Officer.

Action taken by the Privacy Officer will depend on the individual circumstances of an issue raised and legislative requirements.

An Action Plan is completed for complex issues to ensure follow up action is planned and completed within defined timeframes.

The Privacy Officer maintains accurate documentation of each issue raised related to privacy. A Privacy Issues Register is maintained to identify and monitor the progress of privacy related issues within the defined timeframes.

The Privacy Issues register and related documentation is kept in soft copy format only in a secure storage area.
The Privacy Officer refers any matter which is complex or may have legal implications to the Managing Director.


The Health Records Act (Vic) allows for an authorised representative to act for the care recipients/consumers if she/he is incapable of acting for her/himself.

An authorised representative may be:
Enduring Power of Attorney (Financial and Personal) or State Trustee – for finances, personal & lifestyle affairs
Medical Enduring Power of Attorney
Guardian appointed by the Victorian Civil and Administrative Tribunal (VCAT)
Guardian appointed by the Victorian Civil and Administrative Tribunal (VCAT)
Person with written authority or nominated by the resident/consumer.

The Australian Privacy Act 1988 as amended 2012 allows for a responsible person for an individual to act on her/his behalf if they are unable to do so.

A responsible person may be:
A spouse or de facto partner of the care recipient/consumer
A child or sibling of the care recipient/consumer who is over 18 years
A relative of the care recipient/consumer who may be traced to or through a de facto partner, child or sibling e.g. step-child, grandchild, niece.

Sensitive information must not be collected without resident/representative consent and should only include information required by an aged care facility or reasonably necessary for the provision of care and services to the care recipient/consumer

On admission care recipients/consumers/representatives are made aware of the following information by reading the APP Policy (4.0.1) and staff answering questions about:
the kinds of personal information required to be collected
how personal information is collected, stored, used and disclosed including any overseas disclosures
how the care recipient/consumer/authorised representative may access and or seek correction of her/his personal information
how to make a complaint about any breach of privacy and how complaints will be handled.
Staff must organise a suitable interpreter for those residents/consumers from non-English speaking background as required.

The APP Policy  has a section for the Consent for collection, use and disclosure of personal information. The care recipient/consumer or authorised representative is asked to sign the consent section of the APP policy form.

A copy of the APP Policy and signed consent form is offered to the care recipient/consumer/representative. This form is then filed in the care recipient/consumer’s admission notes.

Wherever possible information is collected from the individual care recipient/consumer or representative if this is not possible.

Staff must maintain privacy when collecting information for example, in the care recipients room rather than dining room. This applies throughout the care recipients stay.


Every effort is to be made to ensure information collected, used and or disclosed is accurate, up to date and complete.

Care recipients / consumers / representatives (as appropriate) / family members are encouraged to inform staff if information changes.

Entries in care recipients / consumers’ (as appropriate) files must be actual and factual about what staff have observed and have done, not their personal opinion of the care recipient / consumer.

The records must comply with legal documentation requirements including;
Care recipients / consumer’s name on each page
Date and time of each entry
No lines left between entries
Signed by the person making the entry and her/his designation for example, Mary Smith, Personal Carer. Nurses must sign according to the name registered to practice.

A Staff Signature Register is maintained to identify initials and signatures.

Whiteout must not be used in any care recipient/consumer record. Any errors have a line drawn through them and are initialled.


Personal Information must only be used or disclosed for the primary purpose for which it was collected; or directly related secondary purpose which would be reasonably expected by the care recipient / consumer (as appropriate) / authorised representative. For example:

sharing relevant information between team members to provide the care recipient with care and services appropriate to their needs and preferences
sharing information on a need to know basis to service departments
continuous improvement activities including documentation/clinical audits, surveys, reviews and data analysis activities
staff training for employees working within the organisation
Handling of complaints;
Incident reporting and or legal proceedings for example; assault, professional misconduct.
Providing information in an emergency to health professionals for example ambulance officers and locum doctors
Submission of funding claims
Accreditation assessments.

Refer also to the Australian Privacy Principles Policy.

Staff may disclose (communicate) health information related to a care recipient/consumer to an immediate family member as necessary to provide appropriate care unless there is an expressed wish that the care recipient / consumer or authorised representative does not want information discussed with a particular person. This includes general comments to next of kin and close relatives over the telephone.

Staff must document such discussions in the progress notes.

There must be informed consent for use / disclosures for other purposes where reasonable expectation does not apply for example;

The Resident Consent is used on admission for the consent to use information in the following ways:
Display of images / photographs
Display of name on doors
Birthday announcement
To provide a specialist pharmacist with relevant information to enable a comprehensive Medication Review to be conducted and to share the report with relevant health care team members.
The Consent to Use/Disclose Information is completed for consent for articles in the local newspaper or annual report or on the organisation’s website. A copy is filed in the care recipients/consumer’s file. Refer also to Research / Study.
Home Care Consumers complete the SCTT Consumer Consent to share information which includes nominating proposed information uses and disclosures.

The care recipient / consumer / representative must have options explained and have the right to refuse consent for the use of personal information for a secondary purpose.

A care recipient / consumer / authorised representative may request information to be available to another health service or provide authority for another health service provider to request information. This may involve a copy or summary of the information. Such requests must be referred to the Privacy Officer and processed as soon as practicable.

Personal information may be disclosed/used for a secondary purpose if it is related to a law enforcement or regulatory purpose for example; subpoena, notifiable disease, compulsory reporting of elder abuse and missing care recipient. Details of such disclosures require documentation including the date, the information was used/disclosed, the enforcement body to whom it was disclosed/use and how it was used/disclosed. Refer also to Incident Reporting (21.1).

In the case of a subpoena the whole record is copied prior to sending by Registered Mail to the address requested.

Solicitors requesting copies of records are referred to the Managing Director.

Legal advice is sought by the organisation if it unsure about how to proceed with a court order.


Care recipients / consumers or their authorised representative have the right to access personal / health information kept. The authorised representative must consider whether if able the care recipient/consumer would wish to access the information.

All reasonable steps must be taken to provide access.

Wherever possible access is provided according to the form the individual requested for example;
Inspection of documents
A copy, ensuring the deletion / omission / protection of personal information related to others
A verbal explanation
A written summary of the information.

Staff must direct any request to access records to the Privacy Officer who will provide a Request to Access /Correct Information Form (4.0.4). Upon receipt of a request for access the Privacy Officer will:
Verify that the person requesting access is authorised to do so
Read the relevant documents to which the request relates to identify
Any areas that may require inspection or copying to be denied
Information that could cause serious threat to life or effect the health of the person.
Whether other individuals are identified and require information protected or de-identified.
Prepare a summary or organise the preparation of a summary of the documents, if required.
Organise a meeting with a relevant health professional such as, medical practitioner to provide an explanation, if requested.
Photocopy or organise the photocopying of requested documentation.
Set up a mutually agreed time to inspect or view documents.
Arrange for a private and convenient area to inspect or have the information explained.

An Acknowledgement and Response is provided for all requests using Part B of the Request to Access /Correct Information Form including whether access can be provided or correction can be made and whether a fee applies. Refer below for Refusal of Access.


Generally a fee is not charged for access unless there is a large amount of photocopying/printing or time required. In these cases:

a fee of 20c per A4 page may be charged for photocopying of records.
A minimum charge of $5 / 15mins may be charged where staff are required to spend substantial time locating and preparing documents.
Health service providers such as, Medical Practitioners may charge a fee for providing an explanation. The fee cannot be more than for a usual consultation for the same time.
Where a charge is made by an Intermediary these costs may be shared or waived.
If is believed that the costs of access would pose undue hardship on the person accessing the fee can be waived.


Refusal of access is only to occur if access;
Would pose a serious threat to the care recipients life or health. If the threat was removed by providing the information in another form, this should be offered to the person.
Would impact unreasonably on another person.
Relates to information about legal proceedings between the person and the organisation.
The information was given in confidence.
Is unlawful.
Relates to information which would prejudice a security or legal function / investigation for example, a negligence claim
Has been given and a person is being unreasonable by asking repeatedly to access the same information, in the same way.
Is considered trivial or been made jokingly.
Would leave the organisation vulnerable related to commercially sensitive decision-making information.

However, the care recipient/consumer is still able to access the facts and opinions and an explanation about how the decision was made related to them.

Where a request for access has been refused the Privacy Officer must provide a reason as required by APP 12 or HPP 6. The Notification of Refusal template letter is used by the Privacy Officer.

An exception to providing a reason would be if the disclosure would prejudice a legal investigation.


Where refusal has occurred and all other avenues have been explored consider the offer of an intermediary person who is mutually acceptable to the person and the organisation to assist with limited access when direct or limited access is not appropriate.

The Privacy Officer will need to establish whether an acceptable outcome would be achieved for the person with the use of an intermediary without revealing the information covered by the exception.

The Privacy Officer will need to establish the availability of a suitable intermediary.

The Intermediary’s role is to facilitate sufficient access, which meets the person’s and the organisation’s needs.

This person should be another qualified health service provider who will act in the best interest of both parties.

Disclosure of the information to which access has been requested is required with the individual’s written consent using the Consent to Use/Disclose Information form. This disclosure is to enable the Intermediary to explain the contents of the information to the individual, without revealing specific details without the organisation’s authority.

The steps in this process must be explained to the individual when an Intermediary is offered.

The applicant may nominate a consenting health service provider to assess the grounds for refusal if the offer of an intermediary has not been made by the organisation or if she/he does not accept such an offer or is not satisfied with the outcome of the discussion. A written notice of the nomination must be provided within 21 days after receiving the notice of refusal or an offer or following discussion.

The organisation may object to the nomination in writing within 14 days.

The Privacy Officer will refer to the requirements of the legislation and may require legal advice for this situation.


A care recipient/consumer or authorised representative is entitled to request information to be corrected should they believe personal information is incorrect.

Requests for correction are required in writing using the Request to Access/Correct Information form.

Upon receipt of a request for correction of information the Privacy Officer will:
Verify that the person requesting correction is authorised to do so
Request supporting evidence to verify the validity of the request.
Corrected information should be attached as an addendum to the file whenever possible rather than deleting from the file. Incorrect information is to be filed to ensure it is not inadvertently used for example; in the care recipients archive file.
In rare circumstances an incorrect diagnosis for example, related to psychiatric condition can be permanently erased from the file if the individual expresses a strong concern
If practicable, the name of the person who made the correction and the correction date is recorded on the file where the correction was made.
A record of corrections made is also recorded on the Request to Access/Correct Information form (4.0.4).

The organisation can refuse to correct the personal / health information if it is believed there is lack of supporting evidence. However, a statement provided by the person should be attached to state that correction was requested.

Where a request for correction has been refused the Privacy Officer must provide a reason as required by APP 13 or HPP 6. The Notification of Refusal template letter is used by the Privacy Officer.


Care recipients /Consumers/ authorised representatives have the right to make a complaint where they believe there is a breach of the resident’s/consumer’s privacy. Such complaints must be recorded on an Feedback Form (2.0.1) and followed up promptly by the Privacy Officer according to the Complaint Handling procedure (2.6) and the Security Breach section below.

Care recipients /consumers/ authorised representatives also have the right to make a complaint to the Office of the Australian Information Commissioner / Victorian Health Services Commissioner.

The commissioners are able to investigate complaints where it is alleged that there has been a breach of the Australian Privacy Principles / Health Privacy Principles or access has been denied. Compliance notices can be served for serious breaches by the commissioners or binding orders by the Victorian Civil & Administrative Tribunal.


Any request to access medical records for the purpose of research must demonstrate in writing how information will be used and how ethical issues and privacy will be protected.

Written consent using the Consent to Use/Disclose Information form (4.0.3) is required if information is not de-identified or a consent form specifically designed for the research project is used.

Generally where de-identified information is used/disclosed for study purposes no privacy issue arises unless there is no direct relationship between the use and the purpose of the initial collection. In this case;

Consent where possible and feasible should be sought,
How the use / disclosure will tangibly benefit the public health or safety should be demonstrated,
How ethical issues will be addressed should be demonstrated, and
How privacy will be protected should be demonstrated.

The Managing Director handles media issues for the organisation. All media inquiries are to be directed to this person.

Personal or health information must not be disclosed unless there is informed consent or expressed consent.

Information may be provided only if individuals cannot be identified by the statement made.


The organisation does not use personal information to contact residents / families for the purpose of fundraising such as donations, bequests or direct marketing without written consent.


Information can be transferred if;
Similar information or health privacy principles apply,
The person provides informed consent or,
The person provides informed consent or,
Reasonable steps are taken to ensure privacy of information for example; a legal opinion,
Required by law.

Measures are in place to safeguard personal and health information in any form from loss, unauthorised access, use, modification or disclosure.

Key padded doors to all workstations in residential care
Staff ensuring filing cabinets are locked when unattended
Staff ensuring desks are clear of personal / health information when unattended
Locked storage area/s for care recipient/consumers histories with restricted access
Locating white boards with care recipient/consumer details only in areas where privacy can be maintained
No residential care recipient's file is allowed to be removed from the premises unless required by law
Where Home Care consumer files are taken off site, they must be transported in a secure bag e.g. brief case in the boot of the vehicle, not left at any time in an unattended vehicle and signed in and out of the Client Records Movement Register
Computers are password protected with levels of access. Refer also to Information Technology and Social Media.

The following steps should be taken if there is a situation where “…[p]ersonal information is lost or subjected to unauthorised access, modification, use or disclosure or other misuse.

Complete an Incident Report and inform the Privacy Officer who will take immediate steps to contain the breach and coordinate the response.
The Privacy Officer will conduct a Risk Assessment to assess what information has been affected and the risk of harm associated with the breach and if possible the cause and extent of the breach.
The Privacy Officer will then consider if affected individuals should be notified to reduce the risk of harm such as; identity crime, physical harm, humiliation, damage to reputation. Notification should include; details of the breach, the type of personal information affected, what is being done to minimise the impact and contact details for information and assistance.
The timing of the notification and method will depend on the level of risk e.g. immediate phone call or letter in the mail.
The Privacy Officer will also inform senior management and the need for notifying other agencies or regulatory bodies will be determined for example; the Office of the Australian Information Commissioner, the police, professional or regulatory bodies and or other organisations that maybe affected by the breach.

A comprehensive investigation is conducted following the incident to identify and if possible implement preventative action such as; increased security measures, staff training, review and update of policies and procedures


If you have any questions, feedback or concerns about this policy or how your information is handled by RusCare Ltd, you can contact our office on 03 9793 5955 (9am-5pm, Monday-Friday, AEST).

You can also contact us by fax, mail or email:

Fax – (03) 9791 3933
Mail – RusCare Ltd – 13 Conway Street Dandenong South Victoria 3175
Email – [email protected]

RusCare Ltd will manage any concerns internally, directly with you.

If you are not happy with our response, or if you do not feel your complaint has been resolved, you are able to seek advice from the Office of Australian Information Commissioner by calling 1300 363 992.