Policy Attestation in Aged Care: What Providers Need to Know

13 April 2026 · 9 min read · Statura Care

Policy attestation is a foundational compliance requirement in aged care, yet it's frequently managed poorly — through paper forms filed away, or tracking spreadsheets that get lost in shared drives. When the ACQSC asks to see proof that all staff have read and understood the Code of Conduct, many providers scramble to find evidence.

Policy attestation serves two critical purposes: (1) it ensures workers understand the policies they're bound by, and (2) it creates documentary evidence of their acknowledgement. Under the Aged Care Act 2024 and Quality Standard 2 (The Organisation), this evidence is essential to demonstrate effective governance.

This guide covers what policy attestation is, which policies are mandatory, how it relates to the Code of Conduct, how to implement robust attestation workflows, and how to maintain compliance.

What is policy attestation?

Policy attestation is a formal, documented acknowledgement by a worker that they have read, understood, and agree to comply with an organisation's policies. Attestation typically requires the worker to sign (or electronically confirm) a statement like: 'I have read and understood the [Policy Name]. I acknowledge that I will comply with this policy in my role at [Organisation Name]. I understand that breach of this policy may result in disciplinary action.'

Attestation serves multiple purposes:

  • Legal compliance. The Aged Care Act 2024 and Code of Conduct requirements establish that workers must understand their obligations. Attestation creates documented proof that the worker was informed.
  • Governance. The ability to demonstrate that all staff have attested to mandatory policies is evidence of effective governance — supporting compliance with Quality Standard 2.
  • Risk management. If a compliance breach occurs (e.g., a worker breaches privacy by discussing residents on social media, or violates the Code of Conduct by being verbally abusive), the provider's documentation of prior attestation strengthens the case for disciplinary action and demonstrates the breach was not due to lack of awareness.
  • Induction completeness. Policy attestation is typically part of the induction process. Tracking attestations ensures inductions are completed comprehensively rather than abbreviated.

Attestation should be distinguished from training. A worker might complete a 2-hour Code of Conduct training course, but that doesn't mean they've signed the policy. Ideally, both occur together during induction, but attestation is the critical compliance requirement.

The Aged Care Code of Conduct

The Code of Conduct is a new, mandatory requirement introduced in the Aged Care Act 2024. All workers — from cleaners and kitchen staff to nurses and executive leadership — must acknowledge the Code within 30 days of commencing their role.

The Code of Conduct establishes expectations for worker behaviour across five domains:

  • 1. Respectful workplace conduct. Workers must treat colleagues with respect, work collaboratively, and maintain a workplace free from harassment, bullying, and discrimination. This extends to on-site social behaviour (how you speak to colleagues in the break room) and in some cases off-site conduct if it brings aged care into disrepute.
  • 2. Treating care recipients with dignity. Workers must respect the privacy, preferences, autonomy, and cultural identity of residents and clients. This includes using appropriate language (using their preferred names and pronouns), involving them in decisions about their care, and protecting them from humiliation.
  • 3. Protecting privacy and confidentiality. Workers must treat personal information about residents as confidential and comply with privacy laws. Common breaches include discussing residents with family or friends outside the facility, sharing stories on social media (even without names), and leaving residents' information visible to unauthorised people.
  • 4. Reporting concerns. Workers have an obligation to report concerns about safety, misconduct, or non-compliance — to their manager, or to external agencies like the ACQSC or police if internal reporting is insufficient. Organisations cannot retaliate against workers for reporting in good faith.
  • 5. Complying with laws and policies. Workers must comply with all applicable laws (Aged Care Act 2024, privacy laws, workplace health and safety, criminal law) and with their employer's policies.

Breaches of the Code of Conduct can result in disciplinary action up to termination. The ACQSC may also investigate Code of Conduct breaches and take regulatory action against the provider if systemic failures are identified.

Which policies must workers attest to?

Mandatory attestations vary slightly by state and role, but typically include:

  • All workers:
      - Code of Conduct
      - Confidentiality and Privacy policy
      - Workplace Health and Safety policy
      - Anti-discrimination, harassment and bullying policy
      - Incident reporting obligations (including SIRS)
      - Induction completion checklist
  • Care workers and managers:
      - Residents' rights and dignity policy
      - Infection prevention and control policy
      - Manual handling and body mechanics policy
      - Emergency procedures and evacuation policy
      - Responsible use of technology policy (email, internet, mobile devices)
  • Clinical staff (nurses, allied health):
      - Clinical governance policy
      - Medication safety policy
      - Restrictive practices policy (if applicable to the role)
      - Mandatory reporting obligations (child safety, elder abuse)
  • Management and supervisory staff:
      - Recruitment and selection policy
      - Performance management policy
      - Grievance and complaints handling policy
      - Governance and compliance policy

Best practice is to require attestation to ALL organisational policies that apply to a worker's role, not just mandatory legal requirements. This includes workplace-specific policies (uniforms, mobile device use, social media conduct) that support organisational culture and brand.

For contracted workers (cleaners, maintenance, catering contractors), minimum attestation should cover Code of Conduct, confidentiality, and incident reporting — even if they're not employed by the aged care organisation directly.

Implementing attestation during induction

Attestation is most effective when integrated into induction as a structured process:

  • Day 1–2 of induction: Worker reviews all applicable policies. This may be on-site (manager walks through key policies) or online (worker completes a policy review portal with knowledge checks).
  • Day 2–3: Worker completes mandatory training relevant to their role (induction training, Code of Conduct training, safety training).
  • Day 3–5: Worker formally attests to policies via signed form or digital acknowledgement. The attestation statement should explicitly reference the policy, the date, the worker's name, and include a statement like: 'I confirm that I have read, understood, and agree to comply with the [Policy Name] dated [date]. I acknowledge that breach may result in disciplinary action.'
  • Digital attestation platforms are preferable to paper. A digital system creates timestamped records (automatically showing when attestation occurred), prevents loss or misfiling, enables bulk reminder notifications (upcoming attestations), tracks completion rates for reporting, and integrates with induction workflows.

For workers who are difficult to engage with written policies (low English literacy, cognitive impairment), verbal induction with a manager may be necessary, but it should still be documented — include a note in the induction record: 'Policy attestation discussed verbally on [date] with [manager name]. Worker confirmed understanding of key policies [list].' This is not as robust as written attestation but is better than no evidence.

For remote or home care workers, digital attestation is essential. Paper-based attestation for field-based staff creates unmanageable logistical delays.

Ongoing attestation and policy updates

Attestation is not a one-time induction activity. Ongoing attestation is required when:

  • Policies are updated. If a policy is significantly changed, all affected workers must re-attest to acknowledge the changes. Minor updates (editorial changes, formatting) may not require re-attestation, but substantive changes (changes to procedures, new requirements) do.
  • Workers move to new roles. A worker transitioning from care assistant to care coordinator may have different role-specific policy obligations and should attest to new policies relevant to the new role.
  • Regulatory requirements change. If new mandatory policies are introduced (e.g., a new elder abuse prevention policy required by state legislation), all workers must attest to the new policy.
  • Periodic re-attestation. Some organisations require annual Code of Conduct re-attestation to keep the obligation top-of-mind. This is best practice but not universally mandatory under the Act.
  • After significant incidents. If a Code of Conduct breach occurs (e.g., a staff member is found to have breached confidentiality), the organisation may require all workers to re-attest to the confidentiality policy as a systemic response to prevent recurrence.

Tracking which policies have been updated and which workers need to re-attest is a governance function. Automated systems can flag when policy versions change, identify affected workers based on role, and send re-attestation reminders. Manual processes (spreadsheets tracking attestation dates) quickly become unreliable.

Managing non-compliance with attestation

Despite best efforts, some workers will not complete attestation on time. Common reasons include:

  • Induction delays. New workers may not start on the scheduled date, or inductions may be rescheduled. Tracking should flag overdue attestations.
  • Workers refusing attestation. Rarely, a worker may refuse to attest to the Code of Conduct or a key policy. This is a disciplinary matter — the worker is refusing to meet a fundamental employment condition.
  • Casual or agency workers. Casual staff may work infrequently and miss induction sessions. Agency workers may induct through the agency rather than the aged care provider.

Responses to non-compliance should be escalated:

  • 1–7 days overdue: Reminder notification to the worker and their manager.
  • 8–14 days overdue: Manager follows up directly with the worker. If there's a legitimate barrier (worker on leave, induction rescheduled), the manager documents this and adjusts the deadline. If the worker is avoiding attestation, the manager should discuss and encourage completion.
  • 14+ days overdue: Escalation to HR or management. If a worker continues to refuse attestation after discussion, this may warrant formal performance management or disciplinary action. A worker cannot remain in post indefinitely without attesting to mandatory policies.
  • For Code of Conduct specifically, the ACQSC expects 100% attestation within 30 days of commencement. A significant percentage of workers without Code of Conduct attestation is a governance failure that will be flagged during assessment.

Robust attestation compliance also requires that dismissals and resignations trigger prompt removal from attestation tracking — you don't want compliance reports showing non-compliance for workers who've already left.

Attestation and ACQSC compliance

The ACQSC assesses attestation compliance as part of Quality Standard 2 (The Organisation) — specifically, as evidence that the organisation has effective governance systems ensuring workers understand and comply with policies.

During assessment contacts, the ACQSC may request:

  • A list of all current workers with their Code of Conduct attestation dates
  • Copies of policies and the attestation forms used
  • Evidence of how the organisation ensures new workers attest within 30 days
  • Evidence of management responses to workers with overdue attestations
  • For any Code of Conduct breaches identified, evidence that the breach was addressed through disciplinary process

Providers who cannot readily produce these records (because attestations are paper-based and scattered across personnel files, or tracked in multiple spreadsheets) are demonstrating weak governance.

Providers with automated attestation systems can generate compliance reports within minutes: 'As of [date], 98.7% of all workers have current Code of Conduct attestation. 2 workers have overdue attestations (casual staff on leave); expected compliance date [date]. No overdue attestations >30 days.' This is the evidence the ACQSC expects.

How Statura Care supports policy attestation

Statura Care's Workforce module includes automated policy attestation management:

  • Policy management. Organisations can upload and manage all policies in a centralised system, track version history, set activation dates for new policies, and automatically notify affected workers when policies are updated.
  • Induction workflows. Attestation is integrated into the induction process. New workers' inductions automatically include policies based on their role, with knowledge checks to verify understanding before attestation.
  • Attestation tracking. Real-time dashboards show attestation status by worker, role, and facility. Green = all policies attested. Amber = some policies overdue. Red = critical policies (Code of Conduct) overdue.
  • Automated reminders. Workers receive automated reminders for upcoming and overdue attestations. Managers receive escalation notifications when workers have been overdue >7 days or >14 days.
  • Audit-ready reports. One-click reports show all workers' attestation status as of any date, policy version and effective dates, workers with lapsed attestations, and timeline compliance against the 30-day Code of Conduct requirement.
  • Integration with discipline. If a worker breaches a policy they've attested to, the system can generate a record showing attestation date and terms, supporting disciplinary action.

Policy attestation is one of 29 modules in Statura Care's aged care compliance platform covering the Aged Care Act 2024. Book a demo to see how attestation workflows integrate with your induction and workforce management processes.

Frequently Asked Questions

What is policy attestation in aged care?
Policy attestation is the formal acknowledgement by workers that they have read, understood, and agree to comply with an aged care provider's policies. This includes Code of Conduct policies, safety protocols, confidentiality obligations, and mandatory training certifications. Attestation provides evidence of worker awareness and compliance.

Which policies must workers attest to?
All workers must attest to the Code of Conduct, workplace behaviour policies, confidentiality and privacy policies, incident reporting obligations, and mandatory training completion (induction, cultural safety, elder abuse prevention, health and safety). Providers may also require attestation to specific clinical policies depending on the worker's role.

What is the aged care Code of Conduct?
The Code of Conduct is a mandatory statement of expected behaviour for aged care workers, established under the Aged Care Act 2024. It covers respectful workplace conduct, treating residents with dignity, protecting privacy, reporting concerns, and maintaining professional standards. All workers must acknowledge the Code within 30 days of commencement.

How does the ACQSC assess policy attestation compliance?
During assessment contacts, the ACQSC reviews worker records to verify that all current staff have current attestations for the Code of Conduct and mandatory policies. Missing or outdated attestations are compliance failures that may result in notices or enforcement action.

What happens if a worker refuses to attest to a policy?
Refusal to attest to mandatory policies such as the Code of Conduct is a disciplinary matter. The provider should document the refusal, counsel the worker, and potentially initiate performance management if the worker continues to refuse. Continued refusal may lead to termination.
