Privacy Policy | Assisi Centre


The privacy policy is a statement that discloses the way in which information is gathered, used, disclosed, and managed by the organisation. It also reinforces the importance of workforce understanding of the consumer's right to privacy.

It fulfils a legal requirement to protect the privacy of consumers and workforce personnel.


Based on the Privacy Act 1988 and the Health Records Act of Victoria 2001, the privacy of consumers, workforce personnel and visitors is considered paramount in regard to:

  • The appropriate management of personal information
  • The responsible use of information in the care and services decision-making process
  • The use, disclosure and destruction of personnel records
  • The secure storage of information
  • The monitoring and reporting of data breaches

The privacy policy also ensures that Australian Privacy Principles are followed at all times including:

  • The open and transparent management of personal information
  • An individual having the option of transacting anonymously or using a pseudonym where practicable
  • The collection of solicited personal information and receipt of unsolicited personal information including giving notice about collection
  • How personal information can be used and disclosed (including overseas)
  • Maintaining the quality of personal information
  • Keeping personal information secure
  • The right for individuals to access and correct their personal information


Privacy Officer

A privacy officer maintains accurate documentation of issues raised related to privacy

A privacy register and an electronic record in REPORTABLES (Manad Plus) are used by the privacy officer to identify and monitor privacy related issues.

Only authorised personnel access this information, i.e. key personnel involved in monitoring and auditing privacy standards related to:

  • Staff Practices
  • Systems failure
  • Code of conduct failure

Related documentation is kept in secure storage

The privacy officer refers any complex matters or those which may have legal implications to the CEO and DOC who may then refer to a legal advisor

The Privacy Officer’s photo (with work designation and contact details) is distributed within the home to inform consumers

Authorised Representative

The Health Records Act (Vic) allows for an authorised representative to act for the consumer in a situation where the consumer no longer has capacity to manage their own affairs.

Authorised representatives may be:

  • Enduring Power of Attorney (Financial)
  • Medical Treatment Decision Maker (Medical POA)
  • Enduring power of guardianship
  • Guardian appointed by the VCAT
  • A Person with written authority or nominated by the consumer

The Australian Privacy Act 1988 (as amended 2012) allows for a responsible person for an individual to act on their behalf if they are unable to do so.

A responsible person may be:

  • A spouse or partner of the consumer
  • A child or sibling of the consumer who is over 18 years
  • A relative of the consumer, e.g. stepchild, grandchild or niece


Collection, Use and Disclosure of Information

Collection of information

  • The consumer's consent will be obtained prior to collection of personal information. Consumers must have sufficient information to provide informed consent.
  • As part of the consent process, consumers will be advised of their right to access and/or correct the information.
  • The consumer's consent form will be included in the medical record.
  • Consumers' personal information is to be collected in a private area.
  • Account procedures should be conducted in a discreet manner. Often it will be necessary to offer the resident the privacy of an office away from the main reception area.


Use and Disclosure

Personal information must only be used for the primary purpose for which it is collected OR directly related to a secondary purpose which would be reasonably expected by the consumer, e.g. to a statutory authority.

Consumer information can be shared, e.g.:

  • During handover
  • On a need to know basis to service departments of the organisation
  • Continuous Improvement Activities such as surveys, audits and data analysis
  • Handling of complaints
  • Incident reporting
  • Providing information in an emergency
  • Submission of funding claims


If information is to be disclosed to a person overseas, Assisi will comply with the Privacy Act by ensuring reasonable steps are taken so that the entity receiving the information will not disclose it. In some circumstances this may require contractual obligations to be put in place prior to the disclosure of the information.

Any request to access medical information for the purpose of study must demonstrate in writing how the information will be used and how ethical issues and privacy will be protected


Data Quality

Every effort will be made by the facility to ensure that resident information is accurate, complete and up-to-date.

Data Breach reporting procedures will be undertaken should consumer information be disclosed that may cause serious harm to the consumer (see confidentiality and Security of Information policy)


Data security and retention

Consumer information MUST be kept secure by implementing the following:

  • Medical records storage areas to be restricted to authorized personnel
  • Filing cabinets or rooms where resident information is stored etc to be kept locked
  • Desks are to be kept clear of consumer information
  • Whiteboards with consumer information are to be away from public view
  • Fax machines to be situated away from public view.
  • Computer screens to be away from public view and switched to a screen saver when not in use.
  • Computerised information security systems will comply with National Data Information Guidelines and Standards.  (See data breach procedures)


Access to Information

Consumers have the right to access their health and personal information

All reasonable steps must be taken to provide access

On receiving a request to access information, the privacy officer will:

  • Verify authority of person requesting access
  • Identify the documents requested to ensure:
    • Any areas that may require access to be denied – these will include:
      • Any information which could cause serious threat or affect the health of the consumer
      • If other individuals are identified and require information to be protected
      • Information related to legal proceedings between the consumer and the organisation
      • The information was given in confidence
      • Would leave the organisation vulnerable related to commercially sensitive information
  • Prepare a summary if required
  • Organise a meeting with relevant health professionals to provide an explanation, if requested
  • Set up a mutually agreed time to view documents



A fee may be charged for a large amount of photocopying/printing or where a considerable time is involved.



20c per A4 page for photocopying

$5.00 per 15 minutes of staff time locating and preparing documents

If it is believed a charge would pose undue hardship on the person accessing the information, the charge can be waived


Corrections of personal information

A consumer (or authorised representative) is entitled to request information to be corrected should they believe an error has been made. On receiving a request, the privacy officer will:

  • Verify the person requesting the correction is authorized to do so
  • Request supporting evidence to verify validity of request

Corrected information should be attached to the consumer's file as an addendum rather than deleting the previous information

The correction action is recorded by the privacy officer in the privacy register



Assisi’s Privacy statement is available to residents and staff. Information regarding the policy and statement is referred to in the Resident and Family guide.

The complaints process for consumers is reinforced with staff. Complaints are referred to the DOC and will be treated in the strictest confidence. A written acknowledgement will be returned to the individual.

As part of induction training, staff will be educated in the Privacy Policy.

Regular in-service updates will also be held and incorporated into the in-service education calendar.

Senior staff will be educated in regard to:

  • The Privacy Act 1988
  • The Health Records Act 2001
  • The data breach laws Feb 2018

All employees will be required to sign a Privacy and Confidentiality Statement on commencement of employment.

Contracts will describe the responsibilities of external service providers to maintain confidentiality and privacy of residents as well as security of personally identifiable health information.


  • The provisions of the ‘Privacy Act’ 1988 and the ‘Health Records Act of Victoria’ 2001
  • Guidance and Resources for providers to support the New Aged Care Standards August 2018. Australian Aged Care Quality Agency
  • Office of the Australian Information Commissioner (OAIC) Privacy fact sheet 17.
  • Office of the Australian Information Commissioner (OAIC) a guide to handling personal information
  • Data Breach Act Feb 2018