Mealward
Sign inDemo
All legal documents
Industry alignmentLast updated 21 May 2026

Aged Care Compliance Mapping

How Mealward maps to NACA (new Aged Care Act, 2025) Strengthened Quality Standards and the Statement of Rights.

Email legal@mealward.comRequest redlinable copy

Owner: Luke Ferguson trading as Mealward Privacy Officer (with input from clinical advisor) Audience: procurement, clinical governance, and quality teams at aged-care providers evaluating Luke Ferguson trading as Mealward Document type: evidence pack to support provider compliance under the Aged Care Act 2024 / NACA (commenced 2025) and the Strengthened Aged Care Quality Standards. Version: 1.0 (DRAFT - lawyer review required)

1. Position statement

Luke Ferguson trading as Mealward is not an approved provider of aged care under the NACA (Cth). Luke Ferguson trading as Mealward is a software-as-a-service supplier whose product helps approved providers run safe, person-centred meal services, capture dietary requirements, and evidence consumption against care plans.

This document explains how Luke Ferguson trading as Mealward's controls map to the obligations Australian aged-care providers carry, so that a provider's quality, clinical, and compliance teams can document Luke Ferguson trading as Mealward in their own controls register and procurement files.

This document is a mapping; it is not a substitute for the provider's own quality management system, clinical governance, or legal advice.

2. Regulatory backdrop

The relevant Commonwealth framework, as commenced and applicable at the time of writing, is:

  • NACA (Cth), commenced 1 July 2025, replacing the Aged Care Act 1997 and consolidating provider obligations around person-centred care, supporter rights, and provider accountability.
  • Strengthened Aged Care Quality Standards (the "Standards") issued under the Act, in particular:
    • Standard 4 - Care delivery, which includes nutrition and hydration as a clinical-care domain (food, drink and the dining experience), allergen management, texture-modified diets, and meal-by-meal documentation;
    • Standard 6 - Governance, which includes clinical governance, information management, risk management, complaints and feedback, workforce, and incident management;
    • Standard 5 - Clinical care to the extent it interfaces with nutrition (swallow safety, malnutrition risk, medication-nutrition interactions);
    • Standard 1 - The person, in respect of dignity, choice, and cultural/religious dietary preferences.
  • Privacy Act 1988 (Cth) and the Australian Privacy Principles, particularly APP 11 (security of personal information), APP 6 (use and disclosure), and Part IIIC (Notifiable Data Breaches).
  • Aged Care Quality and Safety Commission Act 2018 (Cth) and the Commission's regulatory and assessment activities.
  • State and territory health-records legislation (e.g. NSW Health Records and Information Privacy Act 2002) where the provider holds health information in those jurisdictions.

The NACA and the Standards are evolving. Luke Ferguson trading as Mealward reviews this mapping at least annually and updates it on material regulatory change.

3. How providers use Luke Ferguson trading as Mealward

  • Build menus and menu cycles aligned to the provider's nutrition-and-hydration policy.
  • Capture each resident's dietary profile: cultural and religious preferences, allergies and intolerances, IDDSI texture level (0-7), fluid consistency, swallow-safety notes, medication-related dietary flags, and other clinical flags entered by qualified staff.
  • Take meal orders at point of service (tablet or printed run-sheet) with allergens and IDDSI levels surfaced to the staff member.
  • Record meal-by-meal consumption (ordered / served / consumed proportion / refused) and notes (e.g. choking event, refusal pattern).
  • Produce reports for the provider's clinical governance and quality committees, and evidence trails for audit.

4. Standard 4 (Care delivery) - mapping

Standard 4 outcomes that intersect with food, drink, dining, allergens, and texture-modified diets:

Outcome (paraphrased)How Luke Ferguson trading as Mealward supports itEvidence available to the provider
Each older person is supported to eat and drink in a way that meets their needs and preferencesResident dietary profile captures cultural, religious, and personal preferences; meal-ordering screens surface preferences alongside choicesResident profile audit log; daily order list per resident
Allergens and intolerances are clearly identified and managedAllergens are first-class fields with mandatory entry on profile; allergens displayed in red on order screens and printed run-sheets; menu items are tagged with constituent allergensAllergen alert log; printable resident allergen sheet; menu item allergen matrix
Texture-modified diets are correctly assigned and served (IDDSI)IDDSI level (0-7) is a structured field on the resident profile; menu items are tagged with served IDDSI level; mismatches between resident IDDSI level and selected menu item are blocked or warnedIDDSI mismatch warning log; printable IDDSI level summary by wing
Meals are served as prescribed; deviations are recorded with clinical reasoningOrder, served, and consumed states are captured per resident per meal; refusals and substitutions captured with optional notesPer-resident consumption history; refusal-pattern report
Hydration is monitoredFluid intake (where the provider chooses to use this module) captured at point of service against the resident's fluid consistency requirementFluid intake report per resident per day
Risk of malnutrition is identified and managedConfigurable malnutrition-risk flags (e.g. MUST-derived) appear on the resident profile and ordering screen; consumption trends are visible to clinical staffMalnutrition risk dashboard; trend charts
Cultural and religious dietary requirements are respectedProfile fields for halal, kosher, vegetarian, vegan, and free-text cultural notes; menu cycles can include culturally appropriate optionsResident preference report

5. Standard 6 (Governance) - mapping

Standard 6 covers governance, information management, risk, workforce, and incident management. Luke Ferguson trading as Mealward's controls support providers as follows.

5.1 Information management

  • Audit logs of every change to a resident profile, every meal order, served, and consumed event, and every menu publication, retained by default for 7 years (configurable). This supports providers' record-keeping under the Aged Care Act and clinical governance obligations.
  • Role-based access with least privilege; SSO and MFA on enterprise plans.
  • Data residency in Australia (Sydney region) for primary storage.
  • Backup and disaster recovery documented in the Information Security Policy and SLA: nightly backups, 90-day retention, RPO 24h / RTO 8h.
  • Data export at any time and at termination, in CSV (and on request, JSON), supporting the provider's portability obligations.

5.2 Clinical governance interface

  • Luke Ferguson trading as Mealward is not a clinical decision-support system. Clinical decisions (assigning an IDDSI level, identifying an allergen, prescribing a texture-modified diet) are made by suitably qualified provider staff and recorded in the system.
  • Where Luke Ferguson trading as Mealward surfaces a warning (e.g. allergen alert, IDDSI mismatch) it is to support the staff member, not to replace clinical judgement.
  • Reporting outputs are designed to feed the provider's clinical governance committee.

5.3 Risk management

  • Luke Ferguson trading as Mealward's own risk register addresses: software defects, security incidents, sub-processor outages, and patient-safety bugs. Sev 1 incidents (including any patient-safety-impacting bug) trigger the Incident Response Runbook.
  • Material risks affecting provider operations are communicated under the SLA and DPA notification clauses.

5.4 Workforce

  • Luke Ferguson trading as Mealward staff with production access undergo background checks (identity, right-to-work, NPC) where lawful, and complete privacy and security awareness training annually.
  • Provider staff training on the Service is the provider's responsibility; Luke Ferguson trading as Mealward supplies training materials and runs onboarding.

5.5 Incident management

  • Luke Ferguson trading as Mealward's Incident Response Runbook coordinates with the provider's incident-management process. Patient-safety bugs are escalated to the provider's nominated clinical contact within 1 hour.
  • Notifiable Data Breach assessment is run jointly with the provider, who is the primary controller for resident information.

5.6 Complaints and feedback

  • Luke Ferguson trading as Mealward provides a documented complaints pathway via {{LEGAL_EMAIL}} and supports providers with reports needed to investigate resident or family complaints (e.g. reconstructing what was served on a particular day).

6. Standard 5 (Clinical care) and Standard 1 (The person) - relevant intersections

  • Swallow safety. IDDSI level and fluid consistency are mandatory fields when the provider's clinical workflow uses them. Mismatches between the resident's prescribed level and a selected menu item are flagged.
  • Medication-nutrition interactions. A free-text "dietary flag" field allows the provider to record interactions (e.g. warfarin and vitamin K, MAOI and aged cheese). The flag is shown on the ordering screen.
  • Choking and aspiration events. Recorded as an event type against the meal record, supporting incident review.
  • Person-centred care (Standard 1). Resident preferences (food likes/dislikes, cultural and religious requirements, mealtime social preferences) are first-class profile data, surfaced at every order step.

7. Privacy and security controls (cross-reference)

The Service's privacy and security controls are documented in:

  • docs/legal/PRIVACY-POLICY.md
  • docs/legal/DATA-PROCESSING-AGREEMENT.md (with Schedule 2 TOMs and Schedule 3 sub-processors)
  • docs/legal/INFORMATION-SECURITY-POLICY.md
  • docs/legal/INCIDENT-RESPONSE-RUNBOOK.md

Highlights relevant to providers' Privacy Act and Standard 6 obligations:

  • Data residency in Australia (Sydney).
  • AES-256 at rest, TLS 1.2+ in transit.
  • Single-tenant logical isolation via PostgreSQL Row-Level Security.
  • Mandatory MFA on all staff access; quarterly access reviews.
  • ACSC Essential Eight: target ML1 at launch, ML2 within 12 months.
  • Notifiable Data Breach: customer notification within 48 hours; joint assessment with the provider as controller.

8. Audit log retention

  • Default retention for clinical-adjacent audit logs (resident profile changes, meal orders, served, consumed events, menu publications, allergen overrides, IDDSI overrides) is 7 years, in line with conservative interpretation of provider record-keeping obligations under the NACA and state health-records legislation.
  • Retention is configurable upward by the provider but cannot be set below the regulatory floor.
  • Audit log access is restricted and itself audited.

9. Provider responsibilities (out of scope for Luke Ferguson trading as Mealward)

To ensure clarity, the following remain the provider's responsibility:

  • Determining clinical appropriateness of menus, IDDSI levels, allergen management, and any other clinical decision recorded in the Service.
  • Obtaining consent from residents (or their authorised representatives) under APP 3 and the Aged Care Act for the collection and use of their information.
  • Notifying residents under APP 5 of how their information is handled.
  • Assessing and notifying Eligible Data Breaches as the controller (with Luke Ferguson trading as Mealward's support and information).
  • Training and supervising staff in safe meal service.
  • Maintaining records under sector record-keeping obligations beyond what is in the Service.
  • Engaging with the Aged Care Quality and Safety Commission, including for assessments, audits, and complaints.

10. Continuous improvement

Luke Ferguson trading as Mealward commits to:

  • reviewing this mapping at least annually;
  • updating it whenever the Standards or the Act are materially amended;
  • providing customers with a written change summary on each material update; and
  • co-developing with at least one enterprise customer's quality team an annual evidence pack that supports the customer's accreditation cycle.

DRAFTING NOTES

  • Standards version. The Strengthened Aged Care Quality Standards continue to be refined under the NACA (commenced 1 July 2025). Lawyer / clinical advisor to confirm exact outcome numbering at publication date and adjust mapping headings.
  • Clinical advisor sign-off. This document should be reviewed by a clinically-trained advisor (RN with aged-care nutrition experience or accredited practising dietitian) before being shown to enterprise customers - language is otherwise plausible but unverified clinically.
  • Not a medical device. Repeated deliberately. If we ever ship genuine clinical decision support, this document becomes substantially more complex and TGA classification advice is needed.
  • State law. NSW HRIP Act referenced. Add Victorian, Queensland, and SA equivalents before pitching outside NSW.
  • Audit log floor of 7 years. Conservative; some providers retain longer (e.g. for incidents, "lifetime + period"). Configurable upward, but never below the floor.
Source of truth: docs/legal/AGED-CARE-COMPLIANCE.md in our public repo.Question about this document?

Related documents

Public-facing policy

Privacy Policy

How Mealward collects, uses, and protects personal information under the Australian Privacy Act 1988 and APPs.

Read

Public-facing policy

Website Terms of Use

The terms governing use of mealward.com and its public marketing surfaces.

Read

Customer agreement

Master Services Agreement

Customer-facing contractual terms for the Mealward platform after the 30-day pilot.

Read