Our business is bound by the Privacy Act 1988 (Cth) (the Act) and the Australian Privacy Principles (APP). Our business is an APP entity as defined in s 6(1) of the Act.
This policy sets out our commitment to our Patients and may be updated from time to time.
Our practice is committed to best practice in relation to the management of information we collect. This practice has developed a policy to protect patient privacy in compliance with the Act. Our policy is to inform you of:
- the kinds of information that we collect and hold, which, as a medical practice, is likely to be ‘health information’ for the purposes of the Act;
- how we collect and hold personal information;
- the purposes for which we collect, hold, use and disclose personal information;
- how you may access your personal information and seek the correction of that information;
- how you may complain about a breach of the Australian Privacy Principles and how we will deal with such a complaint;
- whether we are likely to disclose personal information to overseas recipients.
What kinds of personal information do we collect?
We collect and hold personal information relating to our Patients and to other people and entities associated with our Patients as may be provided or disclosed to us in the course of business.
Such personal information may include, but is not limited to:
- Your name, address, date of birth, email and contact details
- Medicare number, DVA number and other government identifiers, although we will not use these for the purposes of identifying you in our practice
Other health information about you, including:
- notes of your symptoms or diagnosis and the treatment given to you
- your specialist reports and test results
- your appointment and billing details
- your prescriptions and other pharmaceutical purchases
- your dental records
- your genetic information
- your healthcare identifier
- any other information about your race, sexuality or religion, when collected by a health service provider.
Personal information is collected from our Patients in the following ways:
- by providing it to us directly;
- by authorising third parties to provide it to us;
- by other parties providing it to us, either voluntarily or pursuant to compulsory processes we conduct on our Patients' behalf.
How is personal information received and held?
Personal information may be received and held either as hard copy (paper) or as soft copy (electronic data), in any available form. In either case, we take the security of personal information very seriously. We secure hard copy documents carefully both in and out of our office. We use cyber-security systems to protect soft copy documents. We never ask for bank details or other sensitive information by email.
For what purpose is personal information collected, held, used and disclosed?
All data is processed by the business on a lawful basis. The purposes for which we collect, hold, use and disclose personal information are:
- to provide health services to you
- to communicate with you in relation to the health service being provided to you
- to comply with our legal obligations, including, but not limited to, mandatory notification of communicable diseases or mandatory reporting under applicable child protection legislation
- to help us manage our accounts and administrative services, including billing, arrangements with health funds, pursuing unpaid accounts and management of our ICT systems
- for consultations with other doctors and allied health professionals involved in your healthcare
- to obtain, analyse and discuss test results from diagnostic and pathology laboratories
- for identification and insurance claiming
- [Note: If your practice uses the My Health Record system]: If you have a My Health Record, to upload your personal information to, and download your personal information from, the My Health Record system.
- [Note: If your practice uses an electronic transfer of prescriptions service – you will need to specify if your practice participates in this service]: Information can also be disclosed through an electronic transfer of prescriptions service.
- to liaise with your health fund, government and regulatory bodies such as Medicare, the Department of Veterans' Affairs and the Office of the Australian Information Commissioner (OAIC) (if you make a privacy complaint to the OAIC), as necessary
- to obtain, maintain and comply with the terms of our professional indemnity and other insurance policies; and
- to comply with applicable laws.
How can personal information be accessed or corrected?
Patients may access their personal information and seek correction of it at any time by applying to our office in person or in writing.
We will formally verify a Patient's identity before releasing or amending any personal information.
Is personal information disclosed outside of Australia?
Where necessary we will disclose personal information to overseas recipients, including a related body corporate. The likely countries that information might be sent to include the United States and United Kingdom.
We may disclose your personal information to the following overseas recipients:
- any practice or individual who assists us in providing services (such as where you have come from overseas and had your health record transferred from overseas or have treatment continuing from an overseas provider)
- overseas transcription services
- overseas-based cloud storage
- anyone else to whom you authorise us to disclose it
All staff are responsible for protecting the confidentiality of Patient information and business information. Refer any data breaches, or suspected data breaches, to the customer services team as soon as possible.
What is an eligible data breach?
An eligible data breach, defined in s 26WE(2) of the Act, is when:
- both of the following conditions are satisfied:
- there is unauthorised access to, or unauthorised disclosure of, the information;
- a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates; or
- the information is lost in circumstances where:
- unauthorised access to, or unauthorised disclosure of, the information is likely to occur; and
- assuming that unauthorised access to, or unauthorised disclosure of, the information were to occur, a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates;…
If there is a suspicion of a breach
If we suspect that there has been an eligible data breach, a reasonable and expeditious assessment will be conducted within 30 days.
If we believe or have reasonable grounds to believe there has been a breach then a statement will be prepared setting out:
- the business’s details;
- a description of the breach;
- the kind or kinds of information concerned; and
- recommendations about the steps that we will take in response to it.
If practicable, we will notify each affected Patient who may be at risk from the breach of the contents of the statement. If this is not practicable, we will publish the statement on our website and take other reasonable steps to publicise its contents. Communications with individuals will be via their preferred communication method.
The statement will be submitted to the Privacy Commissioner.
Exception to reporting
Mandatory notification requirements do not apply if we take remedial action before the access or disclosure results in serious harm and, as a result of that action, a reasonable person would conclude that the access or disclosure is not likely to result in serious harm to any of those individuals.
What is the complaints process relating to personal information?
If you have any questions about privacy-related issues or wish to complain about a breach of the Australian Privacy Principles or the handling of your personal information by us, you may lodge your complaint in writing to the Practice Manager using the details below. We will normally respond to your complaint within 30 days.
The Practice Manager
Hunter Valley Urology
173 East Chisholm Road
Email: [email protected]
Phone: 02-4934 7333
If you are dissatisfied with our response, you may refer the matter to the OAIC:
Phone: 1300 363 992
Email: [email protected]
Fax: +61 2 9284 9666
Post: GPO Box 5218
Sydney NSW 2001