Data Security Requirements for Aged Care Providers

25 February 2026 · 9 min read · Statura Care

Aged care providers hold some of the most sensitive personal information in Australia: residents' names, dates of birth, medical histories, financial information, and contact details for families and support persons. A data breach — whether through cybercriminal attack, employee negligence, or system failure — can expose residents to identity theft, fraud, or harm, and exposes the provider to regulatory action and reputational damage.

The Aged Care Act 2024 and the Australian Privacy Act establish data security and privacy obligations. Beyond these, providers must comply with My Aged Care data governance requirements and should implement security standards aligned with the Australian Government's Information Security Manual and industry best practice.

Information governance framework

Information governance is the structure and accountability for how an organisation creates, uses, stores, and disposes of information. A robust information governance framework includes: a data inventory (what information do we hold, where, for how long), a privacy policy that explains how resident data is used, a data retention schedule specifying how long different types of information are kept, roles and responsibilities for data management, and training for all staff on data handling.

Privacy obligations under Australian law

The Privacy Act 1988 (Cth) applies to aged care providers. It establishes the Australian Privacy Principles (APPs), which include collecting only the information reasonably necessary for the provider's functions, using or disclosing it only for the primary purpose of collection (secondary purposes need the individual's consent, or must be related purposes the individual would reasonably expect), keeping it secure, and giving individuals the right to access and correct it. Health information is "sensitive information" under the Act, so the stricter collection and disclosure rules apply to most of what a provider holds.

For aged care, the critical privacy obligations are: collect only information necessary for the care plan and management of the service; use resident information only for care and service management (not for marketing or other purposes without consent); ensure information is accurate and up-to-date; store information securely; and allow residents (or their representatives) to access their information.

Providers must have a process for responding to privacy complaints and data access requests. Complaints may come to the provider directly, to the Office of the Australian Information Commissioner (OAIC) under the Privacy Act, or to the Aged Care Quality and Safety Commission (ACQSC) as part of a broader complaint about the service, and providers should be able to demonstrate compliance to either regulator.

Data breach notification obligations

The Privacy Act's Notifiable Data Breaches scheme applies when personal information is accessed, disclosed or lost without authorisation, the incident is likely to result in serious harm to any affected individual, and the provider has not been able to prevent that harm through remedial action. A provider that only suspects such a breach has 30 days to assess whether it is one. Once it is, affected individuals must be notified as soon as practicable; the notification must describe what information was involved, what happened, what steps the individual can take to protect themselves, and what the provider is doing in response.

The OAIC must be notified of every eligible data breach, regardless of how many individuals are affected; the statement to the Commissioner covers the same content as the notice to individuals. Internal procedures should specify who is responsible for breach detection, escalation, assessment, notification, and investigation. The 30-day assessment clock starts when the provider becomes aware of grounds to suspect a breach, not when the investigation is convenient.

My Aged Care data governance

Providers who participate in My Aged Care (the government's referral system for aged care services) must comply with My Aged Care data governance requirements. This includes using My Aged Care credentials securely, reporting any suspected security incidents to the My Aged Care operator, and maintaining audit trails of access to My Aged Care data.

Many providers treat My Aged Care as a simple referral system, not realising that failure to secure My Aged Care access can result in unauthorised access to resident contact information and care assessment data. Staff should be trained on secure password practices, multi-factor authentication where available, and escalation of security concerns.

System security and Australian hosting

Aged care providers increasingly use cloud-based systems for clinical records, care planning, and administrative functions. When selecting these systems, providers should verify that: the system and its backups are hosted in Australia (not offshore, and ask where support staff access it from), the hosting provider is security-certified (ISO 27001 or equivalent; check that the certificate's stated scope actually covers the service and data centre being offered, since ISO 27001 certifies a management system within a defined scope rather than a product), data is encrypted in transit (using TLS/HTTPS) and at rest, access is controlled through role-based permissions, and audit trails capture all access, including reads, not just changes.
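As an added example (not code from the original page or from Statura Care), the following Go program shows what "audit trails capture all access" should make possible: reading an access log and flagging the two patterns a provider most needs to catch, bulk browsing of many residents' records by one account and exports outside business hours. The log format, the field names, the 07:00 to 19:00 window and the five-residents-per-day threshold are all assumptions made for this example, and the log lines are constructed sample data.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// AuditEvent is one access-log record. The field layout (time, user, action, resident)
// is an assumption made for this example; real platforms use their own schema.
type AuditEvent struct {
	When     time.Time
	User     string
	Action   string // "view", "edit" or "export"
	Resident string
}

// sampleLog is constructed sample data, not output from a real system. nurse.a shows a
// normal pattern; admin.b reads many residents within seconds and then exports late at night.
const sampleLog = `2026-02-10T09:12:04+11:00 nurse.a view R-1001
2026-02-10T09:14:30+11:00 nurse.a edit R-1001
2026-02-10T09:40:11+11:00 nurse.a view R-1002
2026-02-10T14:05:47+11:00 nurse.a view R-1003
2026-02-10T22:02:55+11:00 admin.b view R-1001
2026-02-10T22:03:01+11:00 admin.b view R-1002
2026-02-10T22:03:09+11:00 admin.b view R-1003
2026-02-10T22:03:15+11:00 admin.b view R-1004
2026-02-10T22:03:22+11:00 admin.b view R-1005
2026-02-10T22:03:30+11:00 admin.b view R-1006
2026-02-10T22:03:38+11:00 admin.b view R-1007
2026-02-10T22:03:44+11:00 admin.b view R-1008
2026-02-10T22:41:09+11:00 admin.b export R-1008
`

// ParseAuditLog turns whitespace-separated lines into events. A malformed line is an error,
// not something to skip silently: an audit trail with holes is itself a finding.
func ParseAuditLog(raw string) ([]AuditEvent, error) {
	var events []AuditEvent
	sc := bufio.NewScanner(strings.NewReader(raw))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 4 {
			return nil, fmt.Errorf("line %d: expected 4 fields, got %d", n, len(f))
		}
		when, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: bad timestamp: %w", n, err)
		}
		events = append(events, AuditEvent{When: when, User: f[1], Action: f[2], Resident: f[3]})
	}
	return events, sc.Err()
}

// FindAnomalies applies two rules and returns one finding per hit:
//   - a user touching more than maxResidentsPerDay distinct resident records in one day
//     (bulk browsing is how a curious or compromised account harvests data);
//   - any export outside 07:00-19:00 in the log's local time.
// Both thresholds are assumptions for this example; tune them to the service's real workload.
func FindAnomalies(events []AuditEvent, maxResidentsPerDay int) []string {
	type userDay struct{ user, day string }
	seen := map[userDay]map[string]bool{}
	var findings []string
	for _, e := range events {
		key := userDay{e.User, e.When.Format("2006-01-02")}
		if seen[key] == nil {
			seen[key] = map[string]bool{}
		}
		seen[key][e.Resident] = true
		if e.Action == "export" && (e.When.Hour() < 7 || e.When.Hour() >= 19) {
			findings = append(findings, fmt.Sprintf("%s exported %s at %s, outside business hours",
				e.User, e.Resident, e.When.Format("15:04")))
		}
	}
	for key, residents := range seen {
		if len(residents) > maxResidentsPerDay {
			findings = append(findings, fmt.Sprintf("%s accessed %d distinct residents on %s (threshold %d)",
				key.user, len(residents), key.day, maxResidentsPerDay))
		}
	}
	sort.Strings(findings) // deterministic order for reports
	return findings
}

func main() {
	events, err := ParseAuditLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range FindAnomalies(events, 5) {
		fmt.Println("FINDING:", f)
	}
}
```

Run against the sample, it reports admin.b twice: once for reading eight residents in one day and once for the 22:41 export. The same two rules applied to a real export of the platform's audit trail are a cheap weekly check that a provider can actually evidence to a regulator.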

For particularly sensitive information (such as financial details, enduring powers of attorney), additional security controls — such as multi-factor authentication, additional encryption, or offline storage — should be considered.

Providers should also maintain secure practices for less obvious systems: email servers, shared drives, backup systems, and paper files. A breach can occur through any of these channels.

Encryption standards and secure configuration

Sensitive data should be encrypted using algorithms recognised by cybersecurity agencies: AES-256 for data at rest and TLS 1.2 or later (preferably 1.3) for data in transit, with older protocol versions and weak cipher suites disabled. Encryption keys should be managed securely: stored separately from the data they protect (in a key management service or hardware security module rather than in application configuration or next to the database), restricted to the services that need them, rotated on a schedule, with every use logged, and backed up so that losing a key does not mean losing every record it protects.
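The following Go program is an added example, not code from the page or from any product it mentions. It shows one way to meet the "AES-256 at rest, keys managed separately" requirement with the standard library: each record is encrypted under its own data key with AES-256-GCM, that data key is wrapped under a master key held elsewhere, the record ID is bound as associated data so a ciphertext copied onto another resident's record fails to decrypt, and rotating the master key re-wraps only the small key blob rather than re-encrypting the data. The function names, record layout and sample plaintext are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedRecord is what is stored with the resident record. The master key (KEK) that
// unwraps WrappedKey lives in a separate key store or HSM and is never written next to the data.
type EncryptedRecord struct {
	WrappedKey []byte // per-record data key (DEK), AES-256-GCM under the KEK, nonce prepended
	Ciphertext []byte // the record itself, AES-256-GCM under the DEK, nonce prepended
}

// newGCM builds an AES-GCM AEAD; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts with a fresh random nonce and returns nonce||ciphertext||tag.
// aad is authenticated but not encrypted; it is used here to bind the blob to a record ID.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; any change to nonce, ciphertext, tag or aad makes it fail.
func openGCM(key, blob, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// EncryptRecord generates a fresh DEK for this record, encrypts the record under it, and
// wraps the DEK under the KEK. Both blobs carry recordID as associated data.
func EncryptRecord(kek []byte, recordID string, plaintext []byte) (EncryptedRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return EncryptedRecord{}, err
	}
	ct, err := sealGCM(dek, plaintext, []byte(recordID))
	if err != nil {
		return EncryptedRecord{}, err
	}
	wk, err := sealGCM(kek, dek, []byte(recordID))
	if err != nil {
		return EncryptedRecord{}, err
	}
	return EncryptedRecord{WrappedKey: wk, Ciphertext: ct}, nil
}

// DecryptRecord unwraps the DEK with the KEK, then opens the record with the DEK.
func DecryptRecord(kek []byte, recordID string, rec EncryptedRecord) ([]byte, error) {
	dek, err := openGCM(kek, rec.WrappedKey, []byte(recordID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return openGCM(dek, rec.Ciphertext, []byte(recordID))
}

// RewrapRecord rotates the master key: only the wrapped DEK is re-encrypted, the resident
// data is untouched, which is what makes scheduled KEK rotation affordable at scale.
func RewrapRecord(oldKEK, newKEK []byte, recordID string, rec EncryptedRecord) (EncryptedRecord, error) {
	dek, err := openGCM(oldKEK, rec.WrappedKey, []byte(recordID))
	if err != nil {
		return EncryptedRecord{}, err
	}
	wk, err := sealGCM(newKEK, dek, []byte(recordID))
	if err != nil {
		return EncryptedRecord{}, err
	}
	return EncryptedRecord{WrappedKey: wk, Ciphertext: rec.Ciphertext}, nil
}

func main() {
	kek := make([]byte, 32) // production: fetched from a KMS/HSM, never hard-coded or stored with the data
	rand.Read(kek)
	rec, _ := EncryptRecord(kek, "R-1001", []byte("allergies: penicillin")) // constructed sample
	pt, _ := DecryptRecord(kek, "R-1001", rec)
	fmt.Println("decrypted:", string(pt))
	_, err := DecryptRecord(kek, "R-1002", rec)
	fmt.Println("same blob under another resident's ID:", err)
}
```

Two properties matter for the "backed up appropriately" point: the KEK backup lives with the key store, not with the database backup, so that a stolen database dump is still unreadable; and because every record has its own DEK, a single compromised key exposes one record, not the whole system.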

Systems should be configured securely: default passwords changed, unnecessary services disabled, security patches applied regularly, and firewalls appropriately configured. Providers should implement a patch management process that ensures security updates are applied promptly across all systems.

Multi-factor authentication should be required for staff access to clinical and financial systems, and for any remote or administrative access; phishing-resistant methods (security keys or passkeys) are preferable to SMS codes. This is a relatively simple control that significantly reduces unauthorised access risk.

Staff training and security culture

Many data breaches result from human error — staff clicking phishing links, sharing passwords, or accidentally sending information to the wrong recipient. Annual security awareness training for all staff is essential.

Training should cover: recognising phishing and social engineering, secure password practices, appropriate handling of resident information, incident reporting procedures, and consequences of data breaches. Creating a security culture where staff understand that data security is everyone's responsibility helps embed secure practices.

Disaster recovery and business continuity

Data security includes ensuring that data is protected against loss. Providers should have a backup and disaster recovery plan that ensures clinical and financial data can be recovered if systems fail or are compromised, with at least one copy kept offline or immutable so that ransomware that reaches the live systems cannot also destroy the backups. Backups should be tested regularly by actually restoring them and checking the result, not just by confirming that the backup job ran.
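As an added example (not from the page or from Statura Care), this Go program shows what "tested regularly to ensure they can actually be restored" means in practice: a SHA-256 manifest is taken at backup time and stored separately from the backup, and after a test restore every file is re-hashed and compared, so that a missing, truncated or tampered file is reported during the drill rather than discovered during an outage. The directory layout and file contents are constructed sample data, and the function names are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Manifest walks dir and returns relative path -> SHA-256 of contents for every regular file.
// It is taken when the backup is made and kept apart from the backup media.
func Manifest(dir string) (map[string]string, error) {
	m := map[string]string{}
	err := filepath.WalkDir(dir, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() {
			return nil
		}
		data, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		rel, err := filepath.Rel(dir, p)
		if err != nil {
			return err
		}
		sum := sha256.Sum256(data)
		m[filepath.ToSlash(rel)] = hex.EncodeToString(sum[:])
		return nil
	})
	return m, err
}

// VerifyRestore compares a restored tree against the manifest recorded at backup time and
// returns one line per problem: files missing from the restore, files whose contents differ,
// and unexpected extras. An empty result means the restore reproduced the backup exactly.
func VerifyRestore(expected map[string]string, restoredDir string) ([]string, error) {
	actual, err := Manifest(restoredDir)
	if err != nil {
		return nil, err
	}
	var problems []string
	for path, want := range expected {
		got, ok := actual[path]
		switch {
		case !ok:
			problems = append(problems, "missing: "+path)
		case got != want:
			problems = append(problems, "corrupt: "+path)
		}
	}
	for path := range actual {
		if _, ok := expected[path]; !ok {
			problems = append(problems, "unexpected: "+path)
		}
	}
	sort.Strings(problems)
	return problems, nil
}

// writeTree creates constructed sample files for the demonstration (not real resident data).
func writeTree(dir string, files map[string]string) error {
	for name, body := range files {
		p := filepath.Join(dir, name)
		if err := os.MkdirAll(filepath.Dir(p), 0o700); err != nil {
			return err
		}
		if err := os.WriteFile(p, []byte(body), 0o600); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	live, _ := os.MkdirTemp("", "live")
	restored, _ := os.MkdirTemp("", "restored")
	defer os.RemoveAll(live)
	defer os.RemoveAll(restored)
	files := map[string]string{
		"care-plans/R-1001.json": `{"resident":"R-1001","mobility":"assisted"}`,
		"medications/R-1001.csv": "date,drug,dose\n2026-02-10,paracetamol,500mg\n",
	}
	writeTree(live, files)
	manifest, _ := Manifest(live)
	// Simulate a restore that lost the medication chart and truncated the care plan.
	writeTree(restored, map[string]string{"care-plans/R-1001.json": `{"resident":"R-1001"`})
	problems, _ := VerifyRestore(manifest, restored)
	if len(problems) == 0 {
		fmt.Println("restore verified")
	}
	for _, p := range problems {
		fmt.Println("PROBLEM:", p)
	}
}
```

The manifest must not travel with the backup it describes: if both sit on the same volume, ransomware or a failing disk takes both, and the check proves nothing. Record the restore drill's output with the date and the operator's name, since that record is the evidence a regulator will ask for.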

For aged care, loss of clinical data (resident care plans, medication records) is not just a security issue — it is a safety issue. Redundancy and recovery planning should be proportionate to the criticality of the data.

How Statura Care helps

Statura Care is hosted in Australia with ISO 27001 security certification. For full details, see the Security & Data Protection page. All resident data is encrypted in transit (TLS) and at rest (AES-256). Access to resident information is role-based and audit-trailed: every view, edit, or export of resident data is logged with timestamp and user details.

The platform includes privacy settings allowing residents (or their representatives) to control who can view different types of information, supports multi-factor authentication for staff access, includes automated data retention and secure deletion, and generates audit reports showing data access patterns. The Data Governance module provides templates for privacy policies, data retention schedules, and breach response procedures, enabling providers to demonstrate privacy and security compliance to residents and regulators. Data security is built into every layer of Statura Care's aged care compliance software.

Stop chasing compliance. Start proving it.

Start with Essentials — 11 compliance modules, 30-day free trial, no credit card required. Book a demo for Clinical and Enterprise tiers.

Not sure where to start? Take our free compliance assessment →