Home | Databases | WorldLII | Search | Feedback Australian Parliamentary Joint Committee on Human Rights

Aged Care Quality and Safety Commission Amendment (Code of Conduct and Banning Orders) Rules 2022 [F2022l01457] [2023] AUPJCHR 24 (8 March 2023)

Aged Care Quality and Safety Commission Amendment (Code of Conduct and Banning Orders) Rules 2022 [F2022L01457]^[1]

2.67 The committee requested a response from the minister in relation to the legislative instrument in Report 1 of 2023.^[2]

Information gathering powers and other compliance action powers

2.68 This legislative instrument amends the Aged Care Quality and Safety Commission Rules 2018 to establish the Code of Conduct for Aged Care (Code of Conduct).^[3] The Code of Conduct establishes minimum standards of conduct for approved providers and their aged care workers and governing persons (such as treating people with dignity and respecting their rights, providing appropriate care and supports and acting with integrity).

2.69 It also provides (section 23BD) that the Aged Care Quality and Safety Commissioner (the Commissioner) may take certain actions in relation to compliance with the Code of Conduct, including in relation to compliance by an individual who is, or was, an aged care worker or a governing person of an approved provider. The Commissioner may take various actions, including: discussing compliance issues with any person; requesting information or documents from any person; carrying out an investigation; referring information about the compliance to another person or body; and taking any other action considered reasonable in the circumstances.^[4] It appears the Commissioner's powers under section 23BD of this instrument may not be enforceable under this instrument – but the Aged Care Quality and Safety Commission Act 2018 makes it an offence for a person to fail to comply with a notice given by the Commissioner to answer questions or provide information or documents.^[5]

Summary of initial assessment

Preliminary international human rights legal advice

Right to health; rights of persons with disability; and right to privacy

2.70 Insofar as taking action in relation to compliance with the Code of Conduct helps to ensure that aged care workers provide care, support and services in accordance with the Code, this measure appears to promote the rights to health and, as many people in aged care live with disability, the rights of persons with disability. The right to health is the right to enjoy the highest attainable standard of physical and mental health. The right to health requires available, accessible, acceptable and quality health care. The right to be free from all forms of violence, abuse and exploitation in article 16 of the Convention on the Rights of Persons with Disabilities requires that States Parties shall take all appropriate legislative, administrative, social, educational and other measures to protect persons with disabilities, both within and outside the home, from all forms of exploitation, violence and abuse. Further, '[i]n order to prevent the occurrence of all forms of exploitation, violence and abuse, States Parties shall ensure that all facilities and programmes designed to serve persons with disabilities are effectively monitored by independent authorities'.

2.71 However, by providing that the Commissioner may take compliance action that includes carrying out an investigation and requesting information or documents, this measure also engages and limits the right to privacy. The right to privacy includes respect for informational privacy, including the right to respect for private and confidential information, particularly the storing, use and sharing of such information. It also includes the right to control the dissemination of information about one's private life.

2.72 The right to privacy may be subject to permissible limitations which are provided by law and are not arbitrary. In order for limitations not to be arbitrary, the measure must pursue a legitimate objective and be rationally connected to (that is, effective to achieve) and proportionate to achieving that objective.

2.73 Protecting the safety of vulnerable aged care recipients is a legitimate objective for the purposes of international human rights law, and taking action to enforce the Code of Conduct appears to be rationally connected to (that is, likely to be effective to achieve) that objective. The key question is whether the information gathering measures are proportionate.

Committee's initial view

2.74 The committee considered that taking action to ensure compliance by aged care workers and providers with the Code of Conduct promotes the rights to health and, as many people in aged care live with disability, the rights of persons with disability. The committee considered that establishing broad information gathering and sharing powers for the Commissioner to enforce the Code also engages and limits the right to privacy, and sought the minister's advice in relation to:

(a) whether and how these information gathering powers would be circumscribed;

(b) what threshold would be required to be met before the Commissioner may exercise these powers;.

(c) what safeguards would apply to protect information that has been collected and shared (including what happens once personal information has been collected and shared, how it is required to be stored, and whether it is required to be destroyed after a certain period); and

(d) whether other, less rights-restrictive alternatives would be effective to achieve the same objective.

2.75 The full initial analysis is set out in Report 1 of 2023.

Minister's response^[6]

2.76 The minister advised:

Whether and how these information gathering powers would be circumscribed
The Code of Conduct for Aged Care (Code) began on 1 December 2022. The Code, contained within the Code and Banning Orders Instrument, sets out the minimum standards of behaviour for approved providers, their aged care workers and governing persons in order to help build confidence in the safety and quality of care for older Australians. The Commission is responsible for monitoring and compliance of the Code.
As the committee notes, protecting the safety of vulnerable aged care recipients is a legitimate objective for the purposes of international human rights law, and taking action to enforce the Code is rationally connected to that objective.
The Aged Care Quality and Safety Commissioner (Commissioner) may become aware of issues relating to compliance with the Code through a range of different mechanisms, including complaints processes, SIRS reportable incident notifications and referrals from other regulators (for example the National Disability Insurance Scheme Quality and Safeguards Commission (NDIS Commission) and the Australian Health Practitioner Regulation Agency).
Once a decision has been made that a particular action, such as the use of information gathering powers, is appropriate in the circumstances to deal with compliance with the Code, the Commission will, as always, ensure that all relevant legislative requirements are adhered to in exercising powers or functions. This includes having due regard to procedural fairness, in accordance with section 23BG of the Code and Banning Orders Instrument and administrative law principles, to ensure that any action can be effectively taken and is legally defensible. For example, decision makers will make their decisions based on relevant considerations, will act in a manner that affords procedural fairness to those affected by a decision, and will explain those decisions in a clear way that people can understand.
The Department has advised that Section 23BG was inserted following consultation on the exposure draft of the Code and Banning Orders Instrument and explicitly states that the Commissioner must have due regard to the rules of procedural fairness in taking action under Division 3 of the Code and Banning Orders Instrument.
These provisions provide acceptable legislative safeguards for approved providers, their aged care workers and governing persons throughout a Code compliance investigation and any other regulatory action that may be taken as a result of the outcome of such an investigation. This is supported by the Commission's internal operational policies and processes, which outline what decision-makers should consider in deciding whether to exercise a power or function, as well as any mandatory requirements or preferred/expected policy positions relating to the exercising of a specific power or function.
Section 76(1B) of the Aged Care Quality and Safety Commission Act 2018 (Commission Act) provides that the Commissioner must not delegate a function or power to a person under section 76(1) or (1A) unless the Commissioner is satisfied that the person has suitable training or experience to properly perform the function or exercise the power. Having regard to the requirement in section 76(1B) of the Commission Act, the Commissioner has delegated their power under section 23BE of the Aged Care Quality and Safety Commission Rules 2018 (Commission Rules) to Senior Executive Service Band 1, Executive Level 2 and Executive Level 1 Commission staff only. Through appropriate recruitment and performance management processes, there is ongoing oversight to ensure officers at these levels have suitable training and experience to perform their function.
The Commissioner's information gathering powers are also circumscribed by the Commission's statutory obligations under the Privacy Act 1988 (Privacy Act) and the Australian Privacy Principles (APPs). The Commission's Privacy Policy (Privacy Policy) states that the Commission will only collect the information it needs for the function or activity being carried out, in accordance with APP 3. Further, in compliance with APP 6, the Privacy
Policy provides that the Commission will generally only use and disclose personal information for the particular purpose for which it was collected and will not otherwise use or disclose personal information for another purpose unless the person's consent has been obtained, or the use or disclosure is permitted under the Privacy Act.
What threshold would be required to be met before the Commissioner may exercise these powers
The Commission manages non-compliance and potential non-compliance with the Code in accordance with the Commission's Compliance and Enforcement Policy. Consistent with this policy, the Commission takes a risk-based approach and responds in a way that is proportionate to the risks that the non-compliance or potential non-compliance poses to the safety, health, wellbeing and quality of life of aged care recipients.
The Commission's Compliance and Enforcement Policy notes that when potential noncompliance is identified, there may not initially be enough evidence to determine whether there is compliance or non-compliance, the extent of the non-compliance and/or the appropriate compliance response. In such circumstances, it may be necessary and appropriate for the Commission to use its information gathering powers, including those under section 23BD of the Code and Banning Orders Instrument, to obtain further information to be able to make a determination about non-compliance with the Code. This process supports procedural fairness as the worker will be offered an opportunity to respond to the matter. Decision-makers are responsible for determining all material questions of fact and basing each finding of fact on relevant supporting material.
Disclosure by the Commission of personal information relating to compliance with the Code may be necessary and appropriate, for example, because the personal information:
• promotes the safety and rights of other persons
• relates to the regulatory functions of another entity (for example another regulator
• such as the NDIS Commission) and is required by the other entity to exercise their powers or perform their functions
• is required by an approved provider to take appropriate action in relation to compliance with the Code by their aged care worker or governing person (as authorised by section 23BD(3)(a) of the Code and Banning Orders Instrument).
What safeguards would apply to protect information that has been collected and shared (including what happens once personal information has been collected and shared, how it is required to be stored, and whether it is required to be destroyed after a certain period)
The Commission has statutory obligations that it must comply with in relation to the collection, use, storage and disclosure of personal information under the Privacy Act, the APPs and the Archives Act 1983. The Privacy Policy outlines the personal information handling practices and expectations.
As noted above, the Privacy Policy states that the Commission will generally only use and disclose personal information for the particular purpose for which it was collected. The Commission also states in its Privacy Policy that it will not otherwise use or disclose personal information for another purpose unless it obtains the person's consent, or the use or disclosure is permitted under the Privacy Act. This is all in accordance with APP 6.
In relation to the storage and security of personal information, the Privacy Policy outlines the safeguards implemented by the Commission to protect personal information in its holdings against misuse, interference and loss, and from unauthorised access, modification or disclosure. The Privacy Policy also notes that when no longer required, the Commission destroys or archives personal information in a secure manner and as permitted by relevant legislation, including the Privacy Act and the Archives Act 1983. These personal information handling practices of the Commission are in compliance with its obligations under APP 11.
Further, as noted in the explanatory statement, the Commission and its staff are bound by legislative provisions in the Commission Act that regulate handling of 'protected information' collected by the Commission in carrying out its functions. All personal information, including sensitive information, acquired under or for the purposes of the Commission Act or the Aged Care Act 1997 (Aged Care Act) is protected information for the purposes of those Acts. A breach of the protected information provisions under either Act is an offence, punishable by 2 years imprisonment. The existing penalties for misuse and unauthorised disclosure of protected information under the Commission Act and the Aged Care Act will protect and ensure safe handling of the information collected by the Commission.
Whether other, less rights-restrictive alternatives would be effective to achieve the same objective
The collection, use and disclosure of personal information relating to compliance with the Code is necessary and appropriate because the personal information:
• is directly related to the performance of the Commissioner's Code functions under section 16(da) of the Commission Act (and more broadly, the Commissioner's function under section 16(a) to protect and enhance the safety, health, wellbeing and quality of life of aged care recipients). The Code functions of the Commissioner are outlined in section ISA of the Commission Act and provide a function for the Commissioner to take action in relation to compliance with the Code by approved providers, and their aged care workers and governing persons, and to do anything else relating to that matter as specified in the Commission Rules
• the use of the personal information will relate to an actual, alleged or suspected instance of non-compliance with the Code by an approved provider or their aged care worker or governing person.
It is important for the Commissioner to be able to collect, use and disclose information, including personal information, as part of investigating alleged breaches of the Code in order to be able to effectively investigate and ascertain whether a breach has occurred and where a breach has occurred, to ensure that appropriate action is taken to protect aged care recipients.
The Commissioner's discretion in taking certain actions (including information gathering and sharing) in relation to compliance with the Code is necessary to ensure that the Commissioner can take the most reasonable action allowable to protect the health, safety and wellbeing of aged care recipients, noting that any actions are in accordance with the Commission Rules, the Commission Act, other relevant legislation and the principles of administrative law. If the Commissioner's discretion was limited, the Commissioner's ability to protect the health, safety and wellbeing of aged care recipients could be limited and could potentially cause harm.
The Commission's information gathering and sharing powers under the Code and Banning Orders Instrument are therefore proportionate having regard to the above. There are no effective less rights-restrictive alternatives available for the Commission to achieve the same objective.

Concluding comments

International human rights legal advice

2.77 A key factor in assessing proportionality is whether the information gathering measures are sufficiently circumscribed.^[7] In this regard, the minister advised that the Commissioner will exercise their powers in accordance with all relevant legislative requirements and have due regard to procedural fairness and administrative law principles. The minister stated that the Commission's internal operational policies and processes outline what decision-makers should consider in deciding whether to exercise a power or function as well as any mandatory requirements or preferred/expected policy positions relating to the exercise of a specific power or function. The minister also stated that the Commissioner's information gathering powers are circumscribed by the Commission's statutory obligations under the Privacy Act 1988 (Privacy Act) and the Australian Privacy Principles (APPs) as well as the Commission's privacy policy.

2.78 The minister advised that the information-gathering powers may be exercised when a potential non-compliance with the Code is identified and the Commissioner requires further information to determine compliance, the extent of any non-compliance and/or the appropriate compliance response. The circumstances when disclosure of personal information relating to compliance may be necessary and appropriate include: to promote the safety and rights of other persons; where another entity, such as the NDIS Commission, requires the information to exercise their powers or perform their functions; or where an approved provider requires the information to take appropriate action in relation to the non-compliance.

2.79 The Commission's internal operational policies and processes may assist to circumscribe the Commissioner's information-gathering powers in practice. For example, the Commission's Compliance and Enforcement Policy appears to provide the Commissioner with some guidance as to the scope and manner in which the information-gathering powers should be exercised. It states that the 'question to be decided is whether, based on logically supporting material, the decision-maker is reasonably satisfied that the provider has not complied with the Code or is not complying with one or more of its responsibilities'.^[8] However, the circumstances in which the information gathering powers should be exercised, and the threshold that is required to be met, before the Commissioner takes action in relation to compliance, are not specified in the legislative instrument itself. There is no requirement in the instrument, for example, for the Commissioner to reasonably suspect non-compliance before exercising their information gathering powers. As it is currently drafted, the measure confers on the Commissioner a broad discretion to take any action they consider reasonable in the circumstances in relation to compliance by an approved provider or an individual who is or was an aged care worker or governing person of an approved provider (noting there is no time limit restricting how long ago a person may have been employed in the aged care sector and remain liable to such action).^[9] The measure empowers the Commissioner to, among other things, discuss the compliance with any other person, request documents or information from any person and refer that information to another person or body. Given the broad terms in which the information-gathering powers are drafted and noting that discretionary safeguards are less stringent than the protection of statutory processes (as they may be amended or revoked at any time and there is no requirement to follow them) there is some risk that, depending on how the Commissioner's powers are exercised in practice, the measure may not be sufficiently circumscribed.

2.80 As to the existence of safeguards, the minister advised that the collection, use, storage and disclosure of personal information is in compliance with the Privacy Act, the APPs and the Commission's privacy policy. The latter provides that the Commission will only collect information that is necessary for the function or activity being carried out, and will only use and disclose personal information for the particular purpose for which it was collected, unless the person to whom the information relates provides their consent or the use or disclosure is permitted under the Privacy Act. The privacy policy also outlines how personal information is to be stored, providing that when the information is no longer required, the Commission should destroy or archive the information in a secure manner. Further, the minister advised that the Commission and its staff are bound by the Commission Act, which makes it an offence, punishable by two years imprisonment, to use or disclose protected information unless authorised to do so under the Act.^[10] The minister stated that these protected information provisions will protect and ensure safe handling of personal information collected by the Commission.

2.81 Prohibiting the unauthorised use or disclosure of personal information collected by the Commissioner may assist with proportionality to the extent that it restricts interference with privacy beyond what is strictly necessary. However, having regard to the breadth of the measure, it is not clear that the Commission's privacy policy would adequately limit the scope of personal information which may be collected and the purposes for which it may be used and disclosed. Further, the committee has previously noted that while compliance with the Privacy Act and APPs may offer some safeguard value, it is not a complete answer to concerns about interference with the right to privacy for the purposes of international human rights law. This is because the APPs contain a number of exceptions to the prohibition on use or disclosure of personal information for a secondary purpose, including where its use or disclosure is authorised under an Australian law,^[11] which may be a broader exception than permitted in international human rights law. There is also a general exemption in the APPs regarding the disclosure of personal information for a secondary purpose where it is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body.^[12]

2.82 A further safeguard identified by the minister is section 23BG of the Code, which provides that the Commissioner must have due regard to procedural fairness. The minister stated that decision-makers will make their decisions based on relevant considerations, will act in a manner that affords procedural fairness to those affected by a decision, and will explain those decisions in a clear way that people can understand. Affording procedural fairness assists with the proportionality of the measure.

2.83 Finally, the minister advised that there are no effective less rights-restrictive alternatives available for the Commission to achieve the same objective. The minister stated that the Commissioner's discretion to take certain actions in relation to compliance, including gathering and sharing information, is necessary to ensure the Commissioner can take the the most reasonable action allowable to protect the health, safety and wellbeing of aged care recipients. The minister noted that if this discretion was limited, the Commissioner's ability to protect the health, safety and wellbeing of aged care recipients could be limited and could potentially cause harm. While acknowledging the importance of taking compliance action to protect the safety of aged care recipients, questions remain as to whether there are less rights restrictive ways of achieving this legitimate objective. For example, the potential interference with the right to privacy may be lessened if the measure was more narrowly circumscribed (for instance, by including in the legislative instrument itself the threshold that is required to be met before the Commissioner takes action in relation to compliance).

2.84 In conclusion, protecting the safety of vulnerable aged care recipients is a legitimate objective for the purposes of international human rights law, and taking action in relation to compliance with the Code of Conduct appears to be rationally connected to (that is, likely to be effective to achieve) that objective. However, noting the breadth of the measure and that many of the accompanying safeguards are discretionary, there is some risk that, depending on how the Commissioner's powers are exercised in practice, the measure may not be proportionate in all circumstances.

Committee view

2.85 The committee thanks the minister for this response. The committee notes that taking action to ensure compliance by aged care workers and providers with the Code of Conduct promotes the rights to health and, as many people in aged care live with disability, the rights of persons with disability. The committee also notes that establishing broad information gathering and sharing powers in relation to compliance also engages and limits the right to privacy.

2.86 The committee considers that protecting the safety of vulnerable aged care recipients is an important and legitimate objective for the purposes of international human rights law and taking action in relation to compliance is likely to be effective to achieve this objective. The committee notes the minister's advice that conferring discretion on the Commissioner to take compliance action is necessary to ensure the most reasonable action is taken to protect the health, safety and wellbeing of aged care recipients. The committee considers that the measure is accompanied by some safeguards that may assist with proportionality. However, noting the breadth of the measure and that many of the accompanying safeguards are discretionary, the committee considers that, depending on how the Commissioner's powers are exercised in practice, there is some risk that the measure may not be a proportionate limit on the right to privacy in all circumstances.

2.89 The committee draws these human rights concerns to the attention of the minister and the Parliament.

Publication of a register of banning orders

2.90 The legislative instrument establishes additional provisions relating to the register of banning orders. Banning orders prohibit or restrict specified activities, including those of current and former aged care workers.^[13] The Aged Care Quality and Safeguard Commission Act 2018 requires that a register of banning orders must include: the relevant individual’s name; Australian Business Number (if any); and details of the banning order (including any conditions to which the order is subject).^[14] This instrument provides for additional matters that must be included on the register, stating that the register must include the state or territory, suburb and postcode of an individual’s last known place of residence; and if the Commissioner considers that further information is necessary to identify the individual the register can include further information that the Commissioner considers is sufficient to identify the individual.^[15]

2.91 The instrument also provides that an individual may request access to information about themselves that is included in the register and may seek the correction of such information. The instrument provides that the Commissioner may (and in some cases must) correct information that is included in the register of banning orders.^[16] Further, the instrument provides that the register of banning orders may be published on the Commission’s website. However, a part of the register must not be published if the Commissioner considers that its publication would be contrary to the public interest or the interests of one or more care recipients.^[17]

Summary of initial assessment

Preliminary international human rights legal advice

Right to health; rights of persons with disability; and right to privacy and reputation

2.92 Insofar as the register of banning orders helps to ensure that unsuitable people who may present a risk to aged care recipients are not engaged in the provision of their care, this measure appears to promote the rights to health and, as many people in aged care live with disability, the rights of people with disability, as set out at paragraph [2.4].

2.93 However, by providing that the register of banning orders may be made public, including the names and other identifying information in relation to the individuals subject to those orders, the measure also engages and limits the right to privacy. The right to privacy protects against arbitrary and unlawful interferences with an individual's privacy and attacks on reputation. It includes respect for informational privacy, including the right to respect for private and confidential information, particularly the storing, use and sharing of such information. It also includes the right to control the dissemination of information about one's private life.

2.94 The right to privacy may be subject to permissible limitations which are provided by law and are not arbitrary. In order for limitations not to be arbitrary, the measure must pursue a legitimate objective, be rationally connected to that objective and proportionate to achieving that objective.

2.95 Protecting the safety of vulnerable aged care recipients is a legitimate objective for the purposes of international human rights law. Making information about banned individuals accessible to the public, including future employers, is likely to be effective to achieve that objective. The key question is whether the measure is proportionate.

Committee's initial view

2.96 The committee considered that publishing a register of persons who have been banned from providing aged care services is directed towards the extremely important objective of protecting vulnerable older Australians and ensuring that persons found to be unsuitable to provide aged care services are not employed in the sector in future. This committee considered that this measure promotes the rights to health and, as many people in aged care live with disability, the rights of persons with disability. The committee considered publishing this data also limits the right to privacy, but the measure is clearly directed towards a legitimate objective, and publishing this information is likely to be effective to achieve this objective.

2.97 However, the committee required further information to determine whether the measure constitutes a proportionate limit on the right to privacy and sought the minister's advice in relation to:

(a) whether any less rights restrictive alternatives to publicly publishing the register (including the register being available only to employers, or on request) would not be effective to achieve the objective of this measure;

(b) whether it is intended that the date of birth of each person subject to a banning order will be published as a matter of routine, and if so why; and

(c) why the instrument does not require the Commissioner to correct inaccurate or misleading information on the register (when brought to their attention) in all instances.

Minister's response^[18]

2.98 The minister advised:

Whether a less rights restrictive alternatives to publicly publishing the register including the register being available only to employers, or on request) would not be effective to achieve the objective of this measure
While the majority of aged care workers exceed expectations in their care of older Australians/ like in all industries, there will be occasions when individuals are not suited to this highly trusted work. The Code and Banning Orders Instrument ensures that the Aged Care Quality and Safety Commission is able to consider matters as they arise, investigate if required and respond to ensure ongoing compliance. This approach upholds principles of safety and dignity for both the workforce and care recipients. The introduction of the Code and Banning Orders Instrument is a positive step forward for the sector and will support aged care providers, their governing persons and aged care workers to deliver safe and quality care to older Australians.
Banning orders are considered one of the Commission's most serious enforcement actions and will only be appropriate for the most serious cases of poor conduct. This can be evidenced in only four banning orders having been made since 1 December 2022. Those named are currently subject to criminal justice processes in relation to alleged fraud and acts of physical violence directly involving care recipients. With approximately 380,000 people working in aged care this is a very small proportion of the workforce who may find themselves subject to a banning order. Never-the-less, the Government takes seriously the need for quality and safety in aged care and this regulatory option is an important tool in the suite of safeguards being delivered in line with the Royal Commission's recommendations.
In order to ensure that the register of banning orders (Register) functions properly, it is considered necessary for the personal information of banned individuals to be made public.
This is due to the importance of preventing banned individuals from working in the aged care sector and the potential significant consequences for public health and safety if this does not happen.
This aims to ensure the safety of aged care recipients by providing future employers notice of individuals who were found unsuitable to provide aged care or specified types of aged care services.
The Department has advised this provision aligns with the approach taken under the National Disability Insurance Scheme (see section 73ZS of the National Disability Insurance Scheme Act 2013].
The Australian Government is seeking to align worker regulation arrangements across the aged care and disability support sector where it is reasonable and practical to do so. Worker screening is an area where the Australian Government is seeking alignment. While worker screening has not yet been expanded to aged care, individuals with an NDIS worker screening clearance can rely on this clearance to work in the aged care sector. This has the effect of preventing banned individuals from working in either the aged care sector or in the National Disability Insurance Scheme.
The publication of the Register is also intended to act as a deterrent to individuals from engaging in conduct that could result in the issuing of a banning order.
Publication of this information is considered reasonable, necessary and proportionate in order to protect the safety of vulnerable older Australians.
Whether it is intended that the date of birth of each person subject to a banning order will be published as a matter of routine, and if so why
It is not intended that the date of birth of each person subject to a banning order will be published as a matter of routine. The Commission will consider whether there is a concern about misidentification for each person subject to a banning order, noting that the inclusion of additional identifying information is to safeguard the identities, reputations, and rights of third parties with similar names. The date of birth will only be added where misidentification is of sufficient concern. The date of birth information previously published has been removed and this will not be standard practice.
Why the instrument does not require the Commissioner to correct inaccurate or misleading information on the register (when brought to their attention) in all instances
Under subsection 74GI(4) of the Commission Act, the Commissioner must ensure that the Register is kept up to date. Sections 23CE and 23CF of the Code of Conduct and Banning Order Instrument are consistent with APP 13 in Schedule 1 to the Privacy Act 1988. APP 13 sets out minimum procedural requirements for correcting personal information an entity holds about an individual.
The Commission undertake their functions in accordance with APP 13. It further operates on the basis that there is nothing in APP 13 which excludes information contained in a Commonwealth record (such as APP 11. 2(c) which relates to the destruction or deidentification of personal information). The Commission understands information contained in records in its possession or control would also be a Commonwealth record and subject to the requirements of the Archives Act 1983.
As noted by the committee, the Commissioner's general discretion under section 23CF of the Instrument to correct information in the Register is a safeguard in terms of ensuring that the content of the register is accurate. The Commissioner's discretion, rather than obligation, to correct personal information in the Register is consistent with APP 13, which does not impose an obligation on APP entities (such as the Commission) to correct personal information in all instances. Rather, APP 13 requires that APP entities must take reasonable steps to correct an individual's personal information, and must only do so if it can be satisfied that the information is incorrect. The level of discretion afforded to the Commissioner under section 23CF of the Instrument is therefore appropriate having regard to the requirements of APP 13. The discretion also takes into account that there may be other legal obligations in certain circumstances (for example, where a family and domestic violence protection order is in place) which may prevent the Commissioner from publishing certain information to the register.
APP 13 operates alongside and does not replace other informal or legal procedures by which an individual can seek correction of their personal information, including under the Freedom of Information Act 1982.

Concluding comments

International human rights legal advice

2.99 As to whether any less rights restrictive alternatives to publicly publishing the register (including the register being available only to employers, or on request) would not be effective to achieve the objective of this measure, the minister stated that banning orders are considered one of the Commission's most serious enforcement actions and will only be appropriate for the most serious cases of poor conduct. The minister stated that a small number of banning orders (four) have been made since December 2022, relative to the number of employees in the aged care sector (380,000 people). The minister also stated that it is considered necessary for the personal information of banned individuals to be made public to ensure consistency with the approach taken in relation to the NDIS banning order register. Lastly, the minister stated that the publication of the register is to enable a banning order to serve as a deterrent from engaging in conduct that could result in such an order.

2.100 It remains unclear, on the basis of this advice, as to whether publishing the banning order on a publicly accessible website is the least rights restrictive approach, such as to ensure any limitation on privacy is proportionate to the objective sought to be achieved. It is not clear that the approach taken in relation to NDIS banning orders is directly comparable. It appears that aged care sector workers would be employed by aged care providers, and not by aged care recipients directly. By contrast, it appears that NDIS workers may be engaged directly by NDIS participants as part of their NDIS plan. As such, the fact that a particular person is subject to an aged care sector banning order would appear to be of most immediate regulatory significance to an aged care service provider screening prospective staff, rather than to aged care recipients themselves. Aged care service providers would be required to screen employees prior to their employment, including by reference to the banning order register. It is not clear why the register cannot be made available to all aged care providers, and any other organisation employing workers in the aged care sector, without the need to make the register publicly available. Further, it is not clear that publication of a banning order would be necessary to serve as a deterrent, noting that conduct giving rise to such an order may give rise to criminal charges, and being on the banning register (whether it be publicly available or not) results in a person not being eligible for employment as an aged care worker. Consequently, it has not been established that a less rights restrictive alternative (such as limiting access to employers via a secure database or access by request) would not be as effective in achieving the objective of protecting the safety of vulnerable aged care recipients.

2.101 In addition, is noted that the banning order register was previously included on the departmental website as a PDF attachment,^[19] and did not seem to appear when a person named on the register was searched via a web search, such as google. However, it appears that the register has since been embedded as text on a departmental web sub-page, and if someone conducts a general google search of a person's name, for purposes unrelated to checking the banning order register, the listing on the banning order will appear. Inclusion of the public register would, therefore, appear to constitute a greater interference with the right to privacy than previously. No information has been provided to explain why this has changed.

2.102 With respect to the inclusion of a person's date of birth on the register, the minister stated that it is not intended that the date of birth of each person subject to a banning order will be published as a matter of routine. The minister stated that the Commission will consider whether there is a concern about misidentification for each person subject to a banning order, and that a person's date of birth will only be added where misidentification is of sufficient concern. With respect to the version of the register of banning orders published online at the time of the initial consideration of the rules (which included the date of birth of the only listed individual, and included a column that suggested a date of birth would be included as a matter of course), the minister stated that the date of birth information previously published has been removed and this will not be standard practice. It assists with the proportionality of the measure that a person's date of birth will not be included on the register as a matter of course. In instances where it may be included, seeking to ensure that persons with the same name as someone subject to a banning order are not misidentified as being subject to the order is clearly an important consideration. However, the countervailing consideration is that inclusion of a person's date of birth in such circumstances will likely exacerbate the interference with the named person's privacy. In this regard, it is unclear why this information was initially included on the register itself, and whether there were sufficient internal guidelines in place to ensure that such information was only included in accordance with the considerations the minister has outlined.

2.103 As to why the instrument does not require the Commissioner to correct inaccurate or misleading information on the register (when brought to their attention) in all instances, the minister stated that this requirement is consistent with Australian Privacy Principle (APP) 13 – the 'minimum procedural requirements' for correcting personal information held about an individual. APP 13 requires that relevant entities must take reasonable steps to correct an individual's personal information, and must only do so if it can be satisfied that the information is incorrect. The minister further stated that there may be other legal obligations in certain circumstances (for example, where a family and domestic violence protection order is in place) which may prevent the Commissioner from publishing certain information to the register. However, it remains unclear why establishing an obligation to correct personal information (subject to certain exceptions, such as where there is a risk to personal safety) would not be appropriate, particularly noting the minister's advice that APP 13 constitutes only the minimum relevant procedural requirement.

Committee view

2.104 The committee thanks the minister for this response. The committee considers that publishing a register of persons who have been banned from providing aged care services is directed towards the extremely important objective of protecting vulnerable older Australians and ensuring that persons found to be unsuitable to provide aged care services are not employed in the sector in future. In doing so, the committee considers that this measure promotes the rights to health and, as many people in aged care live with disability, the rights of persons with disability.

2.105 However, the committee considers that publishing a register of persons subject to a banning order also limits the right to privacy. The right to privacy may be limited if it is demonstrated it is reasonable and necessary to do so. The committee considers the measure is directed towards this important and legitimate objective of protecting vulnerable older Australians. However, the committee considers it has not been demonstrated that publishing the banning order register on a publicly available website (that means that the names of those on the register will appear in a general google search) constitutes a proportionate limit on the right to privacy. In particular, the committee considers that it is not clear that making the register available as an online resource accessible via a secure portal by aged care providers would not be as effective to achieve the objective of protecting vulnerable older Australians.

2.109 The committee draws these human rights concerns to the attention of the minister and the Parliament.

Mr Josh Burns MP

Chair

[1] This entry can be cited as: Parliamentary Joint Committee on Human Rights, Aged Care Quality and Safety Commission Amendment (Code of Conduct and Banning Orders) Rules 2022 [F2022L01457], Report 2 of 2023; [2023] AUPJCHR 24.

[2] Parliamentary Joint Committee on Human Rights, Report 1 of 2023 (8 February 2023),

pp. 37–45.

[3] Item 2 and Schedule 1.

[4] Section 23BD.

[5] See Part 8A, Division 3 of the Aged Care Quality and Safety Commission Act 2018.

[6] The minister's response to the committee's inquiries was received on 24 February 2023. This is an extract of the response. The response is available in full on the committee's website.

[7] International human rights law jurisprudence states that laws conferring discretion on decision-makers must indicate with sufficient clarity the scope of any such discretion and the manner of its exercise. See, e.g. Hasan and Chaush v Bulgaria, European Court of Human Rights App No.30985/96 (2000) [84].

[8] Commission, Compliance and Enforcement Policy, p. 8.

[9] Section 23BC and subsection 23BD(1), noting paragraph (f).

[10] Aged Care Quality and Safety Commission Act 2018, section 60.

[11] APP 9; APP 6.2(b).

[12] APP; 6.2(e).

[13] Aged Care Quality and Safety Commission Act, section 74GB.

[14] Aged Care Quality and Safety Commission Act, section 74GI.

[15] Section 23CB.

[16] Sections 23CE-CF.

[17] Section 23CG.

[18] The minister's response to the committee's inquiries was received on 24 February 2023. This is an extract of the response. The response is available in full on the committee's website.

[19] At February 2023, when these rules were initially considered. See, Parliamentary Joint Committee on Human Rights, Report 1 of 2023 (8 February 2023), pp. 37-45.