PRIVACY POLICY
PRIVACY POLICY
Protecting your personal information
Purpose
Under the Privacy Act, we are required to comply with the Australian Privacy Principles. For Identified Services, we are also required to comply with the Information Privacy Act and the Queensland Privacy Principles.
Those Principles set out the manner in which organisations may collect, store, use, and disclose Personal Information and how a person can access and/or correct records containing their Personal Information.
Additionally, as a registered provider of funded aged care services, we are also required to comply with the obligations under the Aged Care Act relating to the handling and protection of Personal Information and upholding an Individual’s right to have their privacy respected.
Mercy Community is committed to protecting your privacy and upholding our obligations under the Privacy Act, Aged Care Act and the Information Privacy Act. Handling information appropriately supports us in building and maintaining the trust of Individuals, their supporters and Mercy Community People in the provision of services.
As part of this commitment, we:
- are transparent about the Personal Information we collect;
- only collect Personal Information that is necessary for the services we provide;
- ensure Personal Information is handled in accordance with the law;
- take reasonable steps to keep all Personal Information secure;
- provide privacy training to Mercy Community People;
- build privacy considerations into our contractual and other arrangements, including where other organisations or contractors are used to deliver services on our behalf;
- monitor activities to ensure compliance and identify areas for improvement; and
- notify affected individuals and the Australian and/or Queensland Information Commissioner in the event of a data breach, when required to comply with our regulatory obligations.
This policy outlines the types of Personal Information that we usually collect, the purposes for which we collect it, to whom we disclose it, how we hold and keep it secure and your rights in relation to your Personal Information, including how to complain and how we deal with complaints.
Mercy Community is committed to ensuring that this policy is accessible, understood, and embedded in everyday practice. We do this by having the policy available on our website, intranet and in our offices and facilities for anyone to access.
Definitions
In this policy, the capitalised terms have the following meanings:
Aged Care Act means the Aged Care Act 2024 (Cth).
APPs means the Australian Privacy Principles.
Identified Services means the services provided by the Families and Young Peoples division of Mercy Community which are funded by the Queensland Government.
Individual means any individual who receives services delivered by Mercy Community and includes a person who prospectively receives services.
Information Privacy Act means the Information Privacy Act 2009 (Qld).
Mercy Community means Mercy Community Services SEQ Limited ABN 51 166 477 318, Mercy Health and Aged Care Central Queensland Limited ABN 34 096 724 033 and Mercy Community Services North Queensland Limited ABN 80 154 512 026.
Mercy Community People means all employees (including Board Directors and the Executive), students, volunteers, contractors, agency workers and consultants engaged by Mercy Community.
Personal Information means information or an opinion (including written and verbal information or an opinion forming part of a data base), whether true or not, and whether recorded in a material form or not, about an identified individual or an individual who is reasonably identifiable.
It may include, for example, basic identifying information such as name and address, health information, financial information, or employment information such as job title or work schedule.
Personal Information may include Sensitive Information.
Privacy Act means the Privacy Act 1988 (Cth).
QPPs means the Queensland Privacy Principles as set out in Schedule 3 of the Information Privacy Act.
Right to Information Act means the Right to Information Act 2009 (Qld).
Rules means the Aged Care Rules 2025 (Cth).
Sensitive Information means a type of Personal Information that requires higher protection due to its sensitive nature.
It may include, for example, racial or ethnic origin, religious or philosophical beliefs, health records, criminal record, or any other Personal Information that is ‘Sensitive Information’ as defined in the Privacy Act.
For Individuals, this may look like:
- health and medical information;
- racial or ethnic origin and religious beliefs or affiliations.
For registered providers and associated providers, this may look like:
- payment information; or
criminal history checks for the purposes of determining if Mercy Community People are suitable to provide aged care services as required by the Aged Care Act.
Scope
This policy applies to:
- Individuals and their relatives, supporters and authorised representatives; and
- Mercy Community People.
The Privacy Act and this Policy do not apply to employee records, such as salary details, performance reviews, medical records, and disciplinary actions where the collection, use, or disclosure is directly related to a current or former employment relationship with us.
Types of Personal Information we collect
We collect Personal Information from Individuals, their families and supporters, job applicants, students on work placement, contractors, service providers, donors, and other people when they choose to engage with us.
The type of Personal Information we collect and why we collect it depends on your relationship with us. The Personal Information we collect may include (but is not limited to):
- Individuals: name, address, date of birth, occupation and qualifications, details of next of kin, emergency contacts, registered supporters, family history, financial information (such as banking details) and sensitive information such as health and medical information (including disability information), child protection information, racial or ethnic origin, religious beliefs or affiliations;
- Mercy Community People: name, address, date of birth or emergency contact information, identification information, qualification and licencing details and probity check information;
- Job applicants: employment history and qualifications, information provided in resumes and cover letters, information from interviews, reference checks, and health information such as medical assessments, superannuation fund details, personal alternative contact details, identification documents such as licences and passports, qualifications and criminal history record;
- Students on work placement: academic history, placement agreements, probity verification, contact details, and emergency information;
- Donors: donation records, contact details, and preferences for communication; and
- Other people: any information provided in the course of interacting with us, such as through registration to attend our premises, feedback forms, surveys, or event participation.
We collect Personal Information from you to provide services and to operate our business. We may also collect Sensitive Information from you. If we are unable to collect Personal Information, we may be unable to provide the services required or continue our relationship with you.
Where possible, individuals may choose to remain anonymous or use a different name when dealing with us. However, this may not be possible if:
- it is impracticable to proceed without identification; or
- identification is required by law, a court, or tribunal.
How we collect Personal Information
We will generally collect Personal Information directly from you, using forms and documents (including in electronic form) you submit to us (such as signing up for an electronic newsletter), such as when you are applying for services, when we undertake health assessments or care planning, or when you enter into a contract with us or provide feedback or complaints via our various processes.
We also collect Personal Information through:
- publicly available sources, including social media;
- correspondence, telephone calls, or meetings;
- online interactions through our website;
- closed circuit television (CCTV) or other monitoring systems at our premises; and
- photography or videography in the course of providing services, such as during consultations or provision of clinical services.
Information from third parties
We also collect Personal Information from third parties depending on your relationship with us, including:
- Individuals: from relatives, supporters or other authorised representatives, health service providers (such as general practitioners, hospitals or allied health professionals or placement agents), or relevant government agencies (such as a Court or Tribunal, the Department of Child Safety, Qld Police Service, MyAgedCare, Services Australia, My Health Record, Australian Immunisation Register, the National Disability Insurance Agency; and the Department of Health, Disability and Ageing);
- Job applicants and contractors: we may collect details of any existing criminal record from police agencies or agencies completing police checks on our behalf, information from your references and previous employers; and
- Students: we may collect details of any existing criminal record from police agencies or agencies completing police checks, as well as information about the student from educational institutions.
Unsolicited information
If we receive unsolicited information (for example, an email sent to us by mistake), we will check if we could have lawfully collected it. If not, we will destroy or anonymise the information as soon as possible, unless it’s reasonable and lawful to keep it. If we do keep it, we will handle it according to this Policy.
Handling government identifiers
Tax file numbers and other government identifiers such as Medicare, Pension or Veterans Affairs numbers will only be handled in accordance with relevant legislation, if applicable.
Purposes for which we collect, use and disclose Personal Information
We collect, use and disclose your Personal Information to:
- assess eligibility for services, tailor services or provide the appropriate care or support to Individuals;
- enabling better co-ordination between us and other providers involved in an Individual’s care and treatment;
- manage and conduct our business, including matters such as payment for services, funding, service monitoring, planning, evaluation and complaint handling, insurance or legal services;
- provide reminders for appointments or follow-up care;
- undertake and maintain quality assurance processes, accreditation, audits, risk, client/patient satisfaction surveys and staff education and training;
- comply with legal and regulatory obligations, resolve any disputes and enforce our agreements and rights with third parties;
- to offer or promote our products and services;
- to obtain feedback;
- to help us manage, develop and enhance our services, including our websites and applications;
- assess suitability and eligibility for employment, or work placement roles;
- manage, train and develop our employees and representatives;
- manage funding or donations and communicate with donors; and
- improve our services, programs, and communication with stakeholders.
We will use and disclose your Personal Information for a secondary purpose related to a purpose for which we collected it, where you would reasonably expect us to use or disclose your personal information for that secondary purpose or where another exception applies under the relevant privacy legislation.
In certain circumstances, including those contemplated by the Aged Care Act, we disclose your Personal Information to third parties, including the following types of individuals or entities:
- medical or healthcare and allied health professionals, health funds, pharmacies and those providing services to our Individuals;
- relatives or authorised representatives;
- contractors, consultants, associates, volunteers, students, and related entities who are subject to confidentiality obligations;
- our professional advisers, including lawyers, accountants and auditors;
- customer, service, business or strategic research and development organisations;
- industry bodies, tribunals, courts, or others, in connection with any complaints made;
- government departments or funding agencies, police agencies and agencies who complete criminal history checks (such as CrimCheck and MyAgedCare);
- a purchaser of our business, or part of our business, as a going concern;
- other entities with the required consent or as permitted or required by law;
- our related entities who are providing services and third-party service providers so that they can provide services to Mercy Community. These contracted services might include support with business processes, information technology support or programming, hosting services, telephony services, security services, mailing or sending of documentation digitally or otherwise;
- if one of the entities of Mercy Community collect your personal information, that information will be shared with the other Mercy Community entities. Any of the entities of Mercy Community may use and disclose your personal information for the purposes described in this policy;
- a third party with whom we have contracted to provide services/products, administrative or other business services – for example, information technology providers, administration or business management services, consultancy firms, auditors and business management consultants, marketing agencies and other marketing service providers, print/mail/digital service providers, imaging and document management services, data warehouses, strategic learning organisations, data partners, analytic consultants, networks where people create, share or exchange information, accounting or finance professionals and advisers, government, statutory or regulatory bodies and enforcement bodies, document issuers and official record holders to verify your identity, any other external dispute resolution body, debt collection agencies; and
- any other organisation or person where you have authorised them to provide your Personal Information to us or authorised us to obtain personal information from them (e.g. your partner, spouse, parent or guardian).
Some of these organisations may be located Instances when we will do this include:
- when you have asked us to do so or we have your consent;
- when we are authorised or required by law or a Court/Tribunal to do so; or
- when we have outsourced a business activity or function to an overseas service provider.
Personal Information may be transferred to other countries, which may not have similar privacy or data protection laws, and may in certain circumstances compel the disclosure of personal information to a third party such as an overseas authority for the purpose of complying with foreign law or regulatory requirements.
We will disclose personal information overseas but only to the extent it is reasonably necessary to perform our functions or activities.
We may disclose the Personal Information of members of Mercy Community People, if required, to:
- health services providers;
- other employees in the course of conducting referee checks;
- the Australian Tax Office;
- workplace regulators, including for workplace health and safety, and workers compensation purposes;
- superannuation and insurance bodies; or
- external auditors or regulators.
We may aggregate or de-identify statistical information so that people cannot be identified, for our internal purposes or for sharing with government agencies or research organisations.
How we keep your Personal Information safe
Storing your Personal Information
- We store Personal Information in both paper form and electronically. Electronic records may be stored on local and/or cloud-based platforms. Our cloud storage providers are contractually required to handle Personal Information securely and in accordance with privacy laws.
- We take all reasonable and appropriate steps (including organisational and technological measures) to protect your personal information from misuse, interference and loss, as well as unauthorised access, modification or disclosure.
How we protect your Personal Information
- We have strict security measures in place to protect Personal Information from misuse, interference, loss, and unauthorised access, modification, or disclosure. These measures include:
- policies and procedures: clear security protocols for Mercy Community People to follow;
- secure storage: physical files are stored in secured facilities both on our premises and at offsite locations;
- restricted access: only authorised members of Mercy Community People and contractors, who need access for their role, can view certain Personal or Sensitive Information;
- secure transmission: electronic information is transmitted using secure networks or encryption. However, despite our best endeavours, it is important to note that no internet transmission is completely secure; and
- device and network protection: security tools such as authentication controls, firewalls, virus scanning and intrusion detection help safeguard our systems.
How we handle data breaches
- We take data breaches seriously and in compliance with our data breach policy. If a data breach occurs, we will notify the affected individuals and the Australian Information Commissioner and/or the Queensland Information Commissioner if required in accordance with our regulatory obligations.
How long we keep Personal Information
- We retain Personal Information only as long as necessary for the primary purpose of collection or a lawful secondary purpose.
- Generally, records are kept for at least seven years from the date of the last record. When no longer needed, Personal Information is securely destroyed or de-identified.
How we destroy Personal Information
- When Personal Information is no longer required for our functions, activities, or legal obligations, we securely destroy or permanently de-identify it to protect privacy and prevent unauthorised access.
- We follow all legal and regulatory requirements when destroying information, ensuring compliance with the Privacy Act and other relevant laws.
Cookies and websites
Cookies are small data files stored on a person’s computer, mobile phone or other device when visiting a website. They help track pages visited and improve website functionality, and may remember your preferences.
Our website uses cookies. Browser settings can be adjusted to block cookies, however, this may limit website functionality.
Whilst we do not use browsing information to identify you personally, we can record certain information about your use of our website, such as which pages you visit, the time and date of your visit, search engine referrals and the internet protocol address assigned to your computer.
Our web pages can contain electronic images, known as web beacons. These electronic images enable us to count users who have visited certain pages on our website. Web beacons are not used by us to access your personal information, they are simply a tool we use to analyse which web pages are viewed, in an aggregate number.
We are not responsible for third-party websites, platforms, or applications linked to, or associated with our services. Their privacy policies should be reviewed before use. Some third-party platforms may offer tools to manage privacy settings and opt out of personalised ads.
Direct Marketing
We can use your Personal Information to identify a product or service that we believe you are or may be interested in or to contact you about an event or promotion. We can, with your consent, use the Personal Information we have collected about you to contact you from time to time whether by phone, email, SMS to tell you about new products or services and special offers that we believe are of interest to you.
You can withdraw your consent to receiving direct marketing communications from us at any time by contacting the Privacy Officer.
CCTV
We use CCTV systems at our sites. We collect your Personal Information via CCTV for the purpose of:
- monitoring the safety and security of Individuals, Mercy Community People and suppliers, and completing incident investigations;
- detecting and deterring unauthorised access to, or unwelcome or criminal behaviour at, our venues; and
- implementing and enforcing our policies and procedures.
CCTV footage may be disclosed to third parties, such as:
- law enforcement agencies;
- third party service providers; or
- our third party claims management provider in connection with incidents. The claims manager may provide CCTV footage to its related entities as part of its ordinary claims management practices.
Accessing and Correcting your Personal Information
You can request access to or correction of the Personal Information we hold about you, by contacting us using our details in the “contact us” section below, or by completing a Request for Information Form, and providing it to a Mercy Community Person.
We will address such requests as soon as practicable, and usually within 28 days.
For Identified Services, under the Right to Information Act, you can also make a formal application to:
- access documents that contain your personal information
- amend documents that contain your personal information if you consider the information to be inaccurate, incomplete, out-of-date or misleading.
We may require you to verify your identity or the authority you have to request information if the information relates to someone other than yourself, before the access to Personal Information is granted.
Access may be denied in certain circumstances, such as where releasing the information would impact another person’s privacy or where legal restrictions apply. If we decide to refuse your request, we will tell you why in writing and how to complain.
Making a complaint
If there are concerns about a possible breach of the Privacy Act, APPs, QPPs or any related privacy code, a complaint can be made:
- verbally;
- in writing to the Privacy Officer using the contact details below.
If you have concerns about a possible breach of the Aged Care Act, a whistleblower disclosure can be made through our whistleblower process.
Upon receiving a complaint, we will confirm how we intend to address the issue as soon as reasonably practicable.
If the response is unsatisfactory, complaints can be escalated to the Office of the Australian Information Commissioner (OAIC). More information on lodging a complaint is available at oaic.gov.au/privacy/privacy-complaints.
For Identified Services, if the response is unsatisfactory, or you do not receive notification of the outcome of your complaint within 45 business days, the complaint may be referred to the Office of the Queensland Information Commissioner. More information on lodging a complaint is available here: Make a privacy complaint | Office of the Information Commissioner Queensland
Contact us
For any privacy-related queries, please contact:
Email: privacy@mercycommunity.org.au
Mail: ATTN: Privacy Officer
Mercy Community
PO Box 508
Lutwyche QLD 4030
Variation
We may update this policy, from time to time, to take account of changes to law or regulations and changes to our services or business operations.
Related documents
This policy should be read in conjunction with the following documents, legislation and other instruments:
- our Whistleblower Policy;
- Information Privacy Act;
- Right to Information Act;
- the Privacy Act; and
- the Aged Care Act and Rules.
