Privacy Policy

PRIVACY COMMITMENT

At Regis, our purpose is to provide personalised and respectful care that embraces the experience of ageing. We do this with a relentless customer focus. Keeping your information safe is important to us. The purpose of this policy is to:

  1. set out the Privacy Collection Notice;
  2. ensure personal information is managed in a fair and reasonable way;
  3. protect the privacy of personal information including health information of clients, care recipients and workers;
  4. provide for the fair collection and handling of personal information;
  5. ensure that personal information we collect is used and disclosed for legally permitted purposes only;
  6. regulate the access to, correction of, or deletion of, personal information; and
  7. ensure the confidentiality of personal information through appropriate storage and security.

In handling Your personal information, we will comply with the Aged Care Act 2024 (Cth) from its commencement date, the Privacy Act 1988 (Cth) (Privacy Act) and with the Australian Privacy Principles (APPs), as well as this policy. This policy may be updated from time to time.

WHO THIS POLICY APPLIES TO

This policy applies where We collect Personal Information from You and it sets out how We collect, use and protect that information.

‘You’ or ‘Your’ in this policy refers to individuals accessing funded aged care services and their Supporters, the person or entity that is using our services, engaging with our services (including Employee and Worker candidates) or visiting our website.

‘We’, ‘Us’, ‘Our’ in this policy refers to:

  • Regis Healthcare Limited (ACN 125 203 054) together with its subsidiaries (Regis Group);
  • direct employees (Employee) employed via an employment contract with the Regis Group, including Aged Care Workers and Responsible Persons; and
  • to the extent they provide funded aged care services, indirect employees of the Regis Group, Associated Providers and employees of Associated Providers (Worker) including each of their contractors, sub-contractors, students, trainees or unpaid volunteers in a Regis Group workplace.

By interacting with Us and our Employees and Workers, You agree that We can use information about You in accordance with this policy. Please contact Us if You have any questions or concerns, or if You need help understanding this policy. We may also be able to help You to find support in making decisions that impact Your privacy.

DEFINITIONS

Personal information is any information that relates to, or opinion about, an individual or any information from which an individual could become reasonably identifiable. This includes technical information obtained from Your online behaviour which is unique to You and any personal information we need to collect about other individuals from You.

‘Person who is responsible’ may, depending upon the circumstances, be a parent, a child or sibling, a spouse, a relative, a member of the individual’s household, a Supporter, a statutory decision maker, guardian, an enduring power of attorney, a person who has an intimate and enduring personal relationship with the individual, or a person nominated by the individual to be contacted in case of emergency, provided they are at least 18 years of age.

Relevant Information is defined under the Aged Care Act and may also be protected information if it is Personal Information; or it is information (including commercially sensitive information), the disclosure of which could reasonably be expected to found an action by an entity (other than the Commonwealth) for breach of a duty of confidence AND it is obtained or generated by a person in the course of or for the purposes of:

  1. performing functions or duties, or exercising powers, under the Aged Care Act; or
  2. assisting another person to perform functions or duties, or exercise powers, under the Aged Care Act.

Sensitive Information (a sub-set of personal information that is afforded a higher level of protection under the Privacy Act) includes information or an opinion about race or ethnic origin, political beliefs, religious beliefs or affiliations, sexual orientation, criminal record, health information, financial information including bank account details and genetic information. As we provide Health Services under the Privacy Act, all information we collect in providing, or to provide such services is classified as health information, and is therefore Sensitive Information. When You accept care and services from Us, You accept that Permitted Health Situations exist in providing health services to You, and We may collect, use and store Your Sensitive Information.

‘Service manager’ is a person employed by Us in a management capacity and who is responsible for the provision of appropriate care and treatment of an individual.

Unsolicited personal information is information provided to Regis in circumstances where We have not requested the personal information.

In this Policy, terms which are capitalised but not otherwise defined in the Policy shall be taken to have the definitions set out in the Aged Care Act 2024 or Privacy Act 1988. Permitted Health Situations are defined in s16B of the Privacy Act.

COLLECTION OF PERSONAL INFORMATION

We may collect Your personal information, including sensitive information:

  1. if You make an enquiry regarding our services;
  2. if You access Our website;
  3. during the recruitment process;
  4. during provision of funded aged care services; and
  5. during the discharge process.

We generally collect five kinds of information:

  1. Personal Information provided by You, including your name, address, telephone number and email address;
  2. Sensitive Information comprising demographic, health and financial information including both personally identifiable information and aggregated statistical information:
    1. when assessing Your application to receive Our services; and
    2. if You enter Our care;
  3. government identifiers such as My Aged Care ID, Individual Healthcare Identifier (IHI), Medicare, Pension or Veteran’s Affairs numbers;
  4. information that We obtain about You when You visit our website including Your internet protocol (IP) address, the date and time of Your visit to Our website, the pages You have accessed, the links on which You have clicked and the type of browser that You were using; and
  5. aggregated statistical data which is information relating to Your use of Our website and Our services, such as traffic flow and demographics.

Who we collect personal information from

Personal information (including sensitive information) may be collected from You or:

  1. a client or care recipient;
  2. any person or organisation that assesses health status or care requirements, for example aged care assessors;
  3. the health practitioner of a client or care recipient;
  4. other health providers or facilities;
  5. third party service providers including Associated Providers;
  6. family members, supporters or attorneys of a client or care recipient;
  7. a legal advisor of a client or care recipient;
  8. a form (hardcopy and electronic) filled out by you in the course of delivering funded aged care services;
  9. Our online platforms from Your online behaviour when You interact with Our website;
  10. Your request to join our mailing or distribution lists or to be contacted for further information about our products and/or funded aged care services;
  11. debt collection agencies if you default in a payment to us.

We also collect personal information in the usual course of our business. This includes in forming business relationships or entering contractual arrangements, or when hiring an Employee or Worker, or in relation to Our contractors, volunteers and students.

We will collect personal information directly from You unless:

  1. We have Your consent to collect the information from someone else; or
  2. We are required or authorised by law to collect the information from someone else; or
  3. it is unreasonable or impractical to do so; or
  4. such collection is fair and would reasonably be expected for Us to carry out Our usual functions and activities.

We only collect and handle Your Personal Information that is provided by You, with Your consent or where otherwise permitted by law. We will assume that You have consented to us collecting all information that is provided to Us in accordance with this Privacy Policy unless You tell Us otherwise at the time you provide it to Us. Once You have provided Your consent, You are able to withdraw it at any time by contacting us.

Please note that if You provide Us with Personal Information about a third party, for example Your legal personal representative or emergency contact, You represent to us that the person consents to Us collecting and handling their Personal Information in accordance with this Privacy Policy, and We will collect it on this basis.

HOW WE USE PERSONAL INFORMATION

In accordance with the Aged Care Act and the Privacy Act, We will only use Your Personal Information for the purpose for which the Personal Information was given by You or on Your behalf, or purposes connected to the delivery of funded aged care services by us, or where You (or Your attorney) have consented to such use of Your Personal Information. We will only use Your personal information in ways that a reasonable person would consider are fair and reasonable for a business of our type.

For care recipients, We may use Your personal information:

  1. to assess Your application and to the correct level of funded aged care services, or in response to enquiries about Our services to communicate with You in relation to those services;
  2. to provide and manage the delivery of aged care services to You;
  3. to enable Associated Providers including allied health care providers, pharmacies and medical practitioners to provide care and services to You;
  4. to enable external health agencies such as ambulance service, hospitals, the Australian Department of Social Services, the Aged Care Quality and Safety Commission, Medicare and relevant organisations or Government Departments to provide care and services to You as necessary;
  5. to enable contact with and provide updates to a nominated person, Support Person, authorised representative or family member regarding Your health status or relevant updates to Your service;
  6. to inform You of any other services that may be of interest to You;
  7. to undertake research and surveys and analyse statistical information;
  8. to obtain funded aged care services from our suppliers;
  9. to deliver personalised content online and targeted online advertisements related to Our core business activities; and
  10. to comply with any requirements imposed by the Aged Care Act and the Aged Care Rules.

For all persons (including care recipients) who have engaged with Us, we may use Your personal information:

  1. to comply with legal, contractual, legislative and policy requirements including in relation to occupational health and safety and environmental matters;
  2. to assess an application for employment with Us;
  3. where You have given Your express consent;
  4. to enforce agreements between You and Us;
  5. for administration or business operations;
  6. during marketing activities (to market services We think might interest You);
  7. undertaking analytics and reaching insights about our market (to identify market segments, to carry out market research, to analyse how You and others engage with our services and content);
  8. in relevant advertising (to deliver targeted advertising or content which may interest You. We may choose technology partners who use algorithms or profiling to produce content); and
  9. to comply with the law.

We will always act fairly and reasonably. We will never trade or sell Your personal information to a third party or use artificial intelligence in automated decision making in ways which would infringe Your rights.

Notification

We will at or before the time or as soon as practicable after we collect personal information from You, take all reasonable steps to ensure that You are made aware of:

  1. Our identity and contact details;
  2. the purpose for which We are collecting personal information;
  3. entities or persons to whom We usually disclose personal information; and
  4. Our privacy policy.

When We share information about a care recipient

We may collect, use or disclose Your personal information under “share by default” provisions under Australian laws, such as My Health Record. It is Your obligation to inform Us that you have opted out of My Health Record, or do not wish Your personal information to be uploaded, or to register for My Health Record where You have previously not participated. You acknowledge that some of Your key health (personal) information may be mandated at law to be uploaded to My Health Record, and that we will upload your personal information, if You have not previously opted out. We may obtain Your personal information from My Health Records, including Your Individual Healthcare Identifier (IHI).

We may not use or disclose personal information other than the primary purpose of collection, unless:

  1. the secondary purpose is directly related to the primary purpose, and it would be reasonable to expect use or disclosure of the information for the secondary purpose; or
  2. You have consented; or
  3. the information is health information, and the collection, use or disclosure is necessary for research, the compilation or analysis of statistics, relevant to public health or public safety, it is impractical to obtain consent, the use or disclosure is conducted within the privacy principles and guidelines, and we reasonably believe that the recipient will not disclose the health information; or
  4. We believe on reasonable grounds that the disclosure is necessary to prevent or lessen a serious and imminent threat to an individual’s life, health or safety or a serious threat to public health or public safety; or
  5. We have reason to suspect unlawful activity and use or disclose the personal information as part of our investigation of the matter or in reporting our concerns to relevant persons or authorities; or
  6. We reasonably believe that the use or disclosure is reasonably necessary to allow an enforcement body to enforce laws, protect the public revenue, prevent seriously improper conduct or prepare or conduct legal proceedings; or
  7. the use or disclosure is otherwise required or authorised by law.

Managing health records of vulnerable people

Regis recognises that many in Our care experience vulnerability, such as cognitive impairment. We encourage supported decision making, and We will work with someone You have nominated to speak with Us on Your behalf. We may disclose personal information including health information about an individual to their authorised person if:

  1. the individual is incapable of giving consent or communicating consent;
  2. the service manager is satisfied that either the disclosure is necessary to provide appropriate care or treatment or is made for compassionate reasons or is necessary for the purposes of undertaking a quality review of Our services (and the disclosure is limited to the extent reasonable and necessary for this purpose); and
  3. the disclosure is not contrary to any wish previously expressed by the individual of which the service manager is aware, or of which the service manager could reasonably be expected to be aware, and the disclosure is limited to the extent reasonable and necessary for providing care or treatment.

HOW WE PROTECT YOUR PERSONAL INFORMATION

Your Personal Information is stored in a manner and is protected by the appropriate security safeguards to, as far as is reasonable, protect it from misuse and loss and from unauthorised access, modification or disclosure. Those who work with Us are aware of the importance we place on protecting Your privacy and their role in helping Us to do so.

When the Personal Information that We collect is no longer required, We will take all reasonable steps to remove or de-identify the Personal Information. We may, however, retain Personal Information for as long as is necessary to comply with any applicable law, for the prevention of fraud, for insurance and governance purposes, in our IT back-up, for the collection of any monies owed and to resolve disputes. For example, under the Aged Care Rules, we are required to retain information regarding the vaccination status of individuals receiving residential care for a period of seven years.

Here are some specific examples of the things We do in our organisation to protect your information:

Method Examples
Staff obligations and training
  • We regularly train and assess our staff in how to keep Your Personal Information safe and secure.
  • Our staff are required to keep Your Personal Information secure at all times and are bound by internal processes and policies that confirm this.
  • Access to Personal Information is controlled through access and identity management systems.
  • We have security professionals who monitor and respond to (potential) security events across our network.
System security
  • We store Your Personal Information in secured systems which are in protected and resilient data centres.
  • We have technology that prevents malicious software or viruses and unauthorised persons from accessing our systems.
Service providers and overseas transfers
  • When We send information overseas or use service providers that handle or store data, We require them to take steps to keep Your information safe and use it appropriately.
  • We control where information is stored and who has access to it.
Building security
  • We use a mix of ID cards, alarms, cameras, guards and other controls to protect our offices and buildings.
Our websites and apps
  • When You log into our Online Platforms, We encrypt data sent from Your computer or device to Our system so no-one else can access it.
Destroying or de-identifying data when no longer required
  • We aim to keep Personal Information only for as long as We need for Our business or to comply with the law. 
  • When We no longer need Personal Information, We take active steps to destroy or de-identify it.

OTHER WAYS WE COLLECT, USE AND DISCLOSE PERSONAL INFORMATION

Quality Assurance Activity

We conduct internal quality assurance activities that involve using information about You that We collect as part of usual care. Generally, quality assurance activity outcomes are used for internal purposes and We consider aggregate data that does not identify You by Your name or date of birth. Sometimes, We determine that quality assurance activity outcomes are beneficial to share in the wider health care community. We do not report identifiable information such as Your name or date of birth when sharing quality assurance activity outcomes.

Research

Sometimes We conduct research and collaborate with recognised research providers to research issues of benefit to Us and/or the aged care sector. The relevant multidisciplinary research committee and ethics committee will consider impacts on Your privacy. Such research is usually anonymised, however, if it becomes possible for Your identity to be ascertained (for example if a case study were to be published), We will seek Your express consent.

Training

We conduct training with our Employees and Workers. You agree that Your personal information may be used to upskill those persons to improve how We deliver clinical care and services. Sometimes We might not be able to de-identify Your information (for example, during on-the-job training). However, We will make reasonable efforts to prevent You from being reasonably identified in training materials (for example, if an image has been taken of Your skin, We will remove from the image any identifying features such as Your face, jewellery or tattoos).

High Risk Privacy Activity

In limited circumstances We may collect, use or store Sensitive Information such as facial recognition or biometric information. If this occurs, We would treat this as a high privacy risk activity, and We won’t undertake that activity without obtaining Your express consent, or completing a Privacy Impact Assessment. An exception to this would be the emergency use of a geolocation tracking device (for example, to assist in locating a cognitively impaired individual at risk of harm during unexplained absence). We are likely to only undertake high risk privacy activity if it is in the public interest, or has a significant health or safety benefit.

Closed Circuit Television Surveillance (CCTV)

We use CCTV in the public areas at some of our residential aged care facilities and other business premises to maintain the safety and security of our care recipients, workers, visitors and all other people who enter our properties. Some of Our CCTV systems may collect and store personal information. On rare occasions this information may be shared with law enforcement officers, or to comply with government regulation (such as in incident management).

Employee Information

For regulatory and compliance reasons, Regis is required to keep records of current and past workers. These records are directly related to the employment relationship and are managed in accordance with workplace laws. Privacy laws may apply to employee personal information if the information is used for something that is not directly related to the employment relationship between the employer and Regis. We will maintain those records for a reasonable period, in accordance with our Record Keeping Policy, after which the information may be deleted.

Candidates

Regis will collect personal information from candidates to assess Your application or suitability for employment with Us. This information may be disclosed to Our related bodies corporate and service providers for purposes such as aptitude and psychological testing or other human resources management activities. You may be asked for Your consent to the use and disclosure of certain Personal Information about pre-employment testing and to those people who you nominated to provide references. A refusal to provide any of this information, or to consent to its proposed disclosure, may affect the success of the application. We may store information about unsuccessful applicants for a reasonable period, after which the information may be deleted.

New Technology

From time to time We may use new technology, such as new applications, to ease the way We interact with residents, families, staff and other people we do business with. Each platform has separate privacy settings. Where possible, We try to adopt (or request our business partners to set) ‘privacy by default’ settings. However, for some applications to work as intended, they may collect, use or store Your personal information. On occasion, an application may request Your Sensitive Information (such as a finger vein scan, in the case of staff log-in technologies). In any case, such activity will be brought to Your attention at the time of collection, and will not be done without Your knowledge or consent, and will be voluntary. Even after You provide consent, you can withdraw this at any time.

Our Online Platforms

We sometimes use cookie technology on our Online Platforms. Cookies are a necessary part of facilitating online transactions. Most web browsers are set to accept cookies. We use them to estimate Our number of visitors and determine overall traffic patterns through Our websites.

We may also collect statistical information regarding the use of Our Online Platforms, including the domains from which website users visit, IP addresses, the dates and times of visits, activities undertaken on our Online Platforms and other clickstream data. In addition, We sometimes use web beacon technology to monitor internet activity on our websites.

If You do not wish to receive any cookies You may set your browser to refuse cookies. However, this may mean You will not be able to take full advantage of the services on our Online Platforms. If You set your browser to refuse cookies, a web beacon may still be able to generate a notice of your visit but it will not be associated with the information contained in cookies.

Unsolicited Personal Information

If We receive Your Unsolicited Personal Information, We will consider whether or not We could have collected Your personal information under this policy and:

  1. if We determine that We could not have collected the personal information, or that the information was not obtained lawfully, We will destroy or de-identify the information; or
  2. if We could have collected the personal information under this policy, We will manage the information in accordance with this policy.

Commonwealth Home Support Program Clients – Your MyAgedCare ID

  1. The Department of Health, Disability and Ageing (DoHDA) provides grant funding to providers of aged care services under the Commonwealth Home Support Program (CHSP).
  2. CHSP providers must report on the delivery of CHSP services to DoHDA via the Data Exchange (DEX).
  3. DEX is an IT system that is hosted by the Department of Social Services (DSS).
  4. DSS collects information (including about the services received and an encrypted version of a client’s ‘My Aged Care ID’) from you and stores this information as a de-identified record in DEX.
  5. With the exception of My Aged Care ID, DSS de-identifies and aggregates personal information that is stored on DEX to produce information for policy development, grants program administration, research and evaluation purposes, and this will not include information that identifies the client, or re-identifies the client, in any way.
  6. DSS’s privacy policy is published on its website. The website contains information about how the client may access or correct the personal information that is stored on DEX; complain about a breach of the APPs by DSS, and how DSS will deal with the client’s complaint. The privacy policy also contains information about the circumstances in which DSS may disclose personal information to overseas recipients.

YOUR RIGHTS

How to access, correct or delete your personal information (Your Rights)

You may object to Our collection, use or disclosure of Your personal information. If You do not wish to have Your personal information used in any manner or purpose specified above, please contact Us. However, clients or care recipients should understand that by withdrawing Your consent, or by providing incomplete or inaccurate Personal Information, We may not be able to provide You with the funded aged care services You require.

You have a right to ask us for access to Your personal information, and if you do ask Us, We will:

  • provide access to Your personal information;
  • identify the source of Your personal information;
  • explain or summarise what has been done with Your personal information;
  • consult with You about the format of our response, aiming to ensure You are informed about what is being done with Your personal information (as far as is reasonable); and
  • apply a nominal fee for responding to Your request (at our discretion).

You may also lodge a request to correct Personal Information We hold about You if You believe it is inaccurate, incomplete, irrelevant, misleading or out of date. There is no fee for doing this. To do so, please contact Us. Upon receiving such requests, We will take such steps as are reasonable in the circumstances to correct Your Personal Information to ensure that it is accurate, up-to-date, complete, relevant and not misleading.

We will acknowledge Your request within 7 days, and for simple requests can usually provide access to Your information within 30 days. More complex requests may take Us longer to locate, and We may charge You a reasonable administrative fee for the cost of providing access. If there is a charge, We’ll let You know beforehand, so that You can decide if You wish to go ahead.

In some cases, You may be able to request deletion of Your personal information held by Regis. Please note that sometimes it might not be possible to delete Your personal information, especially if We are legally required to hold it. If We cannot delete it, We will explain why.

Privacy Breaches

Please quickly inform us if You become aware of an interference in Your privacy originating from Us. If Your personal information is lost, stolen or subject to unauthorised access or disclosure, Regis will implement the Regis Aged Care Data Breach Response Plan. The faster You let us know of any privacy interference, the greater likelihood We may have in reducing any loss of privacy to You. Regis will also adhere to its obligations under the Privacy Act in relation to any required notifications to the Office of the Australian Information Commissioner (OAIC) and to those people whose personal information has been lost, stolen or subject to unauthorised access or disclosure.

How to contact us

For further information or for help taking steps about your personal information, please contact our Privacy Officer at privacy@regis.com.au

You can choose to deal with Us anonymously or use a pseudonym (in so far as this does not contravene any legal requirement), however We may not be able to provide You with the best service or effectively deal with any issues raised, without all Your personal information. If You wish to access, correct or update Your personal information We will require proof of Your identity before We can respond to Your request.

Privacy Requests

If You have a privacy complaint, or would like to make a request about Your personal information, please contact us. We will treat Your complaint or request seriously and confidentially, and a complaint will not alter our ongoing business relationship with You. We value Your input, and appreciate the opportunity to try to resolve Your concerns in the first instance.

We will:

  1. acknowledge Your request within a reasonable time, and give You a timeframe for Our response;
  2. provide reasonable assistance to You; and
  3. take reasonable steps to respond in a reasonable timeframe (usually within 30 days).

Our Privacy Officer or their delegate will investigate complaints and respond in writing to privacy requests, and provide reasons for our decisions where We have refused Your request. If You are dissatisfied with the handling or outcome of Your complaint or request, You may directly contact the following:

Office of the Australian Information Commissioner

Phone: 1300 363 992

Online: OAIC Web Form

Post: GPO Box 5288, Sydney NSW 2001

Health Complaints Commissioner (Victoria only)

Phone: 1300 582 113

Online: hcc.vic.gov.au

Post: Level 26, 570 Bourke Street, Melbourne VIC 3000

Aged Care Quality and Safety Commission

Phone: 1800 951 822

Email: info@agedcarequality.gov.au

Post: Aged Care Quality and Safety Commission, GPO Box 9819 (in your Capital City and State/Territory)

NDIS Commission

Phone: 1800 035 544 (free call from landlines) or TTY 133 677.

Interpreters can be arranged through the National Relay Service. Ask for 1800 035 544.

Website: ndiscommission.gov.au/complaints/make-complaint-about-provider-or-worker
