This document is the Privacy Statement of Prince Henry Medical Practice.
The purpose of this Privacy Statement is to tell you how we collect, use, hold, disclose and protect your Personal and Health Information.
We act to protect your Personal and Health Information in accordance with the Australian Privacy Principles (“APP”) and the Privacy Act 1988 (Cth) (together “Privacy Laws”).
Information we may collect
What is personal information?
Personal Information is any information or opinion about you that is capable, or reasonably capable, of identifying you, whether the information or opinion is true or not and is recorded in material form or not. Personal Information includes Sensitive and Health Information.
Sensitive Information includes such things as your racial or ethnic origin, political opinions or membership of political associations, religious or philosophical beliefs, membership of a professional or trade association or trade union, sexual orientation or criminal record, that is also personal information. Your health, genetic and biometric information and biometric templates are also Sensitive Information.
Health information is any personal information about your health or disability. It includes information or opinion about your illness, injury or disability. Some examples of health information include:
notes of your symptoms or diagnosis;
information about a health service you've had or will receive;
specialist reports and test results;
prescriptions and other pharmaceutical purchases;
your genetic information;
your wishes about future health services;
your wishes about potential organ donation;
appointment and billing details; and
any other personal information about you when a health service provider collects it.
We only collect Health and Sensitive Information about you if we obtain prior consent to the collection of the information or if the collection is required or authorised by law.
What kind of Personal Information do we collect and hold?
The Personal Information we collect and hold generally includes or consists of:
identification information such as your name, postal or email address, telephone numbers and date of birth;
health and biometric information;
information about how you interact with us when you use our website, such as device information (which browser you use and your operating system language), your location or activity (including IP address and geolocation data based on the GPS of your mobile device when accessing our services) and whether you’ve accessed third-party sites; and
other information we think is necessary.
When you become a patient of Prince Henry Medical Practice, you provide consent for our practitioners and administrative staff to access and use your Personal Information. Your Personal Information is only accessed by practitioners and staff in order to provide you with the highest level of healthcare.
There are certain circumstances in which we may be required to share your Personal Information with third parties; these are covered by this policy. If we need to use your Personal Information for anything else, we will seek additional consent from you to do this.
Having provided consent, you are able to withdraw it at any time. To withdraw consent, please contact us in writing at firstname.lastname@example.org.
Please note that withdrawing your consent may lead to us no longer being able to provide you with healthcare services.
When and how we collect Personal Information
How we collect Personal Information
We collect most Personal Information about you in the following ways:
When you become a patient you will be required to supply personal and demographic information, as well as health information such as allergies, health and family history;
In the course of providing you health services, we may collect further personal information relevant to the supply of healthcare services;
We may also collect your personal information when you visit our website, send us an email or SMS, telephone us, make an online appointment or communicate with us using social media;
Personal information may also be collected from other sources when it is not practical or reasonable to collect it from you directly. This may include information from:
your guardian or responsible person;
other involved healthcare providers, such as specialists, allied health professionals, hospitals, community health services, and pathology and diagnostic imaging services;
your health fund, Medicare, or the Department of Veterans’ Affairs (as necessary).
How do we deal with unsolicited Personal Information?
If we receive Personal Information that we did not solicit, we only retain it if we determine that it is reasonably necessary for one or more of our functions or activities, and that either you have consented to the information being collected or, in the absence of your consent, it was impracticable or unreasonable for us to obtain it in the circumstances.
If these conditions are not met, we destroy or de-identify the information.
If such unsolicited information is Sensitive or Health Information, we obtain your consent to retain it regardless of what the circumstances are.
Why do we collect, use and disclose your Personal Information?
We collect, use and disclose your Personal Information so we can provide you with a professional healthcare service and inform you about the healthcare services we offer. We also use it for activities directly related to the supply of healthcare services, such as Medicare claims and payments, clinic audits and accreditation.
We may not be able to provide you with the healthcare services you are seeking if you provide incomplete or inaccurate information.
Integrity of your information
Quality of information
We ensure that the Personal Information we collect, use or disclose is accurate, up to date, complete and relevant. Please contact us at email@example.com if any of the details you have provided to us change or if you believe that the information we have about you is not accurate or up to date.
How do we protect and hold your information?
We are committed to ensuring that we protect any Personal Information we hold from misuse, interference, loss, unauthorised access, modification and disclosure.
For this purpose, we have a range of practices and policies in place to provide a robust security environment. We ensure the on-going adequacy of these measures by regularly reviewing them.
We have the following security measures in place to protect against misuse, loss and alteration of Personal Information under our control. Our security measures include, but are not limited to:
educating our staff and practitioners as to their obligations to maintain the highest levels of confidentiality with regard to your personal information;
requiring our staff to use passwords when accessing our systems;
employing firewalls, intrusion detection systems and virus scanning tools to prevent unauthorised persons and viruses from entering our systems; and
employing physical and electronic means such as alarms and guards (as required) to protect against unauthorised access to buildings.
Where Personal Information we hold is identified as no longer needed for any purpose, we ensure it is effectively and securely destroyed, for example, by shredding or pulping in the case of paper records or by other means in the case of electronic records and equipment.
Disclosure of Personal Information
Who do we share your Personal Information with?
In some circumstances, we may be required to share your personal information. Other than in the course of providing healthcare services, or as otherwise described in this policy, we will not share personal information with any third party without your consent.
We may be required to share your personal information in the following instances:
to liaise with other healthcare providers and prepare relevant healthcare documentation including but not limited to Shared Health Summary and My Health Record related to the supply of healthcare services to you;
in emergency situations to lessen or prevent a serious threat to you or another patient’s life, health or safety or public health or safety, or if you are unable to act on your own behalf due to a health condition, we may need to discuss your health information with relatives or emergency contacts, to ensure you receive necessary care;
if needed to assist in locating a missing person;
to establish, exercise or defend an equitable claim;
for the purpose of confidential dispute resolution processes;
where required to disclose information by law e.g. under court orders or statutory notices;
if there is a statutory requirement to share certain personal information (for instance in the case of mandatory notification of certain diseases); or
where we are otherwise permitted to disclose the information under applicable Privacy Laws.
Do we disclose your Personal Information overseas?
We will not disclose your personal information to anyone outside Australia (unless under exceptional circumstances that are permitted by law) without your consent.
We may store your Personal Information in cloud-based software or other types of networked or electronic systems. As electronic or networked systems can be accessed from various countries via an internet connection, it’s not always practicable to know in which country your Personal Information may be held. If your Personal Information is stored in this way, disclosures may occur in countries other than those listed.
Overseas organisations may be required to disclose information we share with them under a foreign law. In those instances, we are not responsible for that disclosure.
Access to and Correction of your Personal Information
How you can access your Personal Information
You can request us to provide you with access to the Personal Information we hold about you.
Requests for access to limited amounts of Personal Information, such as checking to see what address or telephone number we have recorded, can generally be handled over the telephone.
If you would like to request access to more substantial amounts of Personal Information such as details of what is recorded in your records, please provide your request in writing to firstname.lastname@example.org. Your identity will be confirmed before access is provided.
We will respond to your request within 30 days and in the manner requested by you.
Can we refuse to give access?
In particular circumstances we are permitted by law to deny your request for access or limit the access we provide. We let you know why your request is denied or limited if this is the case. For example, we are not required to give you access where giving you access to your Personal Information would pose a serious threat to any person’s life, health or safety or giving access would be unlawful or where we reasonably conclude your request to be frivolous or vexatious.
If we refuse to give access to the Personal Information or to give access in the manner requested by you, we will give you a written notice setting out the reasons for the refusal, the mechanisms available to complain and any other relevant matter.
We are committed to taking, and do take, all reasonable steps to maintain accurate, timely, relevant, complete and appropriate information about our patients.
From time to time, we may ask you to verify that the personal information we hold about you is correct and current. You may also request that we correct or update your information, and you should make such requests in writing to email@example.com. We will respond to your request within 30 days.
Refusal to correct information
If we refuse to correct the Personal Information as requested by you, we will give you a written notice setting out the reasons for the refusal, the mechanisms available to complain and any other relevant matter.
Request to associate a statement
If we refuse to correct the Personal Information as requested by you, you can request us to associate with the information a statement that the information is inaccurate, out of date, incomplete, irrelevant or misleading. We will then associate the statement in such a way that makes the statement apparent to users of the information.
Notifiable Data Breaches
From February 2018, the Privacy Act includes a Notifiable Data Breaches (“NDB”) scheme which requires us to notify you and the Office of the Australian Information Commissioner (“OAIC”) of certain data breaches that are likely to result in serious harm to affected individuals, and to provide recommendations of steps you can take to limit the impacts of the breach.
If we believe there has been a data breach that impacts your Personal Information and creates a likely risk of serious harm, we notify you and the OAIC as soon as practicable and keep in close contact with you about the nature of the breach, the steps we are taking and what you can do to reduce the impacts to your privacy.
If you believe that any Personal Information we hold about you has been impacted by a data breach, you can contact us in writing at firstname.lastname@example.org or by calling (02) 9921 1708.
Making a privacy complaint
Should you have a privacy complaint, please contact us in writing to email@example.com to discuss your concerns.
If you are not satisfied with our internal privacy practices or the outcome of your complaint, you may approach the OAIC with your complaint:
Office of the Australian Information Commissioner
Address: GPO Box 5218, Sydney NSW 2001
Phone: 1300 363 992
Updated: April 2021