Healthcare Australia’s Privacy Management Standard

Policy Statement

Healthcare Australia Pty Ltd (HCA) is legally bound by the Privacy Act 1988 and the Australian Privacy Principles (APP’s). HCA will endeavour to ensure the security, accuracy and quality of all staff, clients and business information that we collect, use, disseminate and disclose.

Collection, Quality and Protection

  • It is HCA usual practice to collect personal information directly from staff, clients and when reasonably expected, third parties.
  • The types of information we collect may include your contact details, DOB, financial details, health and medical information and employment history.
  • HCA and/or its employees shall only access and use any personal information supplied by clients/staff for the purpose of fulfilling its obligation under the agreement HCA has with its clients.
  • HCA will take all reasonable steps to ensure that the personal information we collect, use or disclose is accurate, complete and current. If you are aware of any error or inaccuracy in the personal information about you please contact the State Manager.
  • HCA will take all reasonable steps to protect your information from misuse, loss, unauthorised access, modification or disclosure. All information is stored in secured premises and electronic databases which are access level or password protected. Only authorised HCA personnel are to have access to personal information.

Use and disclosure

  • HCA and/or its employees shall not disclose any personal information obtained in connection with its agreement with its clients/staff without written authority of its clients/staff.
  • HCA shall not disclose personal staff information to other clients, agencies or organisations or anyone else unless the staff member has consented, or it is reasonably expected or it is a legal requirement. Private information may be disclosed without permission if it will lesson a serious and imminent threat to somebody’s life or health. Accessing your personal information
  • You are entitled to request access to personal information that we have in our possession. Request for personal information must be made in writing. HCA can deny this request in certain circumstances. In this case HCA will advise the staff/client of the reasons for doing so.
  • HCA shall advise its clients/staff immediately if it becomes aware that a disclosure of personal information may be required by law.
  • HCA are to advise its clients immediately if a breach of the above occurs and that these obligations will survive any termination of an agreement between HCA and its clients.


In fulfilling HCA’s legislated and moral responsibilities to provide protection of personal information, collected in any manner whatsoever through the operations of the business, the Policy is enforced to ensure your personal information will not be released unless the law requires or permits it, and or your permission is given.


The Policy applies to Healthcare Australia and companies within the group in Australia and New Zealand,
and is binding on its employees, contractors, visitors, other persons and/or end users of our premises:

  • whilst present in any premises or facility owned, occupied or managed by Healthcare Australia;
    and or,
  • whilst a person employed or contracted to Healthcare Australia and is defined as a worker under
    the relevant legislation and is within any premises or facility owned, leased, occupied or
    managed by third party; and/or,
  • in the course of, or as a result of any recreational, social, occupational, educational, commercial
    activity Healthcare Australia endorsed whatever its location.

Accountabilities and Responsibilities

Each level of management within Healthcare Australia is accountable and/or responsible to implement existing policies and procedures and to continuously review and improve our processes. Management and those who have supervisory roles shall endeavour to raise awareness and knowledge of the company’s Privacy Policy and Standard with staff under their supervision and/or control. All employees are to participate and ensure all steps are taken to secure private information and as such  are proactive in their behaviour to ensure legal compliance to the relevant Act and company policy.

Healthcare Australia (HCA) will develop, implement and maintain a reporting structure and process to manage and improve HCA’s Privacy Policy, Standards and procedures and manage personal information in an open and transparent way including dealing with inquiries and complaints from individuals.

Authorised Officer

A HCA Senior Executive is nominated as Authorised Privacy Officer and the Freedom of Information Officer. (Refer to the QMS Position List).


Personal information – is information or an opinion (including or forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained from the information or opinion.

Sensitive information – Sensitive information includes health and genetic information as well as personal information about an individual’s religious beliefs and affiliations, race, ethnicity, political opinions, membership of a political association, sexual preferences or practices, philosophical beliefs, membership of a professional or trade association, membership of a trade union, or criminal record. The Privacy Act imposes stricter rules about when sensitive information can be collected and how it should be handled. Usually, sensitive information can only be collected with the individual’s consent and there are tighter restrictions on how this type of information can be used and disclosed.

Australian Privacy Principles (APP) Standards

HCA has established an appropriate policy and standards, systems, infrastructure and practices that apply the Australian Privacy principles. The HCA Privacy Policy and Standards are open, transparent and consistently applied. The Australian Privacy Policy (APP) deals with:

  • The kinds of information the HCA collects and holds;
  • How HCA collects and holds personal information;
  • The purposes HCA collects, holds, uses, and discloses personal information;
  • How an individual may access personal information about the information that is held by HCA and seek the correction of such information;
  • How an individual may complain about a breach of the APP and how HCA will deal with such a complaint;
  • Whether HCA is likely to disclose personal information to overseas recipients; and
  • If HCA is likely to disclose to overseas recipients, the countries in which recipients are likely to be located.

Part A – Consideration of personal information privacy

APP 1 — Open and transparent management of personal information

HCA has developed a Privacy Policy and Privacy Standard under its certified Quality Management
System that is available upon request and visible on our electronic web sites.

APP 2 — Anonymity and pseudonymity

HCA understands that where an individual chooses to not provide personal information when requested that is their entitlement, however we may not be able to deliver the service requested. We will endeavour to make this as clear as possible for each service.

Where you choose to deal with us anonymously or using a pseudonym, this may affect our ability
to provide services to you, and/or our ability to deal with issues you have raised. While HCA will
not demand that a notifier identify themselves, a refusal to give your name and contact details may
mean that:

  • an investigation cannot be commenced or completed
  • any claims you make may be less easy to establish, and
  • it may be impracticable for the relevant national law entity to continue to deal with or contact an anonymous notifier.

Part B – Collection of personal information

APP 3 — Collection of solicited personal information

Generally, we will collect personal and sensitive information directly from the individual who’s identify has been confirmed, eg employee, applicant for employment with HCA or for permanent or on-hire employment with a HCA Client, or from clients – and only to the extent necessary to provide the service (including our agency functions) you requested HCA to carry out. An ‘agency function’ means a service that we provide on-hire employees to our Clients.

We may collect personal information when:

  • an application for employment form is lodged from HCA
  • a request for delivery of healthcare services from HCA
  • a healthcare service is provided directly by HCA
  • deal with us over the telephone
  • e-mail us
  • create an account with us
  • ask us to contact after visiting our web site.

We will collect personal information by lawful and fair means and not in an unreasonably
intrusive way.

Information Collected and Retained by HCA is generally but not limited to:

  • Personnel Records and Information
  • Medical Records and Information
  • Electronic Media and Communication
  • Criminal History Records and Information

HCA secures information from a variety of sources, but not limited to:

  • From the individual
    • Employment Application
    • HCA’s web site
    • eHCA web site
  • Recruitment companies
  • CrimTrac
  • Company Insurers
  • Regulators
  • Government Agencies eg Australian Tax Office, Social Security, Department of Foreign

Affairs etc

  • Law enforcement
  • Legal Firms
  • Business partners and Clients
  • Medical Practitioners and Medical Facilities (e.g. Hospitals)
  • Courts and Tribunals

APP 4 — Dealing with unsolicited personal information

‘Unsolicited personal information’ is personal information about an individual that HCA has unintentionally received. This is an uncommon occurrence, but when it does happen, we will protect the rights of the individual’s personal information with the same rigour as we treat personal information that we intended to collect. If we could not have collected this information through our normal processes, we will de-identify that information as soon as reasonably practicable, and forward the received information to the person or organisation that was the intended recipient.

APP 5 — Notification of the collection of personal information

HCA when collecting and collating personal information about an individual we ensure that the provider of such information is notified to ensure the individual is aware how HCA will deal with the information. Where applicable and reasonably practicable prior to collection or after collection,

HCA will:

  • confirm legal identity and contact information
  • the circumstances of collection
  • whether the collection is required or authorised by law
  • the purposes of collection
  • the consequences if personal information is not collected
  • provide its usual disclosures of personal information of the kind collected
  • information about HCA’s APP Privacy Policy
  • whether HCA is likely to disclose personal information to overseas recipients, and if practicable, the countries where they are located.

Taking steps to notify the individual may not be reasonable where:

  • the individual (the owner of the information) is aware that personal information is being collected, the purpose of collection and other matters relating to the collection, for example, a doctor has informed a patient that a specialist to whom the patient is referred for treatment will obtain the patient’s health information from the doctor
  • HCA collects personal information from an individual on a recurring basis in relation to the same matter. However, if a long period of time has elapsed since the notice was provided and the individual may no longer be aware of, HCA may need to take steps to notify or ensure awareness. Similarly, if a change in circumstances as to how personal information is collected under the AAP, HCA shall take reasonable steps to ensure an individual is aware of those matters.
  • notification may pose a serious threat to the life, health or safety of an individual or pose a threat to public health or safety.
  • notification may jeopardise the purpose of collection or the integrity of the personal information collected and there is a clear public interest in the purpose of collection , for example, a private investigative company or police undertaking lawful covert surveillance of an individual in connection with a criminal or civil investigation
  • notification would be inconsistent with another legal obligation, for example, by breaching a statutory secrecy provision, a client’s legal professional privilege, or a legal obligation of confidence
  • the impracticability of notification, including the time and cost, outweighs the privacy benefit of notification. For example:
    • a) where HCA collects personal information about the individual’s next of kin for
      emergency contact purposes, it would generally be reasonable for the entity to
      take no steps to notify the next of kin of the collection of their personal
      b) where an individual provides unsolicited personal information to an entity
      about a third party for the purposes of a confidential alternative dispute
      resolution process, and the entity is not required to destroy or de-identify the
      information and would generally be reasonable for HCA to take no steps to
      notify the third party. This is especially so where HCA will not rely on the
      personal information in investigating or resolving the matter, or does not have
      the contact details of the third party.

Part C – Dealing with personal information

APP 6 — Use or disclosure of personal information

We use the personal information for purposes consistent with the reason it was provided, or for a directly related purpose. We may also use personal information where required or permitted by law. We may also use information where it has been provided to us with the express or implied consent of the owner of the information.

We do not share personal information with other organizations unless:

  • The owner of the personal information provides express consent, or
  • sharing is otherwise required or permitted by law, or
  • this is necessary on a temporary basis to enable our contractors to perform specific functions.

When we temporarily provide personal information to companies who perform services for us, such as specialist information technology companies, mail houses or other contractors to HCA we require those companies to protect your personal information as diligently as we do. Strict contractual and other quality assurance measures are used to ensure your personal information is protected.

We have a strict duty to maintain the privacy of all personal information we hold. However, certain exceptions do apply. For example, where disclosure of your personal information is:

  • authorised or required by law (e.g. disclosure to various government departments and agencies such as the Australian Taxation Office, CentreLink, Child Support Agency, or disclosure to courts under subpoena)
  • in the public interest (e.g. where a crime, fraud or misdemeanor is committed or suspected and disclosure against the customer’s rights to confidentiality is justified)
  • with your consent – your consent may be implied or express and it may also be verbal or written.

HCA can disclose personal information (excluding sensitive information) with its other companies and brands where the purpose for sharing is related to the reason the personal information was originally collected. This excludes companies operating outside Australia.

APP 7 — Direct marketing

From time to time we may use the personal information we collect to identify particular HCA products and services which we believe may be of interest to the owner of the information. We may then contact owner of the information to let you know about these products and services and how they may benefit you. We will generally only do this with your prior consent (where practical) and we will always give you a choice to opt out of receiving such information in future.

Direct Marketing from HCA generally takes the form of Direct Mail, Electronic Marketing or Telemarketing. Each of these channels is handled as follows:

Direct mail – Where we use personal information to send you marketing information via the post we may do so with your implied consent or, if this is impracticable, we will ensure that you are provided with an opportunity to opt out of receiving future such communications. By not ticking a clearly displayed “opt out” box, we will assume we have your implied consent to receive similar marketing communications in the future. We will always ensure that our opt out notices are clear, conspicuous and easy to take up.

Electronic marketing – Where we use your personal information to send you marketing information by e-mail, SMS, MMS or other electronic means we may do so with your express or implied consent. You may give us your express consent by, for example, ticking a box on an electronic or paper form where we seek your permission to send you electronic or other marketing information. Consent may be implied from our existing business relationship or where you have a reasonable expectation of receiving an electronic marketing communication. Every directly addressed marketing contact sent or made by HCA will include a means by which customers may unsubscribe (or opt out) of receiving further marketing information.

Telemarketing – HCA does not usually engage in telemarketing activities to our consumer customers. Generally, such marketing is only used in relation to our business customers. Should any consumer telemarketing be undertaken or authorised by HCA, we will, to the extent that it applies, comply with the relevant legislation (see above). Every directly addressed marketing contact sent or made by HCA will include a means by which customers may unsubscribe option in email (opt out) of receiving further marketing information.

Additionally, you may instruct us at any time to remove any previous consent you provided to receive marketing communications from us. Requests should be directed to the HCA Privacy Contact Officer via the channels provided under ‘How to contact us’.

APP 8 — Cross-border disclosure of personal information

HCA may transfer personal information to countries outside Australia (for example when you request work application to be lodged with one of HCA international office. We will only do so in compliance with all applicable Australian data protection and privacy laws and where the owner of the information is expressly informed and consented.

HCA will take reasonable steps to protect personal information no matter what country it is stored in or transferred to. Those reasonable steps may include ensuring the recipient does not breach the APP’s and or the recipient is subject to similar law or binding scheme.

Disclosing personal information to an overseas recipient as required or authorised by law where a permitted general sitwwwion exists:

  • Lessening or preventing a serious threat to life, health or safety
  • Taking appropriate action in relation to suspected unlawful activity or serious misconduct
  • Locating a person reported as missing
  • Necessary for a diplomatic or consular function or activity
  • Necessary for certain Defence Force activities outside Australia

AAP 9 — Adoption, use or disclosure of government related identifiers

HCA generally does not adopt, use or disclose a government related identifier unless an exception applies. The owner of the identifier is the issuing organisation and is personal information. The owner or user of the identifier cannot consent to the adoption, use or disclosure of their government related identifier.

Types of Government Identifiers include but not limited to:

  • Medicare Number
  • Tax File Number
  • Driver’s Licence Number
  • Driver’s Licence card number
  • Centrelink Reference numbers
  • Australian Passport numbers.

Healthcare providers are authorised by law, Healthcare Identifiers Act 2010, to adopt the individual healthcare identifiers of their patients as their own identifier. That is, they may organise the personal information of their patients by reference to the patients’ individual healthcare identifiers.

HCA employees working in the healthcare industry where the use of Government identifiers is legally permitted must comply with the following: Where a HCA employee is working with an authorised organisation may use or disclose the
government related identifier of an individual if the use or disclosure is reasonably necessary for the organisation to verify the identity of the individual for the purposes of the organisation’s activities or functions.

The Government related identifiers are usually contained in high-integrity documents, and are therefore likely to be highly reliable for verifying an individual’s identity such as Australia Passport or Drivers Licence.

Part D – Integrity of personal information

APP 10 — Quality of personal information

HCA will take all reasonable steps to ensure that the personal information it collects is accurate, up-to-date and complete, and the personal information it uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up-to-date, complete and relevant. It is implicit that this requirement only applies to personal information ‘held’ by HCA.

Handling poor quality personal information can have significant privacy impacts for the owner of the information and can adversely affect the trust and confidence that the public and business partners has in HCA’s information handling practices.

HCA will ensure as it is reasonably practical, the quality of personal information at two distinct points in the information handling cycle. The first is at the time the information is collected. The second is at the time the information is used or disclosed.

Regular reviews, at other times, of the quality of personal information held by the APP entity may also assist in ensuring it is accurate, up-to-date, complete and relevant at the time it is used or disclosed.

Reasonable steps include but not limited to:

  • the implementation of policies, standards, procedures and systems to audit, monitor, identify and correct poor quality personal information (including training staff in these practices, procedures and systems) integrated into the Quality Management System.
  • implementing protocols that ensure personal information is collected and recorded in a consistent format. All information collected should be time stamped and relates to the purpose and point of time it was collected.
  • ensuring updated or new personal information is promptly added to relevant existing records
  • providing the owner of the information with a simple means or instruments to review and update their personal information on an on-going basis, for example eHCA’s online portal
  • reminding individuals to update their personal information each time the entity engages with the individual
  • contacting the individual to verify the quality of personal information when it is used or disclosed, particularly if there has been a lengthy period since collection
  • checking that a third party, from whom personal information is collected, has implemented appropriate practices, procedures and systems to ensure the quality of personal information through an enforceable contractual arrangement and through audit of the privacy standards applied by the third party organisation.
  • if personal information is to be used or disclosed for a new purpose that is not the primary purpose of collection, assessing the quality of the personal information having regard to that new purpose before the use or disclosure.

HCA does not need to take reasonable steps where:

  • We collect personal information from a source known to be reliable (such as the individual concerned) it may be reasonable to take no steps to ensure the quality of personal information. However, the onus is on HCA to prove that our actions qualify as reasonable in each individual circumstance.

APP 11 — Security of personal information

HCA is committed to maintaining the trust of person they deal with by protecting and securing personal information. We employ appropriate technical, administrative and physical procedures to protect personal information from:

  • unauthorised disclosure
  • unauthorised access
  • unauthorised modification
  • interference
  • loss
  • misuse, or
  • alteration.

We limit access to personal information to individuals with a business need consistent with the reason the information was provided.

Where we amend a personal record or information or add new personal information to a record any redundant information, or information history will be assessed for either destruction or deidentify the information, with the exception where the information is contained in a Commonwealth record or the entity is required by or under an Australian law, or a court/tribunal order, consideration for archiving as per the Archival legislation for records within the jurisdiction.

Reasonable steps could include taking steps and implementing strategies to manage:

  • governance
  • IS security
  • data breaches
  • physical security
  • personnel security and training
  • workplace policies
  • the information life cycle
  • standards
  • regular monitoring and review.

Where HCA has identified information that is to be destroyed or de-identified, we will take reasonable steps to destroy or de-identify all copies of that personal information, including copies that have been archived or are held as back-ups.

Where HCA has records in hard copy, disposal through garbage or recycling collection would not ordinarily constitute taking reasonable steps to destroy the personal information, unless the personal information had already been destroyed through a process such as pulping, burning, pulverising, disintegrating or shredding.

Where information is held in electronic form, reasonable step to dispose or destroy will vary depending on the kind of hardware used to store the personal information. In some cases, it may be possible to ‘sanitise’ the hardware to completely by remove stored personal information with the use of Drive Scrubbers.

For hardware that cannot be sanitised, reasonable steps must be taken to destroy the personal information in another way, such as by irretrievably destroying it the drive or disk the information is stored on, and may include secure shredding of the hard drive or other storage device.

Where it is not possible for HCA to irretrievably destroy personal information held in electronic format, we will take reasonable steps to de-identify the personal information or disable the application or put the information beyond use by taking but not limited to the following steps:

  • ensuring the information is not able to, and HCA will not attempt, to use or disclose the personal information
  • will not give any other entity access to the personal information
  • isolates the personal information with appropriate technical and organisational security.
  • This should include, at a minimum, access controls together with log and audit trails, and
  • take reasonable steps to irretrievably destroy the personal information if, or when, this becomes possible.

Where such information is on a third party’s hardware, such as cloud storage, where the organisation has instructed the third party to irretrievably destroy the personal information, reasonable steps would include taking steps to verify that this has occurred.

Remember the AC-ESIMS Hierarchy of controls, if you cannot “Eliminate” the electronic information (irretrievably destroy the information), then you must:

“Substitute” – the information by writing over the information with text eg X

“Isolate” – physically or electronically remove the information and store in a secure area.

“Modify” – de-identify the information by deleting personal descriptors and information.

“Shield” – use both physical (masking) and electronic security protocols to restrict access.

One of more of the controls can be implemented.

De-identification of personal information may be more appropriate than destruction as deidentified information could provide further value or utility to HCA or a third party as part of it business analysis.

We keep personal information only for as long as it is required for business purposes or by the law. HCA protects your personal information by complying with Information Security Standards, Industry Schemes and Statutory obligations. We regularly conduct targeted internal and external audits on our security systems to validate the currency of our security practices.

APP 12 — Access to personal information

A person who is able to confirm their identity has the right to request access to the personal information we hold about them. This right is subject to certain exceptions allowed by law.

HCA will, upon your request, and subject to applicable privacy laws, provide you with access to your personal information that is held by us. However, we ask that you identify, as clearly as possible, the type (or types) of information requested. HCA will deal with your request in a reasonable time – usually within 30 days.

Depending on the breadth of your request, we may recover from you our reasonable costs incurred in supplying you with access to this information.

Exceptions – Your right to access your personal information is not absolute. In some circumstances, the law permits us to refuse your request to provide you with access to your personal information, such as circumstances where:

  • access would pose a serious threat to the life or health of any individual
  • access would have an unreasonable impact on the privacy of others
  • the request is frivolous
  • the information relates to a commercially-sensitive decision-making process
  • access would be unlawful
  • access may prejudice enforcement activities, a security function or commercial negotiations.

Freedom of information laws – In addition to privacy laws, you may have rights to access your personal information contained in certain HCA documents. Details on how to apply for access to these documents are contained in the Freedom of Information Act 1982 (FOI Act).

APP 13 — Correction of personal information

It is inevitable that some personal information which we hold will become out of date. We will take reasonable steps to ensure that the personal information which we hold remains accurate. Where the owner of the information advises us of a change of details, we will amend our records accordingly.

Agency personnel records that have been inactive for a period of excess of 12 months, will not be actively checked or audited to ascertain their accuracy. The records will be frozen in time as at their last update. When an Agency Worker has not been engaged in a contract for in excess of 12, a fresh application or update of details will be required prior to recommencing agency work.

Personnel Records held in the Booking System that have been inactive for a period of 7 years are archived in the Booking System with the records tagged as hidden. Where an agency worker recommences casual work with HCA after the 12 month period, the record can be reactivated and updated upon receipt of a fresh application.

For clients, with whom HCA has an ongoing relationship with, personal information will be checked (and updated accordingly) at least annually on reviews, or when prompted by the client. Where your information has been disclosed to a third party, HCA will take reasonable steps to notify the third party of the correction.

Where we are unable to update your information, we will provide an explanation in writing as to why the information cannot be corrected.

General Considerations when applying the Australian Privacy Principles.

Taking reasonable steps – When considering what are reasonable steps when applying the APP’s, HCA considers the following criteria:

  • the sensitivity of the personal information. More rigorous steps may be required if the information collected, used or disclosed is ‘sensitive information or other personal information of a sensitive nature
  • the nature and size of HCA’s business.
  • the possible adverse consequences for an individual if the quality of personal information is not ensured.
  • the practicability, including time and cost involved.

HCA is cognisant that it will not be excused from taking particular steps by reason only that it would be inconvenient, time-consuming or impose some cost to do so. Whether these factors make it unreasonable to take particular steps, will depend on whether the burden is excessive in all the circumstances.

Loss of personal information

Despite our every effort to protect your personal information, there remains the possibility that a breach of our security could occur. In the event of loss of personal information HCA will:

  • seek to rapidly identify and secure the breach to prevent any further breaches
  • engage the appropriate authorities where criminal activity is suspected
  • assess the nature and severity of the breach including the type of personal information involved and the risk of harm to affected individuals
  • notify the affected individuals directly if appropriate and where possible
  • if appropriate, put a notice on our website advising our customers of the breach
  • notify the Privacy Commissioner (at the OAIC) if the breach is significant.

The Complaint Process

If you have a complaint about the way HCA has managed your private information, contact HCA’s Authorised Privacy Officer, our HR Director to lodge the complaint. HCA will investigate the complaint and consult with you to find a resolution to the mater. The lodgement of the complaint does not restrict you at any time to lodge a complaint with the Office of the Australian Information Commissioner (OAIC) or the Health Practitioner the National Health Practitioners Privacy Commissioner.

HealthCare Australia – HR Department

Phone: +61 2 9024 3241

Email: foirequest@healthcareaustralia.com.au

Under the Privacy Act 1988 (Privacy Act) you can make a complaint to the OAIC about the handling of your personal information by HCA.

The OAIC complaints process:

  • It is free to lodge a complaint.
  • You do not need a lawyer. However if you do decide to hire a lawyer, you must pay for the lawyer yourself.
  • The OAIC investigates privacy complaints from individuals about Australian, ACT and Norfolk Island government agencies, and private sector organisations covered by the Privacy Act. The Privacy Act does not cover State and Northern Territory government agencies.
  • The OAIC aims to resolve complaints as quickly as possible. Some complaints are resolved within weeks, but more complex complaints may take longer. You can find more information about what you can expect in our Client Service Charter.
  • Complaints are generally resolved through conciliation.
  • You can choose to withdraw your complaint at any time.

If you are looking for information about how to manage a privacy complaint against HCA, you should access the Office of the Australian Information Commissioner to access the following information:

  • Privacy fact sheet 9: Guide to internal investigations
  • Privacy fact sheet 11: How will the OAIC handle a complaint against my organisation?
  • How to make a complaint – Information about how you can make a privacy complaint to the OAIC, what you can complain about, who you can complain about, possible outcomes and what you should include with your complaint can be found on the Making a complaint page.

If you are unsure that the Commissioner will deal with your complaint, access to the Privacy Complaint Checker to assess whether the OAIC can deal with your complaint by answering a series of simple questions.

What happens to your complaint – OAIC will deal with your complaint as quickly as possible and keep you informed of its progress. The OAIC is independent and impartial in dealing with your complaint. More information about the OAIC complaints process can be found on the “What happens to your complaint” page.

Privacy appeal rights – If you are not satisfied with a decision the OAIC has made, you can ask the OAIC to review the decision. More information about your rights can be found on the Privacy appeal rights page.

Office of the Australian Information Commissioner

Phone: 1300 363 992

Teletypewriter (TTY) 133 677 then ask for 1300 363 992.

Speak and Listen users 1300 555 727 then ask for 1300 363 992

Where the complaint relates to a registered Health Practitioner, privacy complaints may also be lodged with
that body.

National Health Practitioners Privacy Commissioner

Phone 03 9674 0421

Email: complaints@nhpopc.com.au

Medical Records and Information

HCA collects medical “sensitive” information about its employees where it is lawful to do so. The information may relate to compulsory and or elective inoculations, medical restrictions, medical reports, sick leave absenteeism, and workers compensation reports from medical practitioners and or agents of the respective regulator.

HCA collects medical “sensitive” information about its clients directly related to HCA’s function or activities (e.g. direct care – medical, allied, personal care). This information may relate to current and past medical history, medications, past surgeries/operations, medical reports, current level of functioning and support/assistance required.

In concert with HCA general standards that apply to Private Information, more rigorous controls of the collection, holding and disclosure of sensitive medical information is required.

Medical Information Collected and Retained

The information collected and held includes, but not limited to:

  1. Identifying information
  2. Residential information
  3. Medical history/records
  4. Medications and regimes
  5. Medical certificates
  6. Certificates of Capacity
  7. Medical Reports and Assessments
  8. Summaries of claim information
  9. Claim reports

What is not collected is the individuals Medicare number.

How HCA collects and holds personal medical information

For employees – The information is in the first instance provided by the employee through an application for employment, as part of ongoing certification and through an application for compensation.

For Clients – The information is in the first instance provided via a referral and directly from the client through an initial consultation. If further information is required from other sources (e.g. the client’s General Practitioner), with the client’s consent, this information is sought. Records that relate to their employee’s employment are maintained in personnel records, with physical or electronic. Electronic personnel records and medical information is held in the Booking system, Elumina and in certain instances a physical file.

Sources of medical Information

HCA sources and or receives medical information from, but not limited to

  • the owner of the information
  • insurers
  • regulators
  • business partners and clients
  • medical practitioners
  • hospital records
  • courts and tribunals

Collection, Retention and Disclosure of Medical Information (Purpose)

For Employees – Information obtained and retained generally relates to the individuals

  • professional requirement in the declaring of certain medical information eg inoculations
  • Notifiable diseases
  • where the individual has permanent medical restriction that impacts on their employment
  • a claim for compensation of injury at work
  • a claim of bullying and harassment

Only that information that is required for the individual employment and or managing a claim of injury is disclosed to those who the information was intended for and the release of the information is authorised by the individual. In respect to workers compensation claims the application for workers compensation has the declaration and authorisation to exchange information between HCA, the individual, their medical practitioners, rehabilitation providers, the insurers and the regulators.

The purpose of why the information collected is to manage the individuals: –

  • recruitment processes
  • employment
  • managing a claim of injury
  • managing adverse actions
  • required by law

For clients – Information obtained and retained generally relates to the individuals

  • Health, medical and functional status
  • Level of impairments and impact
  • A claim for compensation or allowance (e.g. Lifetime Support Authority, Workers Compensation, National Disability Advisory Scheme)
  • Notifiable or communicable diseases
  • Functional status and level of impairment

Only information necessary for the direct delivery of services is disclosed to those who the information was intended for and the release of the information is authorised by the individual (e.g. personal care workers to undertake necessary care).

The purpose of why the information collected is to manage the individuals:

  • direct delivery of services
  • manage and support overall health and wellbeing
  • monitor clients’ wellbeing and heath and identify any areas for concern/follow-up
  • determine the impact of service delivery of client outcomes
  • required by law

Access to Medical Information

The owner of the information is at all times, with certain exceptions (see APP 12 Exceptions), where identity is confirmed, may at any time request the production of their personal information. They may access their personal information through a personal request and or Freedom of Information request. Information relating the identity of another person who has not authorised the release of the information to the applicant, the information will be de-identified.

HCA employees are authorised to collect, collate, retain and disclose sensitive personal information where it is part of their function. Access to sensitive personal information is restricted to those who are acting within the purpose of why the information was provided and have authorisation to access the information.

Medical information held in the Booking system is only accessible to those that are acting within the purpose of the provision of why the information was provided Medical information held in Elumina system is restricted to persons who have authorised access to the system.

Release to third parties is determined by authority given by the owner of their information, the release is required by law, the relates is required by a Court or Tribunal. All applications for the disclosure of information from a third party must be through a freedom of Information request, unless the disclosure is:

  • authorisation by the owner of the information
  • required by law,
  • required by a court or tribunal.

Electronic Media and Communication Privacy Statements

Healthcare Australia has developed the following Statement to be included in our External websites. The application of the Act and the APP’s is specific to the operations of website and the way information is handled by such sites. The following statement guideline should be amended to reflect how each web site manages information and how HCA deals with such information.

Privacy Statement

Healthcare Australia (HCA) understands the importance of protecting clients’ and staff members’ privacy. We are committed to complying with the Privacy Act 1988 and the Australian Privacy


The group prides itself on its ISO 9001 accreditation and its best practices through the Quality Assurance process. Integration of the Australian Privacy Principles into ISO 9001 strengthens our quality assurance claim.

The group principal business is the provision of casual care staff and the delivery of related education and training through its Registered Training Organisation, Education and Training Services.

How and why we collect your personal information

HCA collects personal information when and individual accesses our online intranet and web sites. Accordingly, we have systems in place to ensure our online dealings with the individual are as secure as dealings with HCA in person, or on the telephone.

In those instances where we secure your personal information in transit to us and upon receipt, we  use the industry standard encryption software, Secured Socket Layer (SSL) 128 bit encryption. The URL in your browser will change to “HTTPS” instead of “HTTP” when this security feature is invoked.

Your browser may also display a lock symbol on its bottom task bar line to indicate this secure transmission is in place. For site security purposes and to ensure this service remains available to all users, we employ software programs to monitor network traffic in order to identify unauthorised attempts to upload or change information, or otherwise cause us damage. Except for authorised law enforcement investigations, no other attempts are made to identify individual users or their usage habits other than those uses identified in this policy. Unauthorised modification or misuse of information stored in this system will be investigated and may result in criminal prosecution.

We collect personal information from you when you use our products and services. We collect it so we can:

  • Give you information to which you are entitled as a client or staff member
  • Supply to you, and administer, the products and services you require, and
  • Conform to various legislative and government reporting requirements

We also collect it so that we can provide you marketing information, with your consent (see below).

If your personal information is not provided

If you do not provide us with all of the information we request we may be unable to supply to you the product or service that you require.

Marketing information

Under no circumstances will information be sold to external agencies for marketing purposes. We may, with your consent, use your personal details to give you information that may be of interest to you, about the other products and services that are available from us, from our related entities, and from other businesses with which we or our related entities have relationships. Your consent will be implied unless you notify us that you do not consent to your information being used for this purpose. You can elect to alter your consent at any time.

When we may give personal information to other Organisations.

Sometimes we may need to give some personal information about you to other organisations who provide services that assist us in supplying to you, or in administering, the products and services you require, or assist us in giving you the information that you are entitled to.

Personal information collected by HCA is treated as confidential and is protected by the Privacy Act 1988. Personal information is information relating to an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion provided.

This site is operated by HCA without the use of an external service provider. When visiting this site, a record of your visit is logged. The following information is recorded for statistical purposes and is used by HCA to help improve the site. The following information is supplied by your browser:

  • the user’s server address
  • the user’s operating system (for example Windows, Mac etc)
  • the user’s top-level domain name (for example .com, .gov, .au, .uk etc)
  • the date and time of the visit to the site
  • the pages accessed and the documents downloaded
  • the previous site visited
  • the type of browser used.

No attempt will be made to identify users or their browsing activities except in the unlikely event of an investigation, where a law enforcement agency may exercise a warrant to inspect the Internet Service Provider’s logs.

Collection of Personal Information

When you e-mail us:

  • we will record your e-mail address
  • we will only use your e-mail address for the purpose for which you provided it
  • it will not be added to a mailing list
  • we will not use your e-mail address for any other purpose
  • we will not disclose it without your consent except where HCA may be required by law to disclose certain information.

Should you decide to use an online form, such as one used by HCA Enquiries:

  • we will record your name, e-mail address, street address, telephone number, occupation, company, area of interest and other personal information provided
  • we will only use this information for the purpose for which you provided it
  • the information will not be added to a mailing list
  • we will not disclose this information without your consent except where HCA may be required by law to disclose certain information.
  • We will, at your request, provide you with access to any information which we have collected about you through this website in accordance with Information Privacy Principle 6, Privacy Act 1988 (Cth). To gain access to this information you should contact us (see details below). If you believe that any information is inaccurate, incomplete or out of date, please contact us and we will revise the relevant information in accordance with Information Privacy Principle 7, Privacy Act 1988 (Cth).


A cookie is a text string that is included with Hypertext Transfer Protocol (HTTP) requests and responses. Cookies are used to maintain state information as you navigate different pages on a web site or return to the web site at a later time. Cookies cannot be used to execute code (run programs) or deliver viruses to your computer.

Persistent vs. Session Cookies – Cookies are either stored in memory (session cookies) or placed on your hard disk (persistent cookies). HCA does use a persistent cookie for saving the login id (if the user selects this option) on the login screen. All cookies, whether persistent or session based are encrypted using SSL.

  • Log-on and log-off administration – Persistent cookies help with the log-on and log-off processes for those users who have decided to register to use one of our online services. The cookies enable us to recognize your user ID when you log on so that you do not have to re-type your user ID each visit.
  • Transactions and site usability – We use session cookies to improve how you navigate through our website and conduct transactions. As examples, session cookies are used to maintain your online session as you browse over several pages; to store and prepopulate information so that you do not have to re-enter the same information twice.

How to Access Cookies Settings in your Browser – You have the ability to enable or disable cookies, or have Internet Explorer or Opera prompt you before accepting cookies. Note that disabling cookies may prevent some web services from working correctly, and disabling cookies does not make you anonymous or prevent web sites from tracking your browsing habits. HTTP requests still include information about where you came from (HTTP Referrer), your IP address, browser version, operating system, and other information (see Site Visit Data above).

You can configure your internet browser to accept all cookies, reject all cookies or notify you when a cookie is sent. Most browsers accept cookies by default. To learn more about cookies, including how to refuse cookies on your computer, click these links:

  • Microsoft Internet Explorer (External link)
  • Mozilla FireFox (External link)
  • Google Chrome (External link)
  • Apple Safari (External link)
  • Opera (External link)

Links to other sites

The HCA site contains links to other sites. We are ultimately not responsible for the privacy practices or the content of such web sites. We encourage you to read and understand the privacy policies on those websites prior to providing any information to them.

Some of the content appearing on the HCA website may be supplied by third parties, for example, by framing third party web sites or the incorporation through “framesets” of content supplied by third party application service providers. In such cases HCA will ensure that our contractual arrangements with these third parties protect your personal information in compliance with privacy laws.


Search terms that you enter when using our search engine are collected, but are not associated with any other information that we collect. We use these search terms for the purpose of aggregated statistical analyses so we can ascertain what people are looking for on our website, and to improve the services that we provide.

We may use external companies to provide us with detailed aggregate statistical analyses of our website traffic. At no time is any personal information made available to these companies, nor is the aggregate information ever merged with personal information such as your name, address, email address or other information you would consider sensitive or would compromise your privacy

Security of Information

Your personal information will not be released unless the law requires or permits it or your permission is given. We provide a secure environment and a reliable system but you should be aware that there may be inherent risks associated with the transmission of information via the Internet. For those who do not wish to use the Internet, HCA provides alternative ways of obtaining and providing information.


Where you believe that the security of your information has been managed inappropriately by HCA, you may lodge a complaint with either with HCA’s Authorised Office or the Office of the Australian Information Commissioner.

HealthCare Australia – HR Manager

Phone: +61 2 9024 3241

Email: complaints@healthcareaustralia.com.au


Office of the Australian Information Commissioner

Phone: 1300 363 992

Teletypewriter (TTY) : 133 677 then ask for 1300 363 992.

Speak and Listen users: 1300 555 727 then ask for 1300 363 992

National Health Practitioners Privacy Commissioner

Phone: +61 3 9674 0421

Email: complaints@nhpopc.com.au

AHPRA Framework

The Australian Health Practitioner Regulatory Agency (AHPRA) has adopted the APP framework in the management of personal information. However, one of AHPRA’s functions is the  establishment of up-to-date and publicly accessible national registers of registered health practitioners for each health profession. Any information we obtain from AHPRA is subject to the Privacy Act 1988 provisions APP Guidelines.

Personal information that is included in the National Registers includes:

  • registered health practitioner’s gender
  • suburb and postcode of the registered health practitioner’s principal place of practice
  • registration number or code given to the registered health practitioner by the National Board
  • date on which the registered health practitioner was first registered in the health profession in Australia, whether under the National Law or a corresponding prior Act
  • date on which the registered health practitioner’s registration expires
  • type of registration held by the registered health practitioner, including, where relevant:
  • the division in which the registered health practitioner is registered
  • the recognised specialty in which the registered health practitioner is registered, and
  • if the registered health practitioner holds limited registration, the purpose for which the practitioner is registered.
  • if the registered health practitioner has been reprimanded, the fact that the registered health practitioner has been reprimanded
  • relevant information in relation to any condition which has been imposed on the registered health practitioner’s registration or any undertaking which the National Board has entered into with the registered health practitioner
  • whether the registered health practitioner’s registration is suspended and, if the suspension is for a specified period, the period during which the suspension applies
  • if the registered health practitioner’s registration has been endorsed, details of the endorsement
  • details of any qualifications relied on by the registered health practitioner to obtain registration or to have the registered health practitioner’s registration endorsed
  • if the registered health practitioner has advised the Board the practitioner fluently speaks a language other than English, details of the other language spoken, and
  • any other information the Board considers appropriate.

Exceptions for the disclosure of personal information in AHPRA’s public registers are

  • A student register is not to be open to inspection by the public.
  • A Board may decide not to include certain information on the public register if it isnecessary to protect the practitioner’s privacy and there is no public interest in disclosure of the information on the public register.

Caution Note – The information contained in the public registers, albeit “Public Information”, HCA employees should exercise caution in the use and dissemination of AHPRA’s public registers information, as HCA does not have the legal authority to collect, hold and disclose any personal information from the public records without the information owner’s permission as the purpose of disclosure to AHPHRA may be different. Implied or tacit consent may not be suffice when dealing with information that is the subject of the Privacy Act 1988.

NHMRC Framework

HCA employs some of its Agency staff into Medical Research Organisations as researchers and research assistants. The manner in which they deal with personal information has stricter guidelines under Section 95 of the Privacy Act 1988.

The Privacy APP’s apply to any personal information held by the research organisations and as such, applies to HCA agency staff working within the facility, managing the collection, holding and disclosure of information.

Key considerations for HCA agency staff working within such organisations are, where developing a proposal for the conduct of each such research project, the researcher should state:

  • the aims of the research;
  • the credentials and technical competence of the researcher;
  • the data needed and how it will be analysed;
  • the source of the data;
  • the study period;
  • the target population;
  • the reasons why identified* or potentially identifiable* information is needed rather than de-identified* information, and the reasons why it is not proposed to seek consent to the use of personal information. [Note: Any genetic research should be conducted in accordance with the principles in ’16. Human Genetic Research’ of the National Statement on Ethical Conduct in Research Involving Humans (1999) when considering the release of personal information, and genetic testing.]
  • the specific uses to which the personal information used during the study will be
  • the proposed method of publication of results of the research;
  • the estimated time of retention of the personal information;
  • the identity of the custodian(s) of the personal information used during the research;
  • security standards to be applied to the personal information. In particular, that personal information will be retained in accordance with the Joint NHMRC/AVCC Statement and Guidelines on Responsible Conduct of Research Practice and in a form that is at least as secure as it was in the sources from which the personal information was obtained unless more stringent legislative or contractual provisions apply;
  • a list of personnel with access to the personal information;
  • the standards that will be applied to protect personal information
  • disclosed by a Commonwealth agency. These should include the:
    • (i) terms of any disclosure agreement between the agency and the researcher to
      govern the limits on use and disclosure of that personal information; and/li>
    • (ii) proposed methods of disposal of the personal information on the completion
      of the research, and that these are in accordance with the Archives Act, 1983
      for Commonwealth records and legislative requirements of a State or Territory;
    • (iii) standards that will be applied to protect privacy of personal information where it
      is made available to other researchers or third parties if that is proposed.

A researcher should provide to the agency from which personal information is sought written notification of the decision of an Human Research Ethics Committee (HREC) made in accordance with these guidelines.

If a researcher uses personal information obtained from a Commonwealth agency in accordance with these guidelines to contact a person, the researcher must inform that person:

  • that personal information has been provided by that Commonwealth agency in accordance with these guidelines; and
  • how that information will be used; and
  • that he or she is free at any time to withdraw consent for further involvement in the research [See ‘1. Principles of Ethical Conduct’; subheading ‘Consent’, National Statement on Ethical Conduct in Research Involving Humans (1999)]; and
  • of the standards that will apply to protect the privacy of that person, and
  • of existing complaint mechanisms to HRECs and the Commonwealth Privacy Commissioner.

The researcher must immediately report to the HREC anything that might warrant review of ethical approval of the research proposal [Human Research Ethics Committees’; subheading ‘Monitoring’, National Statement on Ethical Conduct in Research Involving Humans (2007)].

CRIMTRAC Framework

Criminal History Records and Information

Australian Privacy Principles (APP) and the National Criminal History Record Checks (NCHRC) Privacy Framework is applied to the management of criminal history records and information managed by HCA.

The National Criminal History Record Check (NCHRC) Policy ensures that all relevant staff employed within, and engaged by, Healthcare Australia (HCA) meets legislative standards relating to past criminal convictions.

This policy applies to all casual and locum employees and candidates for permanent recruitment where client Agreements require, criminal history checks. NCHRC are required for all health practitioners who are registered with the Australian Health Practitioner Regulation Agency (AHPRA).

This policy also covers unregulated HCA staff such as casual personal carers/care workers/Assistants in Nursing (however titled), support and technical staff placed by HCA whose duties require them to interact or may have unsupervised contact with patients and/or residents.

The NCHRC Policy was revised in February 2014 to reflect the changes made to the Privacy Amendment (Enhancing Privacy Protection) Act 2012, and the implementation of the thirteen (13) Australian Privacy Principles (refer Section 3: Standards).

CHI cannot be copied or distributed to anyone

  • The Criminal History Information (CHI) must NOT be copied and given to the Applicant under any circumstances.
  • The information from the check must be kept confidential and not disclosed to any other person, other than the individual Applicant.
  • You may only disclose the nature of the CHI in a personal interview with the Applicant,
  • thus giving them the opportunity to agree with or dispute the information disclosed. The Applicant may make notes, however you may not provide a copy of the outcome to the
  • Applicant

Authorised Agency Support Contact

HCA staff nominated to coordinate and provide access to the CrimTrac secure area of the HCA Booking System, once competed their own NCHRC consent and clearance form for Authorise Personnel, ensure signed “Deeds of Confidentiality” are completed by Authorised Personnel, maintain Register of Authorised Personnel updated quarterly and advise the HCA Authorised Officer of any issues pertaining to the management and administration of CrimTrac contract.

Authorised Personnel

HCA staff nominated to initiate the request for the NCHRC from CrimTrac, seek consent from employees and candidates and completes the NCHRC process. Authorised Personnel sign a “Deed of Confidentiality” in relation to the process and collection of NCHRCs.


It is the responsibility of Management (State Managers, Recruitment and Allocators) to ensure compliance to NCHRC Privacy Policy and Standards.


It is the responsibility of all HCA employees to familiarise themselves with the NCHRC Policy and to comply with the NCHRC process as required. It is the responsibility of all staff to use ONLY the forms specifically authorised for the
implementation of this subset of the policy.


  • Privacy Act 1988 (Cth)

Related Documents

  • Quality Management System – Core Standards
  • HCA Code of Conduct
  • HCA Disciplinary Policy
  • HCA EEO, Bullying and Harassment Policy
  • Australian Privacy Principles Guidelines
  • Schedule of Quality System Authorised Offices

Related Forms

  • National Police Checking Service (NPCS) Application/Consent Form
  • Medical Release Form
  • Information Release Form
  • FOI Request Form

Get in touch

Whatever questions you have, we're here to answer them.

Call 1300 422 111 Enquire online

If you’re a support worker, visit our job site’s page for opportunities.