We all have those documents that we either need to archive or dispose of correctly to avoid disclosing sensitive information. Although I now get most of my invoices or bills via email, I still find that I have a plethora of physical documents that include sensitive information that I’d rather not have in the public domain, information that could potentially open me up to identity theft or financial loss.

But it’s not just our own personal information that we need to be mindful of. In the day to day business of operating an aged care service, we need to keep a lot of information on clients or residents.

This information is essential to help us provide a quality service to consumers. For example, we need to keep track of Mrs Smith’s health status so we can anticipate her needs. We keep track of how we’ve spent Mr Theil’s Home Care Package funds. We note down the care and services to be delivered to Ms Kumar to track whether we are meeting her stated goals.

But this information is all sensitive.

[Image: Colourful letters scattered on a grey benchtop, surrounded by a lock and chain, with the word "Information" spelled out and set apart from the other letters. Text reads: Sensitive information needs to be stored securely.]

Sensitive information, in this context, is generally recognised as personal and confidential information provided by, or about, a client/resident to the organisation that is used to assist in the delivery of service and care to that individual. Information may include, but not be limited to, details of financial status, health conditions, diagnoses, medication, family, location, vulnerability, etc.

If someone were to inappropriately access this information, they could learn a lot about the individual, things that the person might not be comfortable with others knowing, or put them at risk. For example, that they live alone, how frail or vulnerable they are, or their financial status. 

With increasing numbers of high care clients choosing to remain at home, they may also be using prescribed S6 and S8 level medication, such as medicinal cannabis, morphine, oxycodone and fentanyl for pain and symptom management. 

We need to recognise that documents containing personal information have the potential to cause physical, financial, emotional or other harm to the individual should the information in them be inappropriately disclosed. We don’t want to be the reason a person is at risk of abuse or theft. We need to acknowledge that as a holder of sensitive information we have a duty of care to clients to protect that information.

So how do we do this?

Secure Storage

Firstly, we want to make sure that we store any sensitive information about a client securely. This might mean the information is stored behind a password-protected electronic client management system, or it might be in a locked file cabinet if in paper format.

Staff who need to take some information out with them, e.g. client run sheets or rosters that contain addresses and basic information, need to ensure that they don’t leave personal information lying around where others can access it. This might mean locking folders in the boot of their car in between client visits and password protecting their phone if the information is sent through via an electronic format.

Limiting Access

Secondly, you want to ensure that only those who need the relevant information have access to it. This means clearly defining what aspects of client information your staff really need. 

Obviously, if you are sending a staff member out to provide a cleaning service to a client, you will need to disclose their address and any workplace safety concerns or client health issues that need to be considered for the service being delivered safely and effectively. However, you wouldn’t need to disclose anything that relates to the person’s finances, medication, or their wider family support to the staff member.

In a residential setting, consider access levels if you are using an electronic client management system. Most will allow you to lock sensitive resident information away behind access levels.

Archiving or disposing of information

Once the client no longer uses your service, you will be faced with what to do with the information you hold on them.

Well, you can’t simply throw it in the general waste bin!

Firstly, you will need to investigate the contents of a client or resident file and determine the value of the information and whether it requires archiving or should be disposed of immediately. The sort of information you might dispose of would include information from other stakeholders that has no strong bearing on their care and support.

While I realise this might sound strange to many operating in an urban context (why would you have something in a file that has little bearing on their care?), in a remote context some clients will ask the service to ‘hold’ information for them to keep them safe, such as letters from Centrelink or the Taxation office as the client has no secure place of their own. This information will be held by the relevant Department so the aged care provider doesn’t need to retain a copy once they are no longer supporting the client.


All records that are owned by the service must be archived in accordance with the Aged Care Records Principles 2014. This means seven years after the client or resident ceases to access services or, where the date of cessation is unknown, 10 years after the last action.

Records of people from an Aboriginal or Torres Strait Islander background may be destroyed 10 years after the date of death or 10 years after the last access on behalf of the deceased, whichever is the later (provided the person attained or would have attained the age of 25 years). But check whether the person identifies as being from the Stolen Generation, as there are different requirements.

Additionally, updates to legislation, program, and regulatory requirements do occur so it is always wise to keep up with the latest information.

Disposing of Information

After reviewing a client file, anything that is not archive quality should still be disposed of correctly. This might include shredding or some other disposal method in your organisation. 

And when it comes to disposing of archived information (once the archive timeframe has passed) this must be securely destroyed according to requirements outlined in the Aged Care Records Principles 2014 and Aged Care User Rights Principles 2014.

Policies and Procedures

Your organisation should have sound Client / Resident Storage, Archiving and Disposal policies and procedures that all staff should be aware of.

If you have a subscription to the CDCS Total Quality Package, you will find a template that will assist in ensuring your organisation is up to date and compliant in this area. Also, check out the new Data Breach policy if you haven’t already.

If you’re looking for up to date policies and resources that will support compliance, check out the CDCS Total Quality Package. It's a resource hub that includes access to regularly updated policies and procedures to support both residential and home care providers.

The start of the year is always a good time to review your policies and procedures, including those that relate to document management and how you handle the sensitive information you hold on consumers. It’s also a good time to remind staff, perhaps through an in-service or by passing on this post, of the importance of maintaining confidentiality and how they can support the safety and wellbeing of consumers by understanding policies and following the organisation’s practices.
