Guide to Aged Care Law

Protecting information

The Act sets out the requirements for managing information under the aged care system. This includes who may use or disclose it and penalties for unauthorised use. This section also explains what de-identified information is.

Everyone who works in the aged care system manages some kind of information. For example, information about:

  • an older person’s health
  • a provider’s finances
  • a complaint to the Complaints Commissioner. 

The Act explains when information is protected, and how and when it can be used and disclosed. This is referred to as an authorised use or disclosure under the Act. 

[Chapter 7 – Part 2]

The type of information someone manages and how they can use and disclose it depend on their role.

  • General authorisations to use and disclose relevant information apply to any person who handles relevant information under the Act.
  • Entrusted persons are people who hold specific authorisations – in addition to general authorisations – to help them manage the aged care system.
  • The System Governor, the Commissioner and the Complaints Commissioner have further authorisations to make sure they can perform their functions under the Act.

Registered providers have specific requirements and responsibilities in how they can use and disclose information, which are explained in Chapter 3.

Types of information

[Chapter 1 – Part 2 – Division 1, Division 2]

The Act refers to 3 main types of information: relevant, protected and personal. 

Relevant information

Relevant information is any information someone might gain or create while doing their duties or using powers under the Act. This includes information a person might gain or create while supporting someone else who is performing duties or using powers under the Act. 

A piece of relevant information might be authorised for use for one purpose, but not for another purpose. 

Protected information

Some relevant information is also protected information. Relevant information is protected information if it is:

  • personal information, or
  • certain confidential information, including commercially sensitive information such as business pricing or contracts.

Personal information

The Privacy Act 1988 defines personal information as:

“Information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  1. whether the information or opinion is true or not; and
  2. whether the information or opinion is recorded in a material form or not.”

Unauthorised use or disclosure of protected information 

[Chapter 7 – Part 2 – Division 1]

It is an offence under the Act to use or disclose protected information without authorisation. The maximum penalties are:

  • 2 years in prison, or
  • a fine of 120 penalty units, or
  • both.

De-identifying information

De-identification means removing or changing details so that someone can’t be ‘reasonably identified’ from the data. De-identified information is no longer protected information, because it’s no longer personal information.

De-identification will likely require removing or changing someone’s name, address or age, but may also mean removing or changing other information.

De-identifying information also requires changing or removing information that might be used to identify someone if it’s cross-referenced with another source. 

For example, “a woman, aged 75-80, who lives in Woden, ACT” could be cross-referenced with another source to identify the individual. Instead, “a woman, aged 75-80, who lives in a metropolitan area” uses the category name of the area the woman lives in instead of the specific suburb name. This information now can’t be cross-referenced to another source to identify the person. 

In general, someone using or disclosing information should check if the task can be done using de-identified information.
