Privacy Policy
Effective Date: December 2025
Last Updated: December 2025
Plain English Summary
- MedNest is a Victorian healthcare staffing platform connecting nurses and support workers with facilities across Victoria.
- We collect personal information when you create an account, apply for roles, submit feedback, or use our website—including your name, contact details, employment history, qualifications, and uploaded documents (resumes, certificates).
- We may collect sensitive information where legally required or permitted, such as immunisation records, Working With Children Check status, police check results, and right-to-work verification, as necessary for healthcare recruitment and compliance.
- Your information is used to process applications, match you with roles, meet legal and safety requirements, provide customer support, and improve our services.
- We share information with service providers (cloud hosting, email delivery, file storage), clients (healthcare facilities requesting staff), credentialing and background check providers, and our AI chatbot provider (OpenAI). Some of these providers may process data overseas.
- You can access, correct, or request deletion of your information by contacting info@mednest.com.au.
- We’re committed to protecting your privacy in accordance with Australian law.
A. Introduction
Who We Are
Med Nest Nursing Pty Ltd (trading as MedNest, we, us, our) is a healthcare staffing agency based in Victoria, Australia. We connect qualified healthcare professionals—including Food Service Assistants (FSA), Personal Care Assistants/Assistants in Nursing (PCA/AIN), Enrolled Nurses (EN), and Registered Nurses (RN)—with aged care facilities, hospitals, and home care providers across Victoria.
What This Policy Covers
This Privacy Policy explains how we collect, use, disclose, store, and protect your personal information when you:
- Visit our website (www.mednest.com.au)
- Create a user account
- Submit a job application
- Provide feedback or contact us
- Interact with our AI-powered chatbot
This policy applies to all users, applicants, and visitors, whether you are based in Australia or overseas.
Key Definitions
Personal Information: Information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not and whether recorded in a material form or not. Examples include your name, email address, phone number, and employment history.
Sensitive Information: A subset of personal information that includes health information, criminal records, membership of professional or trade associations, and other categories defined in the Privacy Act 1988 (Cth). This type of information receives additional protections under Australian law.
Health Information: Information or an opinion about the health or disability of an individual, including information about their healthcare services, which is also personal information or could be used to identify them. In Victoria, health information is regulated by the Health Records Act 2001 (Vic).
B. What Personal Information We Collect
We collect the following categories of personal information, depending on how you interact with MedNest:
1. Identity and Contact Information
Examples: Full name, email address, phone number, residential address (house number, street, suburb, postcode, state), gender, date of birth
Required for: Account creation, application processing, communication
Optional/Required: Required for applications; optional for general website browsing
2. Account Credentials
Examples: Email address, password (stored in encrypted/hashed form only)
Required for: Account login, session management
Optional/Required: Required if you create an account
3. Employment and Professional Information
Examples: Desired roles (FSA, PCA/AIN, EN, RN), years of experience, availability (weekdays, weekends, nights), mode of transport, referral source (how you heard about MedNest), professional qualifications, certifications (name/description only; certificates uploaded separately)
Required for: Assessing suitability, matching you with roles
Optional/Required: Required for job applications
4. Right-to-Work and Compliance Information
Examples: Australian work rights (hours per week eligible to work), visa status (if applicable)
Required for: Legal compliance, client requirements
Optional/Required: Required for job applications
5. Emergency Contact Information
Examples: Emergency contact name, phone number, email address
Required for: Workplace health and safety compliance
Optional/Required: Required for job applications
6. Uploaded Documents
Examples: Resume/CV, cover letter, professional certifications, qualifications, credentials (e.g., AHPRA registration documents, training certificates)
Required for: Application review, credentialing, verification
Optional/Required: Resume required; other documents optional but may be necessary for specific roles
File Types: PDF, DOC, DOCX (validated by content, not extension only)
7. Feedback and Communications
Examples: Messages submitted via our feedback form, customer support inquiries
Required for: Responding to your requests, improving our services
Optional/Required: Optional
8. Technical and Usage Data
Examples: IP address, device type, browser type, pages visited, time spent on pages, referring website, date/time of access
Required for: Website functionality, security monitoring, analytics, troubleshooting
Optional/Required: Automatically collected when you use our website
Collection Method: Server logs, cookies, analytics tools
9. Chatbot Interaction Data
Examples: Questions you ask our AI chatbot, conversation history during your session
Required for: Providing chatbot responses, improving AI accuracy
Optional/Required: Optional (only if you use the chatbot feature)
10. Administrative and Audit Data
Examples: Application status (submitted, under review, interview, pool, withdrawn), login timestamps, login count, session activity logs
Required for: Application management, security monitoring, fraud prevention
Optional/Required: Automatically recorded for authenticated users
C. Sensitive Information and Health Information
Sensitive Information We May Collect
In the course of healthcare recruitment and workforce compliance, we may collect sensitive information as defined by the Privacy Act 1988 (Cth), including:
- Health Information: Immunisation status, serology results, fitness-for-work assessments, injury or incident reports, WorkCover claims, infection control declarations, COVID-19 vaccination status (where required by law or client facility policy)
- Criminal Records Information: National Police Check results, Working With Children Check (WWCC) status
- Professional Membership: AHPRA registration number and status for nurses
When and Why We Collect Sensitive Information
We only collect sensitive information where:
- You provide explicit consent (e.g., during the application process)
- Required or authorised by law (e.g., mandatory health screening for healthcare workers, working with vulnerable persons checks)
- Necessary to prevent or lessen a serious threat to life, health, or safety
- Permitted under an Australian Privacy Principle (APP) exception
Note: The current version of the application form in the codebase collects professional and employment details but does not explicitly capture immunisation records, police checks, or AHPRA numbers in structured fields. If such information is required for specific roles, it may be collected through uploaded documents (e.g., certificates, clearances) or during subsequent onboarding steps. If you provide sensitive information in uploaded documents or free-text fields, this policy applies.
Victorian Health Privacy Principles (HPPs)
If we collect health information about you (e.g., immunisation records, fitness-for-work certificates), we handle it in accordance with the Health Records Act 2001 (Vic) and the Health Privacy Principles (HPPs), in addition to the Australian Privacy Principles. Health information is subject to stricter protections and is only used for purposes directly related to healthcare recruitment, placement, and compliance.
D. How We Collect Information
1. Directly From You
Most personal information is collected directly when you:
- Create a user account (name, email, password)
- Submit a job application (all application form fields and uploaded documents)
- Submit feedback via our feedback form
- Contact us by email
- Interact with our chatbot
2. Automatically
We collect technical and usage data automatically through:
- Server logs: Record IP addresses, browser type, pages visited, timestamps
- Cookies: Small text files stored on your device (see Section H)
- Session tracking: Records login activity, application status changes
3. From Third Parties (Where Applicable)
We may receive information from:
- Referees: If you provide referees’ contact details, we may contact them to verify your employment history and qualifications (with your consent)
- Background check providers: National Police Check results, Working With Children Check verification (with your consent)
- Credentialing bodies: AHPRA registration status verification (publicly available information or with your consent)
- Training providers or immunisation clinics: Verification of qualifications or immunisation records (with your consent)
- Client facilities: Feedback on your performance during placements (if you work through MedNest)
We only collect information from third parties where you have provided consent, where it is publicly available, or where permitted or required by law.
E. Why We Collect, Use, and Disclose Information (Purposes)
We collect, use, and disclose your personal information for the following purposes, which are reasonably necessary for our functions and activities as a healthcare staffing agency:
1. Recruitment and Application Processing
- Assess your suitability for roles
- Verify your qualifications, registrations, and right to work in Australia
- Contact you about your application status
- Match you with suitable job opportunities
2. Placement and Workforce Management
- Schedule shifts and rosters
- Provide your details to client healthcare facilities for placement
- Manage timesheets, payroll, and superannuation (if you are engaged)
- Track competencies, training, and compliance requirements
3. Legal and Regulatory Compliance
- Comply with workplace health and safety laws
- Verify Working With Children Check, National Police Check, and AHPRA registration (where applicable)
- Respond to lawful requests from government agencies (e.g., Fair Work, regulators, law enforcement)
- Maintain records as required by law
4. Client Relationship Management
- Provide staffing services to healthcare facilities
- Respond to client requests for qualified staff
- Conduct quality assurance and audits
5. Communication and Customer Support
- Respond to your feedback, inquiries, and support requests
- Send you updates about your application or account (transactional emails only; we do not send marketing emails unless you opt in)
- Provide password reset functionality
6. Website Functionality and Security
- Enable account login and session management
- Protect against fraud, unauthorised access, and security threats
- Enforce our terms of service and acceptable use policies
- Monitor and log activity for security and troubleshooting
7. AI Chatbot Responses
- Process your questions and provide relevant answers using our AI-powered chatbot
- Improve chatbot accuracy and FAQ content
8. Analytics and Service Improvement
- Analyse website usage patterns to improve user experience
- Identify and fix technical issues
- Develop new features and services
Lawful Basis (Australian Context)
We handle personal information in accordance with the Australian Privacy Principles (APPs). We rely on:
- Your consent (e.g., when you submit an application, provide referees, or use the chatbot)
- Necessity for our functions and activities (recruitment, placement, compliance)
- Legal obligations (e.g., workplace safety, tax, employment law)
- Protection of life, health, or safety (emergency contact information)
For sensitive information, we rely on your explicit consent or a specific exception under the Privacy Act (e.g., legal requirement, threat to life/health/safety).
F. Disclosure of Personal Information
We may disclose your personal information to third parties in the following circumstances:
1. Client Healthcare Facilities
If you apply for roles through MedNest, we may disclose your application details, qualifications, and documents to healthcare facilities (aged care, hospitals, home care providers) that we partner with, for the purpose of recruitment, placement, and workforce management.
2. Service Providers and Technology Partners
We engage third-party service providers to support our platform. These providers may access or process your personal information on our behalf:
- Cloud hosting and infrastructure providers: Store and host our website, database, and application files
- File storage providers: Store uploaded documents (resumes, certificates). Depending on configuration, files may be stored locally on our servers or in cloud object storage (e.g., Amazon S3 or equivalent)
- Database providers: Host and manage our PostgreSQL database (or SQLite in development environments)
- Email delivery services: Send transactional emails (e.g., password reset links, application confirmations)
- AI and natural language processing providers: Our chatbot uses OpenAI's API to process questions and generate responses. Your chatbot questions and conversation context are sent to OpenAI for this purpose. OpenAI's data handling practices are governed by their own privacy policy and terms of service.
- Logging and monitoring services: Security monitoring, error tracking, performance monitoring (e.g., log aggregation tools)
We take reasonable steps to ensure these providers handle your information securely and in accordance with Australian privacy laws, including through contractual obligations requiring confidentiality, security measures, and compliance with privacy principles.
3. Background Check and Credentialing Providers
With your consent, we may disclose your information to:
- National Police Check providers
- Working With Children Check verification services
- AHPRA and other professional registration bodies
- Training and immunisation verification services
4. Professional Advisers and Auditors
We may disclose information to:
- Legal advisers (for advice or dispute resolution)
- Accountants and auditors (for financial reporting and compliance)
- Insurance providers (e.g., professional indemnity, workers’ compensation)
5. Government Agencies and Regulators
We may disclose information where required or authorised by law to:
- Australian Taxation Office (ATO)
- Fair Work Commission or Fair Work Ombudsman
- State and federal health regulators
- Law enforcement agencies (e.g., Victoria Police, Australian Federal Police)
- Workplace health and safety authorities
6. Business Transfers
If MedNest is involved in a merger, acquisition, sale of assets, or restructure, your personal information may be disclosed to prospective buyers or successors, subject to confidentiality obligations and continued privacy protection.
Disclosure Without Consent
We may disclose your personal information without your consent where:
- Required or authorised by law
- Necessary to prevent or lessen a serious threat to life, health, or safety
- Reasonably necessary for law enforcement or fraud prevention
- Permitted under an Australian Privacy Principle exception
G. Cross-Border Disclosure (Overseas Transfers)
Some of the service providers we use may store or process your personal information outside Australia. This includes:
- Cloud hosting providers: Servers may be located in Australia, Singapore, the United States, or the European Union, depending on the provider and configuration
- AI service provider (OpenAI): Chatbot data is processed by OpenAI, which operates infrastructure in multiple countries including the United States
How We Protect Your Information Overseas
When we disclose information to overseas recipients, we take reasonable steps to ensure:
- The recipient is subject to privacy laws or contractual obligations substantially similar to the Australian Privacy Principles, or
- You have consented to the overseas disclosure after being informed that APP 8.1 will not apply, or
- The disclosure is required or authorised by law
We select reputable service providers with strong privacy and security practices, and we include contractual protections requiring them to:
- Handle information securely
- Use it only for the purposes we specify
- Comply with Australian privacy standards where reasonably practicable
- Delete or return information when no longer needed
Countries where data may be processed: United States, Singapore, Australia, European Union member states (depending on service provider configuration and data routing).
H. Cookies and Analytics
What Are Cookies?
Cookies are small text files placed on your device (computer, smartphone, tablet) when you visit a website. They help websites remember your preferences, enable functionality, and collect usage data.
How We Use Cookies
We use cookies and similar technologies for:
- Essential Functionality: Session cookies to keep you logged in, remember your application progress, and enable secure form submissions (CSRF protection)
- Security: Detect and prevent fraud, brute-force attacks, and unauthorised access
- Analytics: Understand how visitors use our website (pages visited, time spent, navigation paths) to improve user experience
Assumption: The codebase does not explicitly integrate third-party analytics tools (e.g., Google Analytics) in the provided files. If analytics are added in future, this section applies.
Types of Cookies We Use
- Session Cookies: Temporary cookies deleted when you close your browser. Used for login sessions and CSRF protection.
- Persistent Cookies: Remain on your device for a set period or until deleted. Used for "remember me" functionality (if implemented) and analytics.
Managing Cookies
You can control cookies through your browser settings:
- Block all cookies: May prevent website functionality (e.g., cannot log in)
- Block third-party cookies: Prevents tracking by external services
- Delete cookies: Clear your browser’s cookie storage
Most browsers accept cookies by default. Refer to your browser’s help documentation for instructions on managing cookies. If you block or delete cookies, some features of the MedNest website may not function correctly, such as staying logged in or submitting forms.
I. Security and Storage
How We Protect Your Information
We take reasonable steps to protect your personal information from misuse, interference, loss, unauthorised access, modification, or disclosure. Our security measures include:
- Password Security: User passwords are hashed using industry-standard algorithms (PBKDF2-SHA256 with salt). We never store passwords in plain text.
- Access Controls: Administrative access is restricted to authorised personnel only. Admin sessions expire after 30 minutes of inactivity.
- Secure Transmission: Data transmitted between your browser and our servers is encrypted using HTTPS (TLS/SSL).
- CSRF Protection: All forms include cross-site request forgery (CSRF) tokens to prevent unauthorised submissions.
- Rate Limiting: Login attempts, application submissions, and API requests are rate-limited to prevent brute-force attacks and abuse.
- File Upload Validation: Uploaded files are validated by content type (not just file extension) to prevent malicious uploads. Only PDF, DOC, and DOCX files are accepted. Files are stored with randomised filenames to prevent unauthorised access.
- Session Management: Secure session cookies with HttpOnly and SameSite flags. Sessions are cleared on logout.
- Logging and Monitoring: Security events, errors, and suspicious activity are logged for review and investigation.
- Regular Updates: We keep software dependencies up to date with security patches.
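To illustrate the content-based upload validation and randomised storage names listed above, here is an added example (not MedNest's own code): the file type is decided from the bytes, a file whose extension disagrees with its content is rejected, and accepted files are written under a random name to a directory assumed to sit outside the web root. The 10 MB limit, the directory path and the sample files are assumptions constructed for the example.

```python
import io
import os
import secrets
import tempfile
import zipfile
from typing import Optional, Tuple

# Added example (not the MedNest codebase). Shows the policy's stated controls:
# file type decided by content, not the client-supplied extension; only PDF, DOC
# and DOCX accepted; accepted files written under a random, unguessable name in a
# directory that is assumed to sit outside the web root.

ALLOWED_TYPES = {"pdf", "doc", "docx"}
MAX_BYTES = 10 * 1024 * 1024  # assumed limit; the policy does not state one

# Leading bytes of an OLE2 compound document (legacy .doc)
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def sniff_type(data: bytes) -> Optional[str]:
    """Return 'pdf', 'doc' or 'docx' from the file content alone, else None."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(OLE2_MAGIC):
        return "doc"
    # A .docx is a zip package; the entries below distinguish it from any other zip
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return None
        if "[Content_Types].xml" in names and "word/document.xml" in names:
            return "docx"
    return None


def validate_upload(filename: str, data: bytes,
                    max_bytes: int = MAX_BYTES) -> Tuple[bool, Optional[str], str]:
    """Return (accepted, detected_type, reason). The extension never decides on its own."""
    if not data:
        return False, None, "empty file"
    if len(data) > max_bytes:
        return False, None, "file too large"
    detected = sniff_type(data)
    if detected not in ALLOWED_TYPES:
        return False, detected, "content is not PDF, DOC or DOCX"
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext and ext != detected:
        # e.g. HTML renamed to .pdf, or a .docx uploaded as .doc: treat as suspicious
        return False, detected, f"extension .{ext} does not match content ({detected})"
    return True, detected, "ok"


def storage_name(detected: str) -> str:
    """Random 128-bit name with the sniffed extension; the original name is never used."""
    return f"{secrets.token_hex(16)}.{detected}"


def store_upload(filename: str, data: bytes, upload_dir: str) -> Optional[str]:
    """Validate and write the file; returns the stored name or None if rejected."""
    accepted, detected, _reason = validate_upload(filename, data)
    if not accepted:
        return None
    os.makedirs(upload_dir, exist_ok=True)
    name = storage_name(detected)
    # 'x' mode refuses to overwrite, so a (vanishingly unlikely) name collision fails loudly
    with open(os.path.join(upload_dir, name), "xb") as fh:
        fh.write(data)
    return name


def make_docx_bytes() -> bytes:
    """Constructed minimal .docx package used as sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def demo() -> dict:
    """Run the flow on constructed samples in a temporary directory (stands in for a path outside the web root)."""
    samples = {
        "resume.pdf": b"%PDF-1.7\n%constructed sample\n",
        "cv.docx": make_docx_bytes(),
        "cv.pdf": make_docx_bytes(),                 # extension lies about the content
        "notes.pdf": b"<html>not a pdf at all</html>",  # wrong content type
        "tool.exe": b"MZ\x90\x00constructed",           # not an accepted type
    }
    with tempfile.TemporaryDirectory() as upload_dir:
        stored = {name: store_upload(name, data, upload_dir) for name, data in samples.items()}
        on_disk = sorted(os.listdir(upload_dir))
    return {"stored": stored, "on_disk": on_disk}


if __name__ == "__main__":
    print(demo())
```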
Storage Locations
- Database: User accounts, applications, and feedback are stored in a PostgreSQL database (production) or SQLite (development). Database credentials are encrypted and stored securely.
- Uploaded Files: Resumes, cover letters, and certificates are stored either:
  - Locally on secure servers outside the web root (not directly accessible via URL), or
  - In cloud object storage (e.g., Amazon S3) with access controls and encryption in transit
- Logs: Application logs are stored on our servers and rotated regularly to prevent storage exhaustion.
Limitations of Security
While we implement robust security measures, no system is completely secure. We cannot guarantee absolute security against all threats. You are responsible for:
- Keeping your password confidential
- Using a secure internet connection
- Logging out after using shared devices
- Reporting any suspected unauthorised access to your account to info@mednest.com.au
J. Data Retention
How Long We Keep Your Information
We retain your personal information only as long as reasonably necessary for the purposes described in this policy, or as required by law.
Retention Periods
| Information Type | Retention Period |
|---|---|
| User accounts and login data | Retained while your account is active. If you do not log in for 3 years, we may contact you to confirm whether you wish to keep your account active. |
| Job applications (active status) | Retained while your application is active (submitted, under review, interview, or applicant pool status). |
| Job applications (withdrawn) | Retained for 12 months after withdrawal, then archived or deleted unless we have a legal obligation to retain them longer. |
| Uploaded documents (resumes, certificates) | Retained in line with the associated application. If you withdraw your application, documents are retained for 12 months then deleted. |
| Feedback submissions | Retained for 2 years for quality improvement purposes, then anonymised or deleted. |
| Server logs and security logs | Retained for up to 90 days for security monitoring and troubleshooting, then deleted. |
| Chatbot conversation data | Session-based only. Not permanently stored on our servers. Sent to OpenAI for processing (see OpenAI’s data retention policy). |
| Email communications | Retained in line with the purpose (e.g., support requests retained for 2 years). |
Legal and Regulatory Retention
We may retain information longer where:
- Required by law (e.g., tax records, employment records, workplace incident reports)
- Necessary for legal claims or dispute resolution
- Necessary for compliance audits
Deletion and Anonymisation
When information is no longer needed:
- We securely delete it from our systems, or
- We de-identify or anonymise it so that it can no longer identify you
K. Access, Correction, and Your Choices
Accessing Your Information
You have the right to request access to the personal information we hold about you. To request access:
- Email us at info@mednest.com.au with:
  - Your full name
  - The email address associated with your account
  - Details of the information you wish to access
- We will verify your identity before providing access
- We aim to respond within 30 days
We will provide access unless:
- Providing access would pose a serious threat to life, health, or safety
- Providing access would have an unreasonable impact on another person’s privacy
- The request is frivolous or vexatious
- Providing access would be unlawful
- Legal proceedings are on foot and access would prejudice those proceedings
- Access would reveal our commercially sensitive information
If we refuse access, we will provide written reasons and inform you of your right to complain.
Correcting Your Information
If you believe any information we hold about you is inaccurate, out of date, incomplete, irrelevant, or misleading, you can request correction by:
- Logging into your account and updating your details (if supported), or
- Emailing info@mednest.com.au with the details you wish to correct
We will take reasonable steps to correct your information within 30 days. If we refuse to correct information, we will:
- Provide written reasons
- At your request, attach a statement to the record that you believe it is inaccurate
- Inform you of your right to complain
Withdrawing Your Application
You can withdraw your job application at any time by:
- Logging into your account and clicking "Withdraw Application", or
- Emailing info@mednest.com.au
Withdrawing your application does not delete your account or information immediately. See Section J (Data Retention) for retention periods.
Deleting Your Account
To request deletion of your account and associated information:
- Email info@mednest.com.au with "Account Deletion Request" in the subject line
- We will verify your identity and process your request within 30 days
Note: We may retain certain information where required by law (e.g., tax records, employment records) or for legitimate business purposes (e.g., fraud prevention).
Current Implementation Note: The codebase does not include a self-service account deletion feature. All deletion requests are handled manually by our team.
Unsubscribing from Communications
We only send transactional emails (e.g., password reset, application confirmations). If we send promotional or marketing emails in future, you will be able to unsubscribe using the link in the email or by contacting info@mednest.com.au.
Opting Out of the Chatbot
Use of the chatbot is optional. If you prefer not to use it, simply do not click on the chatbot widget. Your questions will not be sent to our AI provider unless you actively submit them.
L. Notifiable Data Breaches (NDB Scheme)
Australia’s Notifiable Data Breaches Scheme
Under the Privacy Act 1988 (Cth), if we experience an "eligible data breach"—that is, unauthorised access to or disclosure of personal information that is likely to result in serious harm to affected individuals—we are required to:
- Assess the breach: Determine whether it is likely to result in serious harm
- Notify affected individuals: If serious harm is likely, notify you as soon as practicable
- Notify the Office of the Australian Information Commissioner (OAIC): Submit a statement about the breach
What We Will Do in the Event of a Data Breach
If a data breach occurs, we will:
- Promptly investigate and contain the breach
- Assess the risk of serious harm to affected individuals
- Take steps to mitigate harm (e.g., reset passwords, notify relevant parties)
- Notify you by email if you are affected, including:
  - A description of the breach
  - The kinds of information involved
  - Steps you should take to protect yourself
  - Contact details for further information
- Report the breach to the OAIC where required
What You Should Do
If you suspect your account has been compromised:
- Change your password immediately
- Contact us at info@mednest.com.au
- Monitor your accounts and credit reports for suspicious activity
M. Children’s Privacy
MedNest is not intended for use by children under the age of 18. We do not knowingly collect personal information from children under 18 without appropriate consent and lawful basis.
If we become aware that we have inadvertently collected information from a person under 18 without proper consent, we will take steps to delete that information as soon as practicable. If you are a parent or guardian and believe your child has provided us with personal information without your consent, please contact us at info@mednest.com.au.
N. Complaints and Contact
How to Make a Privacy Complaint
If you have concerns about how we have handled your personal information, please contact us first:
- Email: info@mednest.com.au
- Subject Line: Privacy Complaint
- Postal Address: [Insert postal address]
- Phone: [Insert phone number]
Please include:
- Your full name and contact details
- Details of your complaint
- Any relevant dates, documents, or correspondence
We aim to respond to complaints within 30 days. If we need more time, we will let you know.
Escalation to Regulators
If you are not satisfied with our response, you may lodge a complaint with:
- Office of the Australian Information Commissioner (OAIC)
  Website: www.oaic.gov.au
  Phone: 1300 363 992
  Email: enquiries@oaic.gov.au
  Post: GPO Box 5288, Sydney NSW 2001
For health information complaints (Victoria):
- Health Complaints Commissioner (Victoria)
  Website: hcc.vic.gov.au
  Phone: 1300 582 113
  Email: info@hcc.vic.gov.au
O. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in:
- Our practices
- Legal requirements
- Technology or services we use
How We Notify You of Changes
We will post the updated policy on this page with a new "Last Updated" date. If we make significant changes that materially affect how we handle your personal information, we may also:
- Email you (if you have an account)
- Display a prominent notice on our website
Your Continued Use
Your continued use of the MedNest website or services after changes are posted constitutes your acceptance of the updated policy. We encourage you to review this policy periodically.
Contact Us
Med Nest Nursing Pty Ltd
ABN: 37 687 748 376
Email: info@mednest.com.au
Postal Address: [Insert postal address]
Phone: [Insert phone number]
Legal References (December 2025 Verification)
This Privacy Policy is based on the following Australian legislation, regulations, and authoritative guidance current as at December 2025:
- Privacy Act 1988 (Cth)
  Legislation: legislation.gov.au/Series/C2004A03712
  Australian Privacy Principles (APPs): Schedule 1 of the Privacy Act
  OAIC Guidance: oaic.gov.au/privacy/australian-privacy-principles
- Health Records Act 2001 (Vic)
  Legislation: legislation.vic.gov.au/.../health-records-act-2001
  Victorian Health Complaints Commissioner: hcc.vic.gov.au
- Notifiable Data Breaches (NDB) Scheme
  Part IIIC of the Privacy Act 1988 (Cth), effective 22 February 2018
  OAIC Guidance: oaic.gov.au/privacy/notifiable-data-breaches
- Office of the Australian Information Commissioner (OAIC)
  Main website: oaic.gov.au
  Privacy Resources: oaic.gov.au/privacy
- APP Guidelines (OAIC)
  Australian Privacy Principles Guidelines (Version 2.1, March 2024, verified current as at December 2025)
  URL: oaic.gov.au/.../australian-privacy-principles-guidelines
Verification Notes
- All legislative references checked against current consolidations as at December 2025
- OAIC guidance documents reviewed for updates and currency
- Victorian Health Records Act provisions confirmed for health information handling in healthcare recruitment context
- Cross-border disclosure obligations (APP 8) reviewed for overseas service provider arrangements
Additional Considerations
- Work Health and Safety Act 2011 (Cth) and equivalent state legislation: Relevant for collection of emergency contact information and health/safety-related data
- Fair Work Act 2009 (Cth): Relevant for employment records retention and disclosure to Fair Work authorities
- Australian Consumer Law (Schedule 2, Competition and Consumer Act 2010): Relevant for accuracy of information provided to clients and service descriptions
End of Privacy Policy
Version: 1.0
Effective Date: December 2025
Last Reviewed: December 2025
Next Review Due: December 2026 (or sooner if significant changes occur)