When reporting incidents online under the Serious Incident Response Scheme (SIRS), aged care providers must confirm that they have met the Collection Notice requirements under the federal Privacy Act. What is a Collection Notice and what are the associated requirements? Here’s what you need to know.

Privacy requirements and the Serious Incident Response Scheme (SIRS)

As mentioned in a previous Aged Care Essentials article, the SIRS is a national framework for incident management and reporting of serious incidents in residential aged care. From 1 April 2021, the SIRS required aged care providers to report Priority 1 incidents. From 1 October 2021, providers must also report certain less serious “Priority 2” incidents.

To meet your obligations under the SIRS, you will have to investigate incidents. This may involve collecting information from the people involved in, or affected by, the incident. Some of that information may be “personal information” or “sensitive information”. Personal and sensitive information is protected by privacy laws, and so, when you collect and use this information, you must meet certain requirements.

In the context of the SIRS, the SIRS Guidelines set out the key privacy requirement as follows:

“As part of your online notification of a SIRS reportable incident, you are required to confirm that you have provided a notice of collection (where appropriate) to any person affected by the incident for whom you have recorded personal or sensitive information.”

In other words, if you collect personal or sensitive information from a person as part of your SIRS investigation, you must take reasonable steps to provide the person with a collection notice.

What is “personal or sensitive information”?

The Privacy Act defines “personal information” as “information or an opinion about an identified individual, or an individual who is readily identifiable”. This is a very broad definition and includes just about any kind of written, spoken, photographed or other information about a particular person.

For example, in your facility you have a resident named Nancy Smith. The following things would qualify as “personal information” about Nancy:

• a photograph that clearly shows Nancy’s face
• a written record that says “Nancy Smith is 87 years old”
• a comment from a care worker that “Nancy has five grandchildren.”

The following things would NOT qualify as “personal information” about Nancy:

• a photograph in which Nancy is a blurry, unidentifiable figure in the background
• a report that says “Most of our residents are over the age of 85”
• a comment from a care worker that “some of our residents had a lot of visitors today”.

“Sensitive information” has a narrower definition than “personal information”. Sensitive information is a type of personal information that includes information about a particular person’s health, ethnicity, political opinion, sexual orientation or criminal record. The Privacy Act, and some state and territory legislation, usually require that this type of information be treated more carefully, in particular by letting people know exactly how this information will be used and to whom it will be disclosed.

What is a collection notice?

When you collect personal or sensitive information from a person you have to tell them what information you are collecting and why. This is known as a “collection notice”.

How and when do I give someone a collection notice?

By now you may be wondering, “Do I have to issue a collection notice every time I record someone’s name or take a photo of them?” The answer to that is: not quite.

When it comes to collecting personal information, you are only required to take reasonable steps to issue a collection notice. In some circumstances, this means you can issue a general notice to all of your residents in advance of collecting any information.

According to the Office of the Australian Information Commissioner, a notice may be issued “through a variety of formats, provided the matters are expressed clearly.” For example, you may be able to issue your notice of collection via signs, emails, pamphlets or through the conversations that staff have with residents. But bear in mind that you may need to be able to prove that you have issued a collection notice, so a written notice may be preferable.

Finally, note that when it comes to collecting most personal information which is required by law, such as SIRS information, you do not have to get a person’s consent. You must tell them that you are collecting their personal information, why you are collecting it and who (in broad terms) will have access to it, but you do not have to get their permission.

This can be different, however, when collecting information where it is not required by law and so the person has a choice as to whether to agree to it being collected. For example, taking someone’s image to put on your website would require their consent, while taking a photo of their injury for the purposes of writing a legally-required incident report usually would not. For sensitive information, the privacy requirements are more onerous, and you may have to get a person’s consent before you can use their information where there is no law requiring it to be collected or disclosed.

What should I include in the collection notice?

According to the Office of the Australian Information Commissioner, a collection notice will need to include important information such as:

• your contact details
• the facts, circumstances and purpose of collection (e.g., “we are collecting information about incidents to ensure we can fix problems and improve quality of care” or, more specifically, “we are collecting information about reportable incidents for the purposes of the SIRS”)
• if the collection was required or authorised by law (e.g., “collection of this information is required under the SIRS”)
• the consequences if personal information is not collected (e.g., “Without this information we may not be able to meet our SIRS obligations, keep track of incidents and make the necessary changes to fix problems and improve the quality of care”)
• guidance on how a person can make a complaint or access their personal information, (usually by referring to your privacy policy, e.g., “For more information about our privacy practices, including how to access or correct your personal information or make a privacy complaint, see the privacy policy available on our website or contact us by phone on….”)
• how and where to access your privacy policy.

What do I need to do now?

With the new requirement to report Priority 2 incidents commencing 1 October 2021, it is important to ensure that you have issued a collection notice to your residents. The notice should clearly explain what information you are collecting and why. The notice can be issued in advance of collection to all your residents however keep in mind that you may need to be able to prove that you have issued a collection notice, so a written notice is preferable.

Also note that collection notice requirements apply to many other areas outside of the SIRS context. For example: COVID-19 related data and investigation, complaints reporting and investigation.

Further Resources

• Department of Health: Serious Incident Response Scheme
• Serious Incident Response Scheme – Guidelines for residential aged care providers
• Effective incident management systems: Best practice guidance
• Quick Reference Guide: How to access and use the Serious Incident Response Scheme (SIRS) portal
• Aged Care Quality and Safety Commission: Frequently Asked Questions
• SIRS Learning Module on ALIS
• SIRS Guidelines for Residential Aged Care Providers
• APP 5 – Notification of the collection of personal information
• Aged Care Quality and Safety Commission Notice of Collection (Note: this is not guidance; it is the ACQSC’s own Notice of Collection in regard to how they treat the private information they get from others. It won’t tell you what is required in your Notice of Collection, but it is a useful example of what a Notice of Collection looks like).