Summary
- Aged care providers must handle personal and sensitive client information in line with the Privacy Act 1988 (Cth) and the Australian Privacy Principles, including obtaining consent before collecting or using data.
- The Aged Care Act imposes specific obligations to use personal information only for aged care purposes, restrict disclosure without written consent, and apply reasonable security measures.
- Serious or repeated privacy breaches can result in civil penalties running into millions of dollars, as well as significant reputational and commercial damage.
- This article is a plain-English guide to data protection and privacy law obligations for aged care providers in Australia, written by LegalVision’s business lawyers.
- LegalVision specialises in advising clients on privacy compliance and data protection obligations.
Tips for Businesses
Get express consent before collecting sensitive information and review ongoing consent arrangements regularly. Train staff on privacy obligations as part of routine operations, not just onboarding. Have a data breach response plan ready before you need it. If you are unsure about your obligations, get legal advice early.
Aged care providers handle some of the most sensitive personal information that exists: health conditions, financial details, living arrangements and vulnerabilities that clients rarely share outside a care relationship. Australian privacy law sets clear rules around how you collect, use and protect that information, and the consequences for getting it wrong are serious. This article explains the data protection and privacy laws that apply to you as an aged care provider and addresses the key compliance issues you are likely to face.
What Does Data Privacy Cover?
Data privacy involves protecting individuals from unwarranted intrusions on their autonomy. For you, as an aged care provider, privacy is crucial due to the sensitive nature of the information you possess about your clients.
Services like nursing homes and in-home care collect data, such as:
- clients’ addresses;
- living arrangements;
- health and financial statuses; and
- vulnerabilities.
Sharing this information without consent could lead to legal consequences, as you are obligated to safeguard personal data.
In the Privacy Act 1988 (Cth), “personal information” refers to data or opinions about an identifiable or reasonably identifiable individual. This includes “sensitive information”, such as details about an individual’s health or ethnicity.
What Are Your Responsibilities?
The Charter of Aged Care Rights acknowledges that care recipients have the right to safeguard their information. As an approved aged care provider, you are responsible for taking reasonable steps to protect your clients’ personal information. Being careless with this information could undermine a client’s dignity.
In general, the Aged Care Act recognises three critical obligations:
- use personal information solely for providing aged care or other designated purposes;
- do not disclose personal information without written consent, except when necessary for providing aged care. For instance, if you’re required by a government funding agreement to report incidents, you can share information to meet that requirement; and
- safeguard personal information with reasonable security measures to prevent loss or misuse.
The Australian Privacy Principles (APPs) in the Privacy Act are also incorporated, with modifications, in the aged care sector. For instance:
- collect personal information reasonably necessary for your activities and using lawful methods (APP 3); and
- ensure personal information is up-to-date (APP 10) and allow individuals to correct their personal information (APP 13).
Tips to Reduce Legal Risk
To lower your risk of breaching data protection laws, you can take practical steps. These steps are not necessarily costly to put into practice.
The first step is simple: always get consent before collecting or using personal information. When it comes to sensitive data, individuals should expressly and clearly give consent. To reduce risk, it is important that:
- people are well-informed before giving consent;
- consent is given willingly; and
- individuals have the ability to understand and communicate their consent.
Moreover, the consent you receive should be current and specific, not outdated and unclear. For instance, if there’s an ongoing agreement for using personal data, make sure to renew it at reasonable intervals.
Another crucial step is to conduct regular staff training on data protection and privacy responsibilities. This training will help your team apply these practices in their daily work. For best results, consider using videos, modules, and quizzes to reinforce their understanding.
Thirdly, it is essential to have a privacy management and data breach response plan in place. Developing such a plan is often most effective when done with the guidance of a legal professional.
Breach Consequences
When you breach data protection and privacy obligations, it can have significant consequences, both for individuals and entities. Apart from legal consequences, the adverse impact can lead to a substantial loss of income.
If you breach privacy laws, a court could make you pay civil penalties. The Australian Information Commissioner has the authority to request the Federal Court or Federal Circuit Court to order your company to pay fines to the Australian Government if you are found guilty of breaking penalty provisions. The penalties for serious or repeated privacy breaches are substantial and could amount to millions of dollars, depending on the situation.
When You Must Report a Data Breach
If a data breach occurs, you need to act quickly. Under the Notifiable Data Breaches scheme in the Privacy Act, you must notify the Australian Information Commissioner and any affected individuals as soon as practicable. In practice, this means within 30 days of becoming aware that an eligible breach has occurred.
An eligible breach has three elements:
- personal information was lost or accessed without authorisation;
- a reasonable person would conclude the breach is likely to cause serious harm; and
- you have not been able to prevent that harm.
Serious harm includes financial loss, physical harm, reputational damage or psychological distress. For aged care clients, the threshold is often met quickly given the sensitivity of the information involved.
You should document every breach, even those that do not meet the notification threshold. This creates an audit trail and demonstrates that your organisation takes privacy seriously. If you are unsure whether a breach is notifiable, seek legal advice before deciding not to report it.
Key Takeaways
In an aged care setting, compliance with data protection laws is essential to maintain trust. An ethical approach involves ensuring that you use personal information for the purpose for which you collect it and that information is adequately secured. You should train your staff to respect privacy in their everyday activities. Remember, data integrity is a commitment to the well-being of those you serve.
If you have any questions about data protection and privacy laws, LegalVision provides ongoing legal support for businesses through our fixed-fee legal membership. Our experienced privacy lawyers help businesses manage contracts, employment law, disputes, intellectual property, and more, with unlimited access to specialist lawyers for a fixed monthly fee. To learn more about LegalVision’s legal membership, call 1300 544 755 or visit our membership page.
Frequently Asked Questions
Does the Privacy Act apply to all aged care providers?
The Privacy Act 1988 (Cth) applies to aged care providers with an annual turnover above $3 million. However, providers handling health information may be covered regardless of turnover. Check whether your organisation meets the threshold or falls under a specific exemption before assuming the Act does not apply to you.
What counts as a notifiable data breach in aged care?
A notifiable data breach occurs when personal information is lost or accessed without authorisation, and the breach is likely to cause serious harm. You must notify the Australian Information Commissioner and affected individuals as soon as practicable after becoming aware of an eligible breach.
Can you share a client’s personal information with their family members?
Not without consent. Unless the client has authorised disclosure, sharing personal information with family members may breach the Privacy Act. You should obtain written consent from the client or their authorised representative before disclosing any personal or health information to third parties, including family.
How long should you retain personal information in aged care?
You must retain personal information only as long as necessary for the purpose it was collected, or as required by law. Once no longer needed, you should securely destroy or de-identify the information to reduce the risk of unauthorised access or misuse.