| Document Reference | 2025/0010 |
| Document Owner | Board of Directors |
| Approval Authority | Board of Directors |
| Responsible Officer | Chief Executive |
| Business Area | Corporate Services |
| Next Review Date | 30 October 2028 |
Recommended by: Interim Chief Executive Date: 30 October 2025
Approved by: Board of Directors Date: 30 October 2025
1. Purpose
ECH recognises that privacy is important. This Privacy Policy outlines how ECH collects, uses, handles, stores and discloses personal information consistent with ECH’s obligations under the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), the Aged Care Act 2024 (Cth) and other relevant privacy laws.
2. Scope
This policy applies to all Responsible Persons, residents, clients, employees (non-employment information), potential employees and their referees, contractors involved in collecting, using, disclosing, handling or storing Personal Information and others having contact with ECH.
This policy does not apply to employee information and records exempted from the APPs.
3. Definitions
| Term | Definition |
| AI | Artificial Intelligence is technology able to perform tasks normally needing human intelligence including decision making and speech recognition. |
| Cookies | Cookies are small files that store information on your computer, TV, mobile phone or other device that enable us to recognise you across different websites, services, devices and/or browsing sessions. You can disable cookies through your internet browser, or by opting out if offered, but our websites may not work as intended. |
| Eligible data breach | Unauthorised access to, or unauthorised disclosure of, or a loss of personal information that ECH holds that is likely to result in serious harm to one or more individuals the information relates to and ECH has not been able to prevent the likely risk of serious harm with remedial action. |
| Necessary information | Information reasonably necessary for one or more of ECH’s functions or activities. |
| Personal Information | Information or an opinion about an identified individual, or an individual who is reasonably identifiable: (a) whether true or not; and (b) whether recorded in a material form or not and includes names and contact numbers, date of birth, certain financial details, medical insurance details, driver’s licence details, family history, names, addresses and contact number of family or friends, contact information about a person’s doctor and medical treatment, emergency contact details, internet protocol or server address. |
| Primary Purpose | The purpose for which ECH collects Personal Information for a specific function or activity. |
| Responsible Person | A person who: – is a Board member – is responsible for executive decisions at ECH (Chief Executive Officer and Executive Team members) – has authority or responsibility for (or significant influence over) planning, directing or controlling the activities of ECH delivered under the Aged Care Act 2024. |
| Secondary Purpose | Any other related purpose for which ECH collects, uses or discloses Personal Information other than the Primary Purpose. |
| Sensitive information | A subset of Personal Information afforded higher protection under Privacy Laws and includes: (a) information or an opinion about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, criminal record if the information also meets the definition of personal information or (b) health or genetic information about an individual or (c) some biometric information and biometric templates used to identify a person. |
| Unsolicited information | Data, facts or personal details given to ECH without asking for or expecting it including: (a) Unsolicited job applications (b) Emails sent in error (c) Extra information or attachments. |
4. Types of information
The types of information we collect and why depends on your relationship with ECH.
- Personal information
We collect and hold Personal Information about clients, relatives or supporters of clients, job applicants and their referees, employees, contractors and prospective contractors, students on work placement with us, volunteers and other individuals in contact with us (you).
- Sensitive Information
We may also collect Sensitive Information about you, including details of your health/mental health and medical history, race or ethnic origin, religion, nationality and details of any criminal record you may have.
If you are a job applicant or prospective or current contractor, we may also collect your tax file number or ABN and information about your work history and professional qualifications and/or memberships.
- Unsolicited information
If we receive unsolicited information we check if we could have lawfully collected it. If not, we will destroy or de-identify the information as soon as possible. If it is lawful and reasonable to keep it or we would have been entitled to collect the information if we had solicited it, we will handle the information as outlined in this policy.
More information about the types of information we collect about you and why is listed in Appendix 1.
5. Anonymity and Pseudonymity
You can deal with us anonymously (without identifying yourself) or under a pseudonym (fictitious name) unless it is impractical or we are legally required to identify you, for example to provide you with services or if you are applying for employment with us. If it isn’t possible to deal with you anonymously, we will explain why and only collect Necessary Information.
6. How we collect Personal Information
In most cases we collect Personal Information directly from you including when you ask us to provide you with services, during care planning and service delivery, in person or by phone, photos taken at events or during service delivery, when you browse our website or you send us job applications.
We may also collect information from third parties depending on your relationship with us. If you apply for employment with us, we may collect Personal Information about you from nominated referees or from social media sites with your consent.
We may also collect information not specifically listed if it is needed for our business functions or if required or permitted by law and may also issue data collection notices that explain how personal information is handled.
We only collect Necessary Information and handle it consistent with this policy.
There is no obligation for you to provide us with Personal Information except if required by law. If you choose not to provide us with Personal Information we need, or you provide incomplete or incorrect information, we may not be able to respond or update you about services or things relevant to you, provide you with our full range of services or consider you for employment.
7. Use and Disclosure
We use, store and disclose Personal Information for the purpose we collected it (Primary Purpose) or for a related purpose (Secondary Purpose) if:
- you consent;
- you would reasonably expect us to use or disclose (share) it for a Secondary Purpose that is related to the Primary Purpose or (in the case of Sensitive Information) directly related to the Primary Purpose;
- we are required to or authorised by law;
- a permitted general situation exists;
- a permitted health situation exists; or
- we believe it is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body (for example, to comply with occupational health and safety, industrial relations or taxation laws).
This means that while we usually ask for your consent to use or share it, there are times when we are legally required or authorised by law to use or share your Personal Information without your consent, for example if there is a serious incident we must report or if we need to respond to a regulator about a complaint.
Common purposes for which we may use or disclose Personal Information include:
- to develop and deliver tailored care that meets your individual needs and preferences and with your health professionals and other care team members about your services including ensuring continuity of care
- engaging or consulting with you about retirement living
- engaging with your representatives or supporters including legal guardians, persons holding powers of attorney and any Supporter registered under the Aged Care Act
- invoicing and debt recovery
- considering an individual for employment
- quality assurance, accreditation, improvement and training
- to contractors, advisors and other persons including information technology providers who are subject to confidentiality obligations
- with lawyers during legal proceedings
- handling feedback and complaints and
- communicating and engaging with you or your Supporters by sending newsletters, magazines, updates about our services, invitations to events and meetings or to notify you about changes.
Overseas Recipients
In general, we do not disclose Personal Information we collect and hold about you to any overseas recipients, except where our third-party service providers use cloud-based systems which are located offshore or our software vendor support desks operate from overseas offices. In these cases, Personal Information might be disclosed overseas because it is stored or accessed through these systems.
If a member of your family or legal representative or person you have authorised to receive information is overseas, we may transfer information to them by email, mail or phone.
8. Artificial Intelligence
ECH may use AI technologies including machine learning models to enhance our services and provide you with personalised experiences.
We do not use personal information or sensitive personal information to train AI without obtaining your consent unless you would reasonably expect it or it is related to the reasons we collected your Personal Information.
We acknowledge the potential benefits of using AI to enhance efficiency, innovation and service delivery. Employees may use AI tools for work-related purposes provided any use complies with ECH’s Generative AI Procedure, which means:
- Only AI platforms approved for use by ECH are used
- No Personal Information or Sensitive Information about clients, employees, contractors or any other individuals or stakeholders is entered into non-approved AI platforms
- AI-generated content is reviewed for bias, accuracy, relevance and compliance before being used for decision-making, any external communications or official documentation.
9. Direct Marketing and promotions
We may send you marketing material and communications about our services, opportunities or events that we believe align with your needs and interests. This could include ECH’s magazine, newsletters, invitations to community events and programs or retirement village events and programs. These marketing communications could be sent by mail, email, SMS, phone or App.
When you engage with us, we ask you to opt in. You can update your preferences or unsubscribe at any time by contacting [email protected] or by following any opt-out instructions contained in marketing communications. When you opt out, we will stop using your information for direct marketing. If you do opt out, we will still send you essential communications including invoices, notices about fee or service changes and other things that are part of our service duty or legal obligations such as surveys required by the Aged Care Act.
10. Storage and retention
We store Personal Information as part of our business records, in a combination of hard copy documents in locked storage in secure offices and electronic formats including digital records in secure databases and cloud systems which are securely monitored and maintained.
We retain Personal Information for as long as necessary for the purpose it was collected or as required by law and consistent with ECH’s Records Disposal Schedule. Specific record keeping rules apply depending on the information. When Personal Information is no longer required or past any mandatory retention period, we take reasonable steps to securely destroy or de-identify it.
Some data may be stored in system backups or contact logs to ensure data integrity and business continuity. These are held securely and only accessed if needed for recovery or audits. Records in backup files that may be retained for longer periods after active system deletion continue to be subject to security safeguards.
11. How we protect Personal Information
Our security measures to protect Personal Information from misuse, loss, interference, unauthorised access, modification or disclosure include:
- mandatory training for employees about privacy and privacy laws
- policies, procedures and security protocols
- restricted access
- device and network protection.
While we strive to protect Personal Information transmitted via our website or email using secure networks, we cannot guarantee the security of information that you send us over the internet or by email during transmission and you should be aware that there is some inherent risk when sending information electronically.
12. How we manage Data Breaches
A notifiable data breach scheme operates in Australia. ECH is committed to the scheme and takes privacy breaches seriously. If we suspect an eligible data breach has occurred our priority is to assess and contain the breach and we will notify the Office of the Australian Information Commissioner and all affected individuals as soon as possible or if not possible, issue a public notice of the breach without identifying affected individuals.
13. Using our website and cookies
This policy extends to information collected through the ECH website or via other channels, including customer service interactions, social media and any other online interaction or electronic communication. By using our website and/or providing your information to us, you acknowledge that we will handle your Personal Information consistent with this Privacy Policy.
We may collect personal information about you when you use and access our website.
When you access our website, we may record certain information about your use for user experience, business purposes, security or statistics including pages visited, the time and date of your visit and the internet protocol address assigned to your computer.
We use ‘cookies’ or other similar tracking technologies on our website that help us track your website usage and remember your preferences.
We may also use cookies to enable us to collect data that may include Personal Information, for example, where a cookie is linked to your account. We may also use cookies for marketing and analytical purposes through online tools. We will handle any personal information collected by cookies in the same way that we handle all other personal information as described in this Privacy Policy.
Any links on our website to third party websites, platforms or applications or that ECH is linked from, are not subject to our privacy policy or controlled by us and we are not responsible for the content and privacy practices of other sites. We recommend you review the privacy policies of any third party sites you visit. Inclusion of any third party links on our website does not mean we endorse the linked site, its products or services or imply any relationship.
14. Access to and correction of Personal Information
You have a right to request access to Personal Information we hold about you. We may ask you to complete a Request for Information Form to help us identify the information requested. We will also need to verify your identity or the identity of any third party asking for you and may need to check if you consented.
After we have verified the request we will endeavour to respond within a reasonable timeframe. We may charge you a fee to cover our reasonable costs to provide a large number of photocopies but we will not charge you for updating or varying your personal information.
In some circumstances we need to refuse access to Personal Information we hold about you if it would have an unreasonable impact on the privacy of others or because we are otherwise prevented by law from releasing the information or it might prejudice negotiations with you. If we refuse access, we will tell you why and how to complain.
We take reasonable steps to ensure that Personal Information we collect is accurate, complete and up to date. If you believe any information about you is incorrect or incomplete, you can ask us to correct it by discussing it with your ECH contact person or contacting our Privacy Officer at the address below. If we refuse your request, we will tell you why and, if reasonable, make a note in our records about your request.
15. Complaints about how we handle your information
We take privacy concerns seriously. If you have a complaint about how we collect, store, use or disclose your Personal Information we encourage you to speak to us first by talking to your ECH contact or by calling them on 1300 275 324. You can also use our website contact form https://www.ech.asn.au/contact or write to ECH’s Privacy Officer by email to [email protected] or by mail to Privacy Officer, at 174 Greenhill Road, Parkside SA 5063.
We acknowledge receipt of complaints within 48 hours and investigate and notify you within 30 days about how we propose to resolve the issue. Complex issues may take longer and we will keep you updated. If after our attempt to resolve the issue you are dissatisfied, you can escalate your complaint to the Office of the Australian Information Commissioner (www.oaic.gov.au) using the online form found at https://www.oaic.gov.au/privacy/privacy-complaints/lodge-a-privacy-complaint-with-us or by printing a form available on the OAIC’s webpage and mailing it to GPO Box 5288, Sydney NSW 2001.
16. Changes to this Policy
We may amend this privacy policy from time to time to reflect changes in the law, our services, technology or privacy practices and we encourage you to read our policy periodically. If you continue to use our services and provide us with Personal Information, we will deem you have accepted any changes. We will seek your consent when required by law.
17. Roles and Responsibilities
Board of Directors
Ensure obligations and requirements under the Australian Privacy Laws are met.
Chief Executive and Executive
Ensure resources are available and allocated to support ECH compliance.
Privacy Officer
Responds to and manages privacy breach complaints and oversees requests for access to or correction of Personal Information promptly.
All employees, contractors including associated providers, volunteers and students
Ensure privacy, confidentiality and security of personal information is maintained.
18. Related Documents and Resources
External
- Aged Care Act 2024 (Cth)
- Aged Care Code of Conduct
- Aged Care Rules 2025
- Privacy Act 1988 (Cth) and the Australian Privacy Principles
- Strengthened Aged Care Quality Standards
Internal
- Operational Governance Policy
- Information and Data Management Framework
- Information Sharing Guideline Procedure
- Mandatory Reporting Guideline
19. Feedback
Contact the Policy Officer with feedback on this document at: [email protected]. Feedback includes but is not limited to broken hyperlinks, updated processes and additional related documentation and resources.
Any updates identified prior to the review date can be forwarded to [email protected] for actioning.
20. Document History
| Version | Review Date | Description of Change |
| 1.0 | August 2022 | Document developed. Supersedes D16/28932 |
| 2.0 | August/October 2025 | Document reviewed and updates made including for Privacy Law updates and Aged Care Act 2024 provisions |
Appendix 1 – Types of Information and why collected (not exhaustive)
| Relationship | Types of Personal or Sensitive Information collected | Why |
| Clients | · Personal information including name, date, place of birth, gender and contact information (email, address, phone) · Legal and representative or supporter information, next of kin and emergency contacts · Financial and billing information including information about finances if relevant e.g. residential tenancies · Government identifiers including My Aged Care ID or Veteran’s Affairs ID · Marketing preferences and website usage data · Health and other Sensitive Information including treating practitioner names · Consent and permissions · Safety and incident reports · Funding arrangements | To ensure we: · Can communicate and coordinate service delivery safely and when relevant with your treating team and ensure client wellbeing · Can verify the authority of people acting for clients · Have details necessary for processing payments and managing accounts · Can respect client preferences and meet client needs and goals · Track requests, concerns and changes in needs over time · Meet our compliance obligations including under privacy and aged care laws · Continuously improve and meet reporting obligations |
| Client relatives, representatives or Supporters | · Personal Information including name and contact information (email, address, phone) · Appointment details including copies of legal documents e.g. Advanced Care Directives, Power of Attorney · Record of interactions including communications by letter or emails or notes of phone calls or meetings | To ensure: · Decisions and consents are valid · We can communicate when input is needed and notify any issues or concerns and support client wishes and needs · Continuity so that ECH team members know what has been discussed and agreed |
| Volunteers and students | · Personal Information including name and contact information (email, address, phone) · Demographic or professional background information · Legal and compliance checks e.g. National Police Checks or other screenings or reference checks · Health information (where relevant) | To ensure we can: · Communicate about schedules, responsibilities or incidents · Meet legal requirements including duty of care or for statistical or inclusion purposes · Comply with public health directives or mandatory vaccination requirements · Confirm whether qualified, suitable and able to undertake roles with specific physical requirements |
| Contractors, Associated Providers, suppliers, consultants | · Contact details including names, business names and addresses, phone numbers, emails, key personnel details · Professional credentials including information about qualifications, certifications, licences, registrations and relevant experience · Health information if relevant for safety including vaccination information if relevant · Compliance checks, National Police Checks or other required background checks · Financial information or bank account details · Legal and regulatory or supplementary information including ABN and Company Numbers, insurance details, drivers licence numbers or other information needed to ensure safety | To ensure: · We can communicate, engage and coordinate service delivery · That any qualifications, standards or regulatory requirements are met · Our obligations of safety to clients and employees will be met · We can invoice or pay on invoice |
| On site visitors | · Premises may be monitored by security cameras collecting footage of visitors and attendees · Personal Information including name and contact information (email, address, phone) | · To maintain security of premises and safety of people including employees and village residents |
| Prospective Employees | · Personal Information including name and contact information (email, address, phone) · Background checks including results of reference checks and pre-employment checks e.g. National Police Checks or other screenings · Employment history and qualifications including CVs, education and professional qualifications and other information related to prior employment · Health and safety information required to assess whether | · To make contact and verify rights to work, · To confirm whether qualified, suitable and able to undertake roles with specific physical requirements · To ensure ECH can provide a safe workplace and make any necessary adjustments |
| Other individuals who come into contact with us | · Personal Information including name and contact information (email, address, phone) · Reason for the interaction · Marketing preferences and website usage data · Communication records by letter or emails or notes of phone calls or meetings | · To communicate and respond to enquiries or deal with the interaction · To improve our services · To meet compliance and regulatory obligations including under privacy and aged care laws |