Privacy Policy


Approved by: General Counsel and Chief Privacy Officer
Date last updated: 30 June 2025
Next review date: 30 June 2026 (or earlier if legislative changes occur)

Table of Contents

1. Purpose and Scope

2. Application

3. Regulatory obligations and guidance material

4. Types of information we collect
4.1. For residents
4.2. For residents receiving services under the NDIS
4.3. For prospective residents
4.4. For relatives or representatives
4.5. For volunteers and students
4.6. For service providers, suppliers, contractors and consultants
4.7. For prospective employees
4.8. Employees
4.9. On site visitors and attendees

5. Methods of collecting information

6. Collection of additional Personal Information

7. Use and disclosure of Personal Information

8. Promotions and marketing

9. Storage and security

10. Notifiable Data Breaches

11. Overseas disclosure

12. Accessing your Personal Information

13. Updating or correcting your information

14. Anonymity and pseudonymity

15. Our Website and online interactions

16. Contacting us

17. Complaints about how we handle your information

18. Changes to this Policy

19. Dictionary

1. Purpose and Scope

Estia Health recognises the importance of your privacy. This Privacy Policy outlines how we collect, use, disclose, store, and otherwise handle your Personal Information and acknowledges Estia Health's obligations under the Privacy Act 1988 (Cth) (Privacy Act), the Australian Privacy Principles (APPs) and other relevant privacy laws and regulations (Privacy Laws), as well as under applicable aged care laws, including the Aged Care Act 2024 (Cth).

Our aim is to provide transparency regarding our data handling practices. This Privacy Policy is intended to provide an overview of our practices for the handling of your Personal Information in the course of providing our services, such as residential aged care and allied health services. Our privacy practices also support your rights under the Aged Care Act 2024 (Cth), including your right to personal privacy, dignity and to have your Personal Information handled in a respectful way.

Other policies or notices may apply in addition to this Privacy Policy, for example a data collection notice made available to you that explains our Personal Information handling practices relevant to our dealings with you.

2. Application

This policy applies to all Responsible Persons, all Aged Care Workers, all individuals receiving funded aged care services (FACS), their Supporters, potential employees and all employees and contractors involved in the collection, use, disclosure, handling, or retention of Personal Information. This Policy also applies to individuals receiving services funded under the National Disability Insurance Scheme (NDIS), including residents of Estia Health who are NDIS participants.

This Policy does not apply to certain information relating to our own employees, as the Privacy Act includes an employee records exemption for private sector employers. This means our handling of current or former employee records (where related to the employment relationship) is generally exempt from the APPs. We remain committed to protecting all Personal Information, but different arrangements (and in some cases separate internal policies) apply to employee records as permitted by law. This exemption does not apply to job applicants, volunteers or contractors. Their Personal Information is handled in accordance with this Privacy Policy and the APPs.

3. Regulatory obligations and guidance material

This Policy has been developed with reference to the following regulatory obligations, Quality Standards, and guidance material:

(a) the Aged Care Act, particularly Chapter 3, Part 4 and Chapter 7, Part 2;

(b) the Aged Care Rules, particularly Chapter 4, Part 7, Divisions 1 and 2;

(c) the Aged Care Quality Standards;

(d) the Revised Explanatory Memorandum relating to the Aged Care Act;

(e) the National Disability Insurance Scheme Act 2013 (Cth) and the NDIS Practice Standards and Code of Conduct (to the extent applicable to Estia Health's provision of NDIS-funded supports);

(f) the Privacy Act, particularly Schedule 1; and

(g) the OAIC's Guidelines to the Australian Privacy Principles.

4. Types of information we collect

The types of Personal Information we collect about you are tailored to our relationship with you, whether you are a resident in our care, a relative or representative of a resident, someone exploring our offerings or applying for a job or engagement with us. Below is an overview of the types of information we may collect:

4.1 For residents

  • Personal Identification - including your name, date of birth and place of birth, gender and contact information such as address, phone numbers and email.
  • Health Information - comprehensive health and medical details covering your care needs, assessments, clinical and hospital records, medications, medical history, test results and contact information of your general practitioner and other health professionals involved in your care. We may also collect photographs for clinical and identification purposes, and disability status to ensure all care requirements are met.
  • Legal and Representative Information - details of your family status, relatives, carers and visitors and any individuals authorised to act on your behalf (for example, your next of kin, any person holding power of attorney or guardianship, or any Supporter you have in place). This may include copies of relevant legal documents such as advance care directives, guardianship orders or power of attorney instruments so that we understand and can verify the scope of authority of those acting for you.
  • Financial and Billing Information - information about your assets and income (when relevant for determining fees), billing details, government identifiers such as your Medicare, pension or DVA (Department of Veterans' Affairs) numbers, and bank account or payment details necessary for processing payments and managing accounts.
  • Personal Preferences and Lifestyle Information - insights into your religious or cultural background, personal likes and dislikes, dietary requirements, hobbies, interests and social preferences. We gather this to enhance your living experience with us and to respect your preferences in daily life and care (for example, respecting religious dietary needs or arranging activities you enjoy).
  • Technology Usage - information on your use of digital devices and services within our homes (e.g. Wi-Fi or shared computers), to ensure we support your connectivity and access needs while maintaining IT security.
  • Interaction Records - documentation of communications and interactions you have with Estia Health, which may include notes from meetings or care consultations, emails or letters you send us, and recordings or summaries of phone calls (for example, if calls to our customer service line are recorded for quality assurance). These records help us track requests, concerns or changes in your needs over time.
  • Consent and Permissions - records of consents you provide (or refuse) for various activities or services, such as consent to medical treatments, consent to share information with family or representatives, photography consent, or preferences regarding participating in research or surveys. Keeping a clear record of your consents helps us uphold your rights and choices. This also supports compliance with APP 3 and APP 5 by ensuring transparency in our handling of Sensitive Information.
  • Safety and Incident Reports - information about any accidents, injuries, incidents or hazards involving you while in our care. This may include incident descriptions, witness statements and outcomes of investigations. We collect this information to ensure we respond appropriately, meet our reporting obligations (for instance, reporting reportable incidents to authorities as required by the Aged Care Act) and improve ongoing safety and care quality.

4.2 For residents receiving services under the NDIS

In addition to the categories of information collected from all residents, we may collect further information when a resident receives services funded through the NDIS. This information is collected to support care delivery, meet NDIS registration and reporting requirements, and ensure our services align with individual NDIS Plans.
The additional types of Personal Information we may collect include:

•    NDIS Participation Details – Your NDIS participation number, plan dates, plan manager and support co-ordinator details, and your stated goals or outcomes under the Plan.
•    Funding Arrangements – Details of funding allocated to specific support types, including core, capacity building and capital supports. We may also record service bookings and claims made to the NDIS portal. 
•    Service Agreements – Copies of your Estia Health NDIS Service Agreement or other agreements with allied or third-party providers funded under your NDIS plan, where relevant to the delivery of services at our homes. 
•    Support Delivery Records – Notes, logs or observations relating to supports delivered under your NDIS plan (e.g. social participation, personal care, behavioural supports), including any assessments or outcome tracking relevant to NDIS reporting.
•    NDIS Audit and Quality Compliance Information – As an NDIS-registered provider, we may be required to share or retain specific documentation to demonstrate compliance with the NDIS Practice Standards. This may include participant files, progress reports, and consent forms, all handled securely in accordance with this Privacy Policy. 
•    Support Team Communication – Contact and correspondence records with your support coordinator, plan nominee, or other NDIS-funded support professionals. This ensures a coordinated approach to your care and supports informed consent processes. 
We only collect this information with your consent or where authorised by law, and we apply the same stringent protections to NDIS-related information as we do to other health and sensitive information under the Privacy Act 1988 (Cth). Where we act as a provider of NDIS supports, we also comply with the NDIS Code of Conduct and NDIS Quality and Safeguards Commission obligations. 

4.3 For prospective residents

When you inquire or request information about becoming a resident at an Estia Health home (either yourself or via someone acting on your behalf), we collect information to assist with your inquiry and assess your needs:
•    Contact Information - names and contact details (phone number, email address and/or postal address) of the prospective resident and any individuals making inquiries on their behalf. This allows us to follow up with information or to arrange tours and assessments.
•    Personal Details - the prospective resident's name, date of birth and place of birth, which helps us to identify and tailor information to their situation (for example, understanding age-specific eligibility for certain funding or services).
•    Health Information - initial health and care related details that you or your representative provide, for example whether you have an Aged Care Assessment (such as an ACAT/ACAS approval) and the outcome of that assessment, any particular care needs or medical conditions we should be aware of, and any preferences for location or type of care. This helps us determine what services or vacancies might be suitable.
•    Vaccination Status - information regarding the vaccination status of prospective residents (for example, COVID-19 and influenza vaccinations). We collect this to ensure the safety and well-being of our community, as up to date vaccinations may be required or recommended (in line with public health guidance).

4.4 For relatives or representatives

When you act as an authorised representative or decision maker for an existing or prospective resident of Estia Health (for example, as a next of kin, Supporter, enduring power of attorney, guardian or financial manager), we collect and use information about you to facilitate care and services for the resident and to ensure decisions or consents are valid:
•    Identification and Contact Details - your name and how to reach you (including your address, phone numbers and email). This enables us to keep you informed about the resident's well-being, seek your input or consent when required, and notify you of any issues (such as incidents or changes in health status) in a timely manner.
•    Details of Appointment - information concerning your authority and relationship to the resident, for instance copies of or references to the legal document appointing you (such as a power of attorney document, guardianship order, or evidence of relationship if you are next of kin without formal appointment). We also note the scope of your decision-making powers (e.g. personal/health matters, financial matters, or whether you are a Supporter) so we can understand what decisions you are entitled to make on the resident's behalf.
•    Interaction Records - records of communications with you as the representative, including correspondence (emails, letters) and notes of phone calls or meetings. This helps ensure continuity, so all our team members know what has been discussed or agreed with you regarding the resident's care and services.

4.5 For volunteers and students

If you offer your time as a volunteer or are a student on placement with Estia Health, we may collect:
•    Personal and Contact Information - such as your name, address, postcode, telephone and email addresses, so we can communicate with you about schedules, responsibilities or any incidents.
•    Demographic Details - including your age, date and place of birth and gender. We may use these for statistical purposes and to ensure we meet any legal requirements and promote inclusion and diversity in our volunteer programs.
•    Professional Background - information on your qualifications, skills and any relevant experience. If you are a student, this might include details of your course and institution. If you are a volunteer, it might include past volunteer roles or relevant training. We collect this to match you with suitable roles and ensure you have the appropriate background for certain types of engagement (for instance, working with elderly residents with dementia).
•    Legal Compliance Checks - results of any necessary background checks, for example a National Police Check, NDIS Worker Screening Check and other checks required in the aged care sector. These checks are mandated by law or policy to ensure the safety of our residents.
•    References and Additional Information - any information obtained from referees or provided by you in connection with your application or placement, for example reference letters, interview notes or preferences you have expressed about volunteer duties.
•    Health Information - specifically pertaining to vaccination status (such as evidence of COVID-19 and influenza vaccinations) or other health clearances. Aged care providers are required to ensure employees and volunteers meet certain vaccination requirements for the protection of residents, employees and visitors. We collect this to comply with public health directives and our duty of care. (Any health information collected in this context is handled sensitively and only used for compliance and safety purposes.)

4.6 For service providers, suppliers, contractors and consultants

If you (or your organisation) provide goods or services to Estia Health, such as medical services, allied health, maintenance or consultancy, we may collect Personal Information about individual service providers or their personnel:
•    Contact Details - names, business addresses, postcodes, telephone and fax numbers, and email addresses of key contacts or personnel. This enables effective communication and coordination with you regarding service delivery (e.g. scheduling visits, sending purchase orders or contracts).
•    Professional Credentials - information about your qualifications, certifications, licences, registrations and relevant experience. For example, if you are a contracted physiotherapist, we will record your professional registration number and any specialisations; if you are a maintenance contractor, we might record licences or certifications you hold. We verify these to ensure you meet industry standards and regulatory requirements.
•    Health Information - where relevant for safety, we may collect your vaccination status (e.g. COVID-19 and influenza), since government health directives or our own policies might require all personnel entering aged care homes to have certain vaccinations during outbreaks or flu season.
•    Compliance Checks - evidence of any required background checks (e.g. police checks, NDIS worker checks) for contractors who will be on site or may have unsupervised contact with residents.
•    Supplementary Information - any additional Personal Information you or your referees provide that is relevant to your role or service. For instance, if you are a consultant this might include your ABN and insurance details; if you are a supplier's representative, it might include your role title or areas of responsibility.
•    Financial Information - where we need information from sole traders or individuals for payment purposes, e.g. bank account details for remittances.
•    Legal and Regulatory Compliance - any other Personal Information necessary for us to fulfil legal obligations or our internal risk management policies. For example, we might need to collect your driver's licence details if you will be driving our vehicles, or evidence of indemnity insurance if required by contract. Such information is used only for contract management, legal compliance and to ensure the safety and well-being of our residents and employees when working with external parties.

4.7 For prospective employees

If you apply for a job or express interest in working with Estia Health, we collect the information necessary to evaluate your application and suitability:
•    Personal Identification - your name, contact details (address, phone, email), date of birth, and any other identifying information you provide (such as a copy of your identification documents or immigration/work visa status if applicable). We need these to contact you and to verify your identity and right to work.
•    Background Checks - results of reference checks (notes of conversations with your referees) and any other pre-employment checks required for aged care roles. This typically includes a National Police Check and may include an NDIS Worker Screening Check and working rights verification. For certain roles, there may be additional checks (e.g. verifying professional registration for nurses or allied health staff).
•    Employment History and Qualifications - details about your prior employment (e.g. resumes/CVs, job titles, a history of positions held, duties and length of service), education, and any professional qualifications, certifications or licences (such as nursing registration or a food handling certificate), and any other information related to your prior employment history.
•    Health and Safety Information - any health information you volunteer, or which is required to assess your capacity to perform the job safely (for example, if the role has specific physical requirements, or to consider reasonable adjustments in case of disability). We may also record your vaccination status (COVID-19, influenza) at the application stage, since proof of certain vaccinations is a condition of employment in some aged care roles. This information is only used in accordance with equal opportunity and occupational health laws, that is, to ensure we can provide a safe workplace and make any necessary accommodations.

4.8 Employees

This Privacy Policy does not apply to our handling of information about our employees. Our handling of employee records is exempt from the APPs under the Privacy Act where the act or practice is directly related to both a current or former employment relationship between us and the individual and an employee record held by us relating to the individual.
For information about our practices relating to employee records, please contact us at the contact details listed in the “Contacting us” section below.

4.9 On site visitors and attendees

For the purpose of maintaining a secure environment at our homes and Estia Health offices, we operate security measures including CCTV (closed circuit television) cameras at various locations. If you visit or attend an Estia Health site (including as a resident, visitor, employee, contractor or any other entrant), please be aware:
•    Our premises are monitored by security cameras in certain areas, such as entrances, exits, hallways, communal areas and car parks. These areas are signposted to alert you to the presence of CCTV.
•    The primary purpose of CCTV monitoring is to maintain a safe and secure environment for residents, visitors and employees. Cameras help us to deter and detect unauthorised access and enable us to respond to incidents (for example, if there is a security concern).
•    Recorded footage is stored securely and is generally retained for a limited period (e.g. up to 90 days, though it may vary). We use this footage strictly for reviewing events in the case of incidents, emergencies or alleged misconduct.
•    Security camera footage that identifies individuals is treated as Personal Information. We will only view or disclose this footage for legitimate purposes such as security investigations, incident analysis, and as required by law. For example, footage may be provided to law enforcement or regulators if needed for an investigation or court order. We do not use CCTV to monitor private areas (like bathrooms) and do not use footage for any general surveillance of employees beyond ensuring security (in line with workplace surveillance laws). 
•    Any authorised external party (e.g. police, Aged Care Quality and Safety Commission, coroner) may be given access to footage only as permitted by law or with proper authority. We ensure any disclosure is properly documented and lawful.
By entering our premises, you acknowledge that your image may be captured on our CCTV for the purposes outlined above. 

5. Methods of collecting information

In most cases, we collect Personal Information directly from you. You might give us information through application forms, admission forms, agreements, face to face meetings, telephone calls, emails or via our Website. We may also collect information when you participate in surveys, provide feedback or during assessments and care planning discussions.

Sometimes it may be unreasonable or impracticable to obtain information directly from you. In such cases, and typically with your knowledge or consent, we might collect Personal Information from third party sources. Examples include:

•    Authorised Representatives - information from people legally authorised to act on your behalf, such as a guardian, Supporter, person holding power of attorney, or a public trustee/financial manager.
•    Family, Friends or Support People - information from those closely involved in your care. For example, a family member may share details of your care needs or routines during the admission process, or a friend assisting you might provide updated contact details.
•    Healthcare and Service Providers - we may collect information from other professionals involved in your care or from partner organisations. This could include hospital discharge summaries, information from your GP or a specialist, or notes from a physiotherapist or other allied health providers who have treated you.
•    My Aged Care and Government Sources - for residents entering care, we might receive information through the My Aged Care system or from an ACAT/ACAS assessment. Similarly, we might verify details with government bodies such as Medicare, Centrelink/Department of Human Services, the Department of Veterans' Affairs or the Department of Health, Disability and Ageing.
•    Professional Registration or Accreditation Bodies - particularly for employees, contractors or health practitioners, we might validate information via external databases, for example checking a nurse's registration on the AHPRA public register.
•    Estia Health Group Entities - if you have dealt with another entity in our corporate group (for example, you inquired at one of our homes previously, or you were a resident at another Estia Health facility in the past), information may be shared within the Estia Health Group as needed for operational purposes, continuity of care, or to streamline services.
•    Employees/Applicants - if you are applying for a role or working with us, we may collect Personal Information from your nominated referees or past employers (to obtain references), educational institutions (to verify qualifications) or professional associations.
•    Public and Social Media Sources - we generally do not actively seek your information from public sources, but in some cases it may be necessary. For example, if we need to locate a next of kin, we might use public records or social media to obtain current contact details. Additionally, if you have publicly shared a testimonial or concern on social media and we need to address it, we may collect that information.
In any indirect collection, we will ensure that we have a lawful basis (such as your consent or a legal requirement) and we will take reasonable steps to inform you of the collection (for example, by noting it in this Policy).

6. Collection of additional Personal Information

Estia Health may, from time to time, collect additional Personal Information not specifically listed in this Privacy Policy, where it is necessary for our functions or activities or as otherwise permitted or required by law. For instance, this may occur if you engage with us in a new way or we provide a new service. If you communicate with us via new channels (for example, a new messaging platform) or provide information we did not ask for (such as by sending a detailed letter or email), we will handle that information in accordance with this Policy. We will only collect what is reasonably necessary.

If we seek to collect significantly different Personal Information from you for a new purpose (for example, participating in a research project or pilot program), we will provide you with a relevant privacy notice or seek your consent as required.

In all cases, if we cannot collect the Personal Information that we require to fulfil a function or activity, or if you provide us with information that is incomplete or incorrect, there may be implications, such as:

•    We may not be able to provide our services to you, or the same level of care. For example, if we cannot obtain key health information, we might not be able to safely admit you or tailor your care appropriately.
•    We may be limited in keeping you informed about company updates, service changes or offerings that might be relevant to you.
•    We may not be able to consider you for employment (for example, if you choose not to provide required background 
•    We may not be able to adequately respond to an inquiry or request you make.

7. Use and disclosure of Personal Information

We use and disclose your Personal Information for the purposes for which it was collected, or for related purposes that you would reasonably expect, or as otherwise permitted by law. 
While we may ask for your consent to collect, use or share your Personal Information, there are times when we are legally required to use or disclose your information even without your consent, for example if there is a serious incident that must be reported to the government or if we are responding to a complaint.

Below is a non-exhaustive list of common purposes for which we may use or share Personal Information:
•    Delivering and Managing Care and Services - we use your information to develop and deliver tailored care and services that meet your individual needs, preferences and health conditions. This includes creating care plans, administering medications, providing clinical and personal care, and making adjustments as your needs change. We also use information to coordinate multidisciplinary care, ensuring that staff and visiting health professionals (GPs, physiotherapists, pharmacists etc.) have the relevant information to care for you. Where you receive NDIS-funded services, we use and disclose your information to deliver those supports, make claims and engage with your support co-ordinator, plan manager or NDIS representative to ensure continuity of care and compliance with the NDIS Practice Standards.
•    Engaging with your Representatives and Supporters - we will share relevant information about your care with your authorised representatives, such as your legal guardian, person holding power of attorney, or any Supporter you have under the Aged Care Act. For instance, if you have a Supporter who is helping you make decisions, we will provide them with the information they need to support you (with your consent), such as updates on your health or explanations of care options. Similarly, if you have an Independent Aged Care Advocate involved, and you have consented for them to be involved in a complaint or decision process, we may disclose relevant information to that advocate to assist in resolving the issue.
•    Mandatory Reporting and Government Requirements - we use and disclose Personal Information as needed to comply with our legal obligations in the aged care sector. We may report to:
     ◦    Police or Law Enforcement - in situations such as a resident being unexpectedly missing (unexplained absence), suspected elder abuse or a crime committed on premises, or other emergencies.
     ◦    Aged Care Regulators - such as the Aged Care Quality and Safety Commissioner (for reportable incidents like unlawful sexual assault or serious injury, or complaints), or the Department of Health, Disability and Ageing when required.
     ◦    Other Government Agencies - such as the Department of Veterans' Affairs or state health departments, if we must report certain data (for example, reporting outbreaks of infectious diseases or submitting data for quality indicators).
•    Ensuring Safety and Security in our Homes - we use Personal Information to keep our environment safe. For instance, we maintain visitor logs to know who is on site.
•    Sharing Information with Care Team Members and Health Professionals - we routinely share relevant personal and health information with members of your care team to facilitate and co-ordinate high quality care. For example, nurses, carers and allied health professionals at Estia Health will share notes and updates between shifts via our clinical software or handover meetings. External visiting health professionals (such as your GP, a physiotherapist, pharmacist or podiatrist) will be given access to your relevant health records or informed of your current status so they can provide informed treatment. If you transfer to or from another care setting (hospital, another aged care home, respite facility), we will also share necessary information to ensure continuity of care.
•    Quality Improvement and Training - we use information (often in de-identified form where possible) for quality assurance activities such as internal audits, satisfaction surveys, incident reviews and service evaluations. In some cases, regulators require us to collect and report data for quality indicators (like the number of falls or pressure injuries); this data, while relating to individuals, is handled confidentially and often reported in aggregate. We may also use real case scenarios (with identifying details removed) in staff training to illustrate best practices or areas for improvement.
•    Regulatory and Funding Compliance - we provide necessary personal and health information to Government departments, funding bodies and oversight agencies to meet our obligations. This includes data submissions for Medicare or subsidy claims, documentation for quality assessment by the Aged Care Quality and Safety Commission, and information requested by the System Governor for compliance checks. All such disclosures are either required or allowed by law and are often protected by confidentiality provisions in the Aged Care Act (for example, the concept of protected information limits how these bodies can further use the data).

Disclosures to External Third Parties – We may share information on a need-to-know basis with external parties in various situations:
•    With regulatory authorities or law enforcement when investigating an incident, handling a complaint or responding to enforcement action.
•    With medical or legal experts for obtaining independent opinions, e.g. if there is a complex care issue, we might seek a medico-legal opinion and share necessary parts of your record (with confidentiality measures).
•    With our insurance providers or legal advisors, if an incident occurs that could lead to a claim or liability. For example, after an adverse incident, we might share information with our insurers to notify them and seek guidance. These partners are bound by privacy and confidentiality obligations as well.
•    With lawyers or representatives of involved parties during legal proceedings (existing or anticipated). If you or your family initiate legal action, or we need to engage in legal proceedings (for example, guardianship hearings, subpoenas, coronial inquests), we will use and disclose relevant information as required by those proceedings. We do so carefully and typically under legal privilege or court direction. 
•    Business Operations and Service Management – We share limited information with third parties who support our business operations, strictly for agreed purposes. Examples include:
•    Billing and Debt Recovery – If you are a resident and fees are payable, we may share necessary details with our accounting system providers or debt collection agencies if needed to recover outstanding amounts. This would include your contact information and the amount owed, but not sensitive health data, unless required for the specific process.
•    Information Technology Providers – We use external vendors for IT systems (e.g. cloud data storage, electronic medical storage systems, communication tools). Personal Information may be stored on or transit through these systems. We ensure these vendors are bound by confidentiality and data security obligations. Some data (like backups) might be stored on secure servers which could be located overseas.
•    Quality Assurance and Accreditation – we might disclose relevant data to auditors or accreditation agencies. For example, auditors may review a sample of residents’ files to assess compliance with the Strengthened Quality Standards. 
•    Feedback Handling – if you lodge feedback or a complaint, internally we will review and share your information with those who need to respond. If an external dispute resolution body or government complaints agency (like a health care complaints entity) is involved, we may share information with them to resolve the complaint. 
•    Communication and Engagement – We use your contact information to keep you (and where appropriate your representatives) informed. For example, we maintain mailing lists to send out newsletters, updates on our services, invitations to events (like resident meetings, community events at the home), or notifications of any changes (such as new policies, emergency updates like a COVID outbreak status). We might also send satisfaction surveys or feedback requests to continually improve our services. You can opt out of non-essential communications at any time.

8.   Promotions and marketing

From time to time, we may use your Personal Information to inform you (and/or your nominated representative) about our services, new developments or related opportunities or events that we believe align with your interests or needs. This could include newsletters about life in our homes, invitations to community events or announcements from our partners in aged care and wellness. These marketing communications could be via mail, email, phone, through the Estia Health Connect App or SMS.

When you engage with Estia Health (for example, as a resident or by making an enquiry) you consent to us using your information for these direct marketing purposes, unless you opt out. If you prefer not to receive marketing communications, you can let us know at any stage by contacting us using the details in the “Contacting Us” section below or by using the opt-out mechanism in one of our communications.

Once you opt out, we will stop using your information for direct marketing. There is no charge for opting out, and opting out will not affect the care or services we provide to you. Please note, even if you opt out of marketing, we may still send you essential communications (for instance, a letter about changes to fees or a notice of a COVID outbreak at the home, etc, which are not marketing but part of our service duty).

We do not give your Personal Information to other organisations for their own direct marketing without your express consent. If we ever promote a third-party service, those communications will typically come from us, and you can respond to us or the third party as you choose.

9.   Storage and security

We hold Personal Information in a combination of electronic and hard copy formats. This may include digital records in our secured databases and cloud systems, as well as physical documents stored in locked cabinets in secure offices. Estia Health takes all reasonable steps to keep the Personal Information we hold secure and protected from misuse, interference, and loss and from unauthorised access, modification, or disclosure.

We may retain Personal Information for as long as necessary to fulfil the purposes for which it was collected, or as required by law. In the aged care context, there are specific record-keeping rules – for example, health and care records might need to be kept for a minimum number of years under health regulations or for medico-legal reasons. We also consider insurance and governance requirements. When Personal Information is no longer required and is past any mandatory retention period, we take reasonable steps to destroy it or de-identify it in a secure manner. Some data (like basic contact logs) may persist in secure archives for a time until they are cycled out, but we maintain protection for those as well.

We also note that some personal data may be stored in system backups. Our IT systems perform routine backups (including offsite or cloud backups) to ensure data integrity and business continuity. These backups are securely held and only accessed if needed for data recovery or audits. Individual records might remain in backup files for a longer duration even after deletion from the active system, but they remain subject to confidentiality and security safeguards.

Despite our robust measures, it is important to acknowledge that no method of data transmission over the internet or electronic storage is 100% secure. For example, while we strive to protect Personal Information transmitted via our Website or email, we cannot guarantee absolute security during transmission. You should be aware of this when sending us information electronically (e.g. if you email us sensitive details, there is some inherent risk). We encourage you to use discretion and contact us if you have concerns.

10.   Notifiable Data Breaches

A notifiable data breach scheme is currently in place in Australia. We are committed to adhering to this scheme as an important step in preventing and managing serious privacy breaches.

We, including all our people, take breaches of privacy very seriously. If we suspect a Data Breach has occurred, our priority is to contain and assess the suspected breach. In doing so, we will:

(a)    take any necessary immediate action to contain the breach and reduce the risk of harm;

(b)    determine the cause and extent of the breach;

(c)    consider the types of information involved, including whether the Personal Information is sensitive in nature;

(d)    analyse the nature of the harm that may be caused to affected individuals;

(e)    consider the person or body that has obtained or may obtain Personal Information as a result of the breach (if known); and

(f)    determine whether the Personal Information is protected by a security measure.

If we believe an Eligible Data Breach has occurred, we will, as soon as practicable, notify the OAIC and all affected individuals or, if it is not possible to notify affected individuals, provide public notice of the breach (in a manner that protects the identity of affected individuals). 

11.   Overseas disclosure 

In general, Estia Health does not routinely disclose Personal Information to overseas recipients during our care activities. Our residents’ personal and health information is primarily used and stored in Australia. However, there are a few scenarios where data might be stored with or accessible by overseas entities:

•    Some of our third-party software or cloud service providers might utilise servers or technical support teams located overseas (for example, a cloud data backup stored in another country, or a software vendor’s support desk operating from an overseas office). In such cases, the Personal Information might be “disclosed” overseas by virtue of being stored on or accessed through those systems. 
•    If a resident’s family or legal representative is overseas, with the resident’s consent we might transfer necessary information to them (e.g. emailing a care update).

Whenever we engage an overseas service provider or need to send information abroad, we take reasonable steps to ensure the overseas recipient will protect your information in line with Australian standards (APP 8). This includes using reputable providers with strong security measures and contractual clauses that mirror our privacy obligations. If we propose any new overseas disclosure that is outside of these scenarios, we will seek your consent or otherwise ensure the disclosure is permitted by law.

12.   Accessing your Personal Information

You have a right to request access to Personal Information that Estia Health holds about you. To request access, please contact us using the details provided at the end of this Policy. For security and clarity, we may ask that you put your request in writing, specifying the information or records you seek. This helps us identify the exact data and process your request efficiently. We also need to verify your identity (or authority, if you are requesting on behalf of someone else) before releasing information, to ensure that we do not inadvertently provide it to an unauthorised person. For example, if a family member requests records on a resident's behalf, we will check that we have the resident’s consent or that the family member has legal authority (like power of attorney or guardianship) to access that information.

Once your request is verified, we will endeavour to respond within a reasonable timeframe. We will either provide the information, arrange a mutually suitable way for you to access it (such as an inspection of records at our premises or providing an electronic or hard copy), or explain any legal reason why we cannot give you some or all of the information. In some circumstances, we may need to refuse access as permitted by law. For instance, we might decline or limit access if:

•    Granting access would unreasonably impact another person’s privacy (e.g. the information contains references to another individual who has not consented).
•    The request is frivolous or vexatious.
•    The information relates to existing or anticipated legal proceedings and would not be accessible via discovery in those proceedings.
•    Giving access would reveal our intentions in negotiations with you in a way that prejudices those negotiations.
•    Giving access could pose a serious threat to the life, health or safety of any individual or to public health or safety.
•    Denial of access is required or authorised by law (for example, under certain provisions of the Aged Care Act or other legislation).
•    The information is subject to legal professional privilege or some form of confidentiality that we are not lawfully able to break.

If we refuse access to any part of your request, we will provide written reasons explaining the refusal (except where it would be unreasonable to do so).

We will not charge you just for making an access request. However, in some cases we may charge a reasonable fee to cover our costs in providing the information – for example, if a large volume of photocopying is required or if we need to spend significant time compiling and summarising information. Any such charge will not be excessive and will be in line with regulations or guidelines. We would inform you of any proposed charge before proceeding so you can decide whether to continue with the request or refine it to reduce the cost.

If you have difficulty understanding information we provide (for example medical abbreviations in a health record), you can ask us, and we will try and assist or explain terms. 

13.   Updating or correcting your information

To enable us to provide you with the best possible service, it is important that the information we hold about you is accurate.

We take reasonable steps to ensure that the Personal Information we collect, use and disclose is accurate, complete, and up to date. If you believe any information we hold about you is incorrect, incomplete, or not up to date, you may ask us to correct it. If we refuse your request for access or correction (say, we disagree that it’s wrong, or we need to keep a historical record of the original information for legal reasons), we will notify you in writing and provide the reasons for our decision (unless it would be unreasonable to do so). If you are not satisfied with our response, you may request an internal review or lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

14.   Anonymity and pseudonymity

You may choose to remain anonymous or use a pseudonym when interacting with us, unless it is impracticable or we are legally required to identify you (for example, to provide health care or comply with aged care regulations).

If anonymity is not possible due to legal or care obligations, we will explain why and only collect the information necessary for the purpose. Please speak with us if you are unsure – we are happy to clarify when you can remain anonymous.

15.   Our Website and online interactions

This Policy extends to information collected through our Website, or via other methods including social media channels, customer service interactions, including verbal, written or electronic communications and any other engagements with Estia Health. By using our Website and/or providing your Personal Information to us, you acknowledge that we will handle your Personal Information in a manner consistent with this Privacy Policy.

When you access our Website (www.estiahealth.com.au) from a computer, mobile phone, or other device, we may make a record of your visit and logs for statistical, security, user experience and business purposes and we may collect information including: the user’s server address, the user’s domain name, IP address, the date and time of visit, the pages accessed and documents downloaded, the previous site visited, the operating system used and the type of browser used. We may also track some of the actions you take on the Website such as when you provide information or content to us.

We use "cookies" (small pieces of data we store for an extended period on your computer, mobile phone, or other device) and other tracking technologies on our Website to improve your experience and understand how you use our site. We also use them to know when you are interacting on the Website. You can remove or block cookies through your browser settings, but in some cases that may impact your ability to use some areas on the Website. If you use an external source to publish information on the Website (such as a mobile application or a Connect site), you should check the privacy setting for that post, as it is set by that external source.

We use third-party analytics, such as Google Analytics, consistent with APP 1.4, to collect anonymised statistics about how our Website is used. These features collect data via advertising cookies and anonymous identifiers in order to provide ads to users based on certain characteristics. You may opt out of the use of Google Analytics through Google Ads Settings.

Additionally, we partner with tools like Microsoft Clarity and Microsoft Advertising to capture how you use and interact with our website through behavioural metrics, heatmaps, and session replay to improve and market our products/services. Website usage data is captured using first- and third-party cookies and other tracking technologies to determine the popularity of products/services and online activity. Additionally, we use this information for site optimisation, fraud/security purposes, and advertising. For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement.

Our Website contains links to external websites for your convenience or reference (for example links to government sites like the OAIC or MyAgedCare). Please note that those sites are not controlled by Estia Health. We do not control those websites, and we are not responsible for the privacy practices or the content of such websites. We do not take responsibility for the content in, or currency of, any externally linked sites. We encourage you to review the privacy policies of any third-party sites you visit via links from our site. The inclusion of any link within our Website does not imply endorsement by us of the linked site or its products/services, nor does it suggest any relationship with the organisation linked.

We may also maintain profiles on platforms like Facebook, LinkedIn or others. If you interact with us via those platforms (e.g. messaging us through Facebook or commenting on one of our posts), the information you provide is also subject to those platforms’ privacy settings and terms. We will use any Personal Information obtained from social media interactions in accordance with this Policy. We advise not sharing Sensitive Personal Information in public comments on social media; instead, use private channels or contact us directly. 

By using our Website or online services, you acknowledge that your Personal Information may be collected and used as described above. We aim to be transparent about online data practices and if you have any concerns about Personal Information collected online, please contact us. 

16.   Contacting us

If you would like to access your Personal Information, correct or update your information, or if you have any questions, feedback, or complaints about how we handle your Personal Information, you can contact us in the following ways:

Call us at 1300 682 833 (9am-5pm, Monday to Friday, AEST)

Email us at privacy@estiahealth.com.au

Write to us at Estia Health, Attn: Chief Privacy Officer, Level 9, 227 Elizabeth Street, Sydney, NSW 2000.

17.   Complaints about how we handle your information

Estia Health takes your privacy concerns seriously and is committed to the transparent and respectful handling of your Personal Information. If you have a complaint about how we have collected, used, disclosed, or otherwise handled your Personal Information, we encourage you to contact us directly (using the contact details above) to try and resolve the matter first. Explain the situation and your concerns as clearly as possible, and any outcome you seek. This will give us the opportunity to address the issue promptly and hopefully resolve it to your satisfaction.  In some cases, we may need to investigate the matter first and we will keep you updated as to the progress of such an investigation.

If, after our attempts to resolve the issue, you remain dissatisfied with our response or the outcome, you have the right to escalate your complaint to the Office of the Australian Information Commissioner (OAIC). The OAIC can independently investigate privacy complaints about private organisations. You can contact the OAIC by calling 1300 363 992 or visiting their website at oaic.gov.au.

Before the OAIC investigates, generally they will expect that you have tried to resolve the matter with us first (which is why contacting us directly is important). The OAIC may also advise you if there are other more appropriate avenues (for example, if the complaint overlaps with health records laws in a particular state).

If your concern relates to some aspect of aged care service delivery beyond privacy – for example, care quality or staff conduct – you may also consider contacting the Aged Care Quality and Safety Commission (ACQSC) by visiting their website at agedcarequality.gov.au or by calling 1800 951 822.

18.   Changes to this Policy

Estia Health reserves the right to amend this Privacy Policy from time to time to reflect changes in legal requirements, our services, or our privacy practices. When we make changes, we will upload the revised Privacy Policy to our Website. The updated version will be effective from the time it is posted (unless stated otherwise). We will include a “last updated” date on the Policy for reference.

We encourage you to review our Privacy Policy periodically to stay informed about how we protect your information. If you have any questions or concerns about any changes, please contact us.

Your continued use of our services or provision of Personal Information to us after any changes to this Policy will be deemed as acceptance of those changes. However, if we were ever to fundamentally change the way we handle personal data (in a manner requiring consent by law), we would seek your consent where required. 

19.   Dictionary

Within the context of this Privacy Policy, references to "Estia Health" and "we," "us" and "our" are references to entities in the Estia Health Group. These include:

Estia Health Pty Ltd, Estia Investments Pty Ltd, Estia Finance Pty Ltd, Estia Health Residential Aged Care Pty Ltd, Estia Health BidCo Pty Ltd, Estia Health HoldCo Pty Ltd, Estia Health MidCo Pty Ltd and Estia Health TopCo Pty Ltd.

The terms "you" and "your" refer to any natural person whose Personal Information we collect.

“Aged Care Act” refers to the Aged Care Act 2024 (Cth), the federal law governing Commonwealth-funded aged care services, which imposes certain privacy and information handling obligations on providers.

“Aged Care Worker” means:
(a)    an individual employed or otherwise engaged (including as a volunteer) by us to deliver FACS;
(b)    an individual who is employed or otherwise engaged (including as a volunteer) by an associated provider, and is engaging in conduct under the associated provider’s arrangement with us relating to the Registered Provider’s delivery of FACS; or
(c)    an individual who is a Registered Provider.

“APPs” means the Australian Privacy Principles under the Privacy Act which govern:
a.    the standards, rights and obligations around the collection, use and disclosure of Personal Information;
b.    privacy governance and accountability;
c.    integrity and correction of Personal Information; and
d.    the rights of individuals to access their Personal Information.

“Data Breach” means unauthorised access to, or disclosure, alteration, loss, or destruction of, Personal Information—or an action that prevents us from accessing Personal Information on either a temporary or permanent basis.

“Eligible Data Breach” means a data breach that is likely to result in serious harm to any of the individuals to whom the information relates and we are unable to prevent the likely risk of serious harm with remedial action.

“Funded Aged Care Services” (FACS) refers to aged care services delivered by us that are subsidised or funded under the Aged Care Act (for example, government funded residential care services).

“Health Information” – a type of Sensitive Information that relates to a person’s health or disability, health services provided to them, or other Personal Information collected in providing a health service. In our context, that can include medical records, progress notes, clinical notes, care plans, and any information about your physical or mental health.

“Independent Aged Care Advocate” refers to an independent advocacy individual or service (such as those available through OPAN) that is authorised to support and represent older people in relation to their aged care rights. Under the Aged Care Act, older persons (or their decision makers) may involve an independent aged care advocate to assist them with complaints or decision making. We will engage with and may share relevant information with an independent advocate where you have consented to their involvement and as permitted or as required by law.

“NDIA” means the National Disability Insurance Agency, the statutory agency responsible for implementing the NDIS.

“NDIS” means the National Disability Insurance Scheme established under the National Disability Insurance Scheme Act 2013 (Cth), which funds supports and services for individuals with disability.

“NDIS Commission” means the NDIS Quality and Safeguards Commission, an independent body responsible for regulating the NDIS market and provider conduct, including compliance with the NDIS Practice Standards and Code of Conduct.

“Personal Information” means any information or opinion (whether true or not, and whether recorded in material form or not) about an identified individual, or an individual who is reasonably identifiable. This includes, for example, a person’s name, address, date of birth, contact details, as well as Sensitive Information such as health or financial details.

“Privacy Act” refers to the Privacy Act 1988 (Cth), the principal legislation governing Personal Information handling, including the APPs.

“Protected Information” for the purpose of this Policy (and as defined in the Aged Care Act 2024) means Personal Information obtained or generated for the purpose of providing aged care. In other words, most personal or health information you provide to us in connection with your care will be treated as Protected Information. We are legally restricted in how we use or disclose Protected Information and will only do so in accordance with the Aged Care Act.

“Relevant Information” is a broader category of information governed under the Aged Care Act. Relevant Information is information obtained or generated by a person in the course of or for the purposes of:
•    performing functions or duties, or exercising powers, under the Aged Care Act; or
•    assisting another person to perform functions or duties, or exercise powers, under the Aged Care Act.
Relevant Information is Protected Information if it is Personal Information, or if it is information (including commercially sensitive information) the disclosure of which could reasonably be expected to found an action by an entity (other than the Commonwealth) for breach of a duty of confidence.
Personal Information is defined as having the same meaning as under the Privacy Act.

“Responsible Person” means:
(a)    any person who is responsible for executive decisions (including members of the governing body);
(b)    any other person who has authority or responsibility for (or significant influence over) planning, directing or controlling our activities;
(c)    any person who has responsibility for overall management of the nursing services delivered by us, or overall management of the nursing services delivered at one of our approved residential care homes, and who is a registered nurse;
(d)    any person who is responsible for the day-to-day operations of an approved residential care home or service delivery branch.

“Sensitive Information” means a subset of Personal Information that is afforded higher protection under the Privacy Laws. It includes information or an opinion about an individual’s racial or ethnic origin, political beliefs, religious or philosophical beliefs, sexual orientation, criminal record, membership of professional trade associations or unions, and health information, genetic information and biometric information (among other categories defined in the Privacy Act).

“Supporter” refers to an individual registered as a supporter under section 37 of the Aged Care Act to support an older person in making decisions and exercising their rights. In practice, this typically means someone formally appointed under State or Territory law to make decisions on behalf of an individual (such as a legally appointed guardian or someone holding an enduring power of attorney), whose appointment can be registered with the System Governor as a supporter. A Supporter’s role is to assist an older person to the extent necessary for them to make their own decisions; as part of their role, Supporters have the power to request or receive information and documents relevant to the individual’s care. Importantly, a Supporter cannot make care decisions on your behalf unless that authority is granted under applicable law – their function is to help you understand information and communicate your own decisions, ensuring your will and preferences are respected.

“System Governor” means the Secretary of the Department of Health and Aged Care.

“Website” represents our online presence, accessible at www.estiahealth.com.au, through which we provide information about our services and homes.

For more information about how Estia Health might use, store, or otherwise handle your personal information and how to access or correct your personal information, please visit our Data Privacy Library.