last edited: December 2024

PEHA Holding Co Pty Ltd ACN 617 266 627 and its related bodies corporate (PEHA, us, we, our) understand that privacy is important to you and are committed to complying with our obligations under the Privacy Act 1988 (Cth) (Privacy Act), which includes the Australian Privacy Principles, and relevant State and Territory privacy legislation applying to health records. This Privacy Policy describes how we collect, use, disclose, store, and handle your personal information (including your health information and other sensitive information) and outlines the measures and processes that we have put in place to ensure its adequate protection. It is important to us that you understand why we collect and use your personal information.

What is personal information?

In this Privacy Policy, ‘personal information’ has the meaning set out in the Privacy Act. In general terms, personal information is information (whether fact or opinion) about an individual who is identified or reasonably identifiable by that information.

Some types of personal information are designated as ‘sensitive information’, which is subject to additional protection under the Privacy Act. For example, this can include information about your health.

 

What personal information does PEHA collect and hold?

We collect personal information about you in the course of operating our business and providing our services to you. The types of personal information we collect about you will be information that is reasonably necessary for one or more of PEHA’s functions or activities and will depend on the purpose for which the personal information is collected. This can include:

  • if you have requested to receive news and information about PEHA’s services – your name, address, contact details, occupation and professional memberships;
  • if you are a user of PEHA’s services (or you are a person who engages with PEHA on behalf of another person, such as a patient, in relation to the provision of PEHA’s services) – your (or the other person’s) name, date of birth, age, gender, contact details (including address, email address and phone number), emergency contact details, next-of-kin details, requested services, general practitioner, medical specialist or referring doctor’s details, Medicare card number, government or other individual health identifiers, medical history details (in respect of you and your family), insurance or health fund information, current health information (including details of your current lifestyle), ethnic background, credit card or payment details and responses to our COVID-19 screening questions;
  • if you have contacted us to make a complaint, provide feedback, submit an enquiry, or request a call-back – your name and contact details, and any other personal information that you supply to us as part of the complaint, feedback or enquiry;
  • in the case of health professionals (which may include trainees or students undertaking training placements in our facilities) – your name, email address, contact details, details of your licences and accreditations, and responses to our COVID-19 screening questions;
  • in the case of employees or contractors (whether prospective, current or former) – information contained in your application or résumé, recorded during any interview, or obtained through any pre-employment or engagement checks (including criminal records and working with children checks), contact details (including email address and phone number), health information, government-issued identifiers such as ABNs, tax file numbers and provider numbers, credentialing information, bank account details and superannuation details, and any other personal information held in your employee record (or other records relating to you); and
  • in the case of our hospital partners, suppliers and distributors – the name, mailing or street address, email address, and telephone number(s) of your representative(s).

As a health service provider, where you are a user of PEHA’s services, the personal information, including information about your health and health services, that we collect to provide, or in providing, our services to you is a category of sensitive information referred to as ‘health information’. When you register as a user of our services, you provide consent for PEHA’s doctors and staff to access and use your personal information to facilitate the delivery of healthcare.

We may also collect health information from prospective and current employees and contractors. Except as otherwise required or authorised by law, we will obtain your consent before collecting your sensitive information. For users of PEHA’s services, this consent will be obtained through forms that you will be asked to sign at the time of receiving our services. For employees and contractors, this consent will be obtained through your employment or services contract or otherwise from you expressly or impliedly at the time that you provide such information to us.

Where you access our website, we also collect technical information and general analytics arising from your use of our website, such as:

  • the number of page views (or page impressions) that occur on our website;
  • the number of unique visitors;
  • how long these unique visitors (on average) spend on our website; and
  • common entry and exit points to our website.

When you provide us with personal information or when you receive our services and sign a consent form, you consent to us collecting, holding, using and disclosing your personal information (including your health information and other sensitive information) in accordance with this Privacy Policy, or otherwise for such purposes and in such ways as we may communicate to you from time to time.

How does PEHA collect personal information?

We collect your personal information directly from you, including when you:

  • access or use our website;
  • complete our electronic contact forms on our website;
  • subscribe to receive information about our services;
  • make enquiries about PEHA or our services or otherwise communicate with us by email, telephone, in person or via our website or otherwise; and
  • apply to work with us or are employed or engaged by us as an employee or contractor.

For users of our services, we collect your personal information, including health information, directly from you when you:

  • complete our written forms at the time of receiving our services;
  • use our services; and
  • make enquiries to us in relation to services you intend to or have received.

Where it is reasonable and practicable to do so, we will only collect personal information about you from you directly and not from third parties. However, if it is not reasonable and practicable to do so, we may collect your personal information from third parties (which may include our hospital partners (or their personnel) who have collected personal information, including health information, from you, your general practitioner or specialist or other persons or entities who ask us, or our doctors, to perform services on your behalf (e.g. the hospital where you are a patient, a government department or your employer)).

We also use website traffic tracking technology to collect technical information and general analytics about the use of our website. By using our website, you consent to the use of website traffic tracking technology in accordance with this Privacy Policy.

 

Does PEHA use Artificial Intelligence (AI) Scribes to collect personal information?

We use AI scribe tools, such as i-scribe, to support our doctors in taking notes during their consultations with you. These AI scribes use an audio recording of your consultation to generate a clinical note for your health record. The AI scribe services used by PEHA and our doctors:

  • do not share information outside of Australia;
  • store the audio file for a limited period of time after the transcription is complete; and
  • retain sensitive, personal identifying information as part of the transcription.

You are able to opt out of the use of AI scribe tools by notifying us or your doctor. We will only use data from our AI scribe service to provide healthcare to you.

 

Can you choose not to disclose your personal information?

If you contact us to make a general enquiry about PEHA or our services, you do not have to identify yourself or provide any personal information. Alternatively, you can also notify us that you wish to deal with us using a pseudonym.

However, if we are not able to collect personal information about you, we may not be able to provide you with the information or assistance you require. For example, we will not be able to send you information you have requested if you have not provided us with a valid email address or telephone number.

Where you are a user or prospective user of our services, you do not have to identify yourself and are under no obligation to provide any personal information; however, this may mean that we are not able to provide you with some or all of our services. For example, where you do not consent to the use of your personal information, this will mean that the emergency doctor will not be able to request blood tests or pathology tests, refer you for specialist treatment, advise your general practitioner or medical specialist of your visit or discuss your condition with your family members.

 

How does PEHA use personal information?

We may use your personal information (including your health information and other sensitive information) for purposes connected with our business or our services and otherwise where required or permitted by law.

Some specific purposes for which we use your personal information (including your health information) are as follows:

  • to provide information, goods and services to you or someone else on your behalf;
  • to communicate with other health professionals (such as your general practitioner or medical specialist, or other staff at the facility that you are being treated in) or institutions (such as radiology or pathology departments) that are involved in the provision of healthcare services to you;
  • to generate referral letters through the use of referral templates and document automation technology;
  • to inform your next of kin of the outcomes of treatment or to obtain consent to necessary treatment when you are not able to provide such consent;
  • to facilitate our internal business operations (including establishing our relationship with you, fulfilling our legal requirements, maintaining and managing our relationship with you and communicating with you in the ordinary course of that relationship (including responding to feedback or complaints));
  • to protect and/or enforce our legal rights and interests, including defending any claim, demand, legal proceeding, cause of action or other dispute arising from, or in connection with, the operation of our business including without limitation, any medical negligence claim;
  • for medical research projects, provided that the research has been approved by a Human Research Ethics Committee and we are satisfied that privacy and confidentiality requirements have been met;
  • to obtain payment from Medicare, you, your private health insurer or from any organisation responsible for payment of any part of your account, such as the Department of Defence; or
  • to securely store your patient records and/or provide you with information that is necessary for you to obtain Medicare payments or other health insurance rebates (if you are a patient).

For users of PEHA’s services, you provide your consent to us using your health information for the purposes listed above when you sign the relevant forms at the time of receiving our services.

In addition to the above purposes, we may also use your other personal information for the following purposes:

  • to respond to your questions, inform institutions and other clients of developments in the services we provide (including events and opportunities to participate in projects/programs);
  • to communicate with you about news, exclusive offers, promotions (including direct marketing) or events;
  • to request feedback through surveys and research so that we can improve our business and services; or
  • for quality assurance, research and professional development purposes.

PEHA will not use personal information for any other purposes unless otherwise permitted or required by law, or with your prior consent.

 

Does PEHA use document automation technologies to process personal information?

Document automation is where systems use existing data to generate electronic documents relating to medical conditions and healthcare.

We use document automation technologies to create documents such as referrals, which are sent to other healthcare providers. These documents contain only your relevant medical information.

These document automation technologies are used through secure medical software that we use in the operation of our business and the provision of our services to you, such as Medtech.

All users of the medical software have their own unique user credentials and password and can only access information that is relevant to their role in the PEHA team.

All data, both electronic and paper, is stored and managed in accordance with this Privacy Policy and the Royal Australian College of General Practitioners Privacy and managing health information guidance.

 

To whom may PEHA disclose personal information?

We may disclose your personal information (including your health information and other sensitive information) to third parties in connection with the purposes described above (see the “How does PEHA use personal information?” section).

This may include disclosing your personal information to the following types of third parties:

  • our related companies;
  • any potential third party acquirer of our business or assets, and advisors to that third party;
  • our professional advisers (such as lawyers, accountants or auditors) and insurers, including where a claim, demand, legal proceeding, cause of action or other dispute arising from, or in connection with, the operation of our business is made against us;
  • our hospital partners to whom we provide services;
  • our employees, contractors and third party service providers (including the providers of our AI scribe tools and document automation technology) who assist us in performing our functions and activities;
  • other health professionals (such as your general practitioner or medical specialist, or other staff at the facility that you are being treated in) or institutions (such as radiology or pathology departments) that are involved in the provision of healthcare services to you;
  • persons or entities (such as your employer or a government department) who have requested services on your behalf;
  • organisations authorised by us to conduct promotional, research or marketing activities;
  • medical researchers or research bodies, provided that the research they are undertaking has been approved by a Human Research Ethics Committee;
  • government and regulatory authorities and other organisations, enforcement or exchange bodies or courts;
  • third parties to whom you have authorised us to disclose your information (e.g. referees); and
  • any other person as required or permitted by law.

Other than providing services or as otherwise described in this Privacy Policy, we will not share your personal information with any third party without your consent.

 

Direct marketing communications

We will only send you direct marketing communications (either through mail, SMS or email), including news, exclusive offers, promotions or events, where you have consented to us doing so.

You may opt-out of receiving direct marketing communications at any time by contacting us or by using opt-out facilities provided in the direct marketing communications.

 

Does personal information leave Australia?

We store personal information in servers located in Australia. We may disclose your personal information to overseas recipients, such as to our service providers (e.g. providers of data storage or processing services). It is not practical for us to list every country where such overseas recipients may be located; however, such countries are likely to include India and the Philippines.

Except where an exemption applies under the Privacy Act or other relevant legislation, we will take commercially reasonable steps to ensure that overseas recipients to whom we disclose personal information do not breach the Australian Privacy Principles stated in the Privacy Act in relation to such information.

Any information disclosed to overseas recipients who provide financial or accounting support is anonymised and does not contain any patient-identifiable information.

 

Security

PEHA takes reasonable steps to ensure the security of your personal information. However, where you interact with us online you should be aware that the internet is not a secure environment, and we cannot guarantee the security or transmission of personal information you disclose to us online. Accordingly, you transmit your personal information to us online at your own risk.

Please notify us immediately if you become aware of any breach of security.

 

How long do we keep your personal information?

Generally, we will retain your personal information for the period necessary for the purposes for which your personal information was collected (as outlined in this Privacy Policy) unless a longer retention period is required by law (including minimum record retention periods under State and Territory legislation applying to health records) or if it is reasonably necessary for us to comply with our legal obligations, resolve a dispute or maintain security.

 

Access to and correction of personal information

You may request access to your personal information held by PEHA at any time by contacting us. If you believe that personal information we hold about you is incorrect, incomplete or inaccurate, then you may also request us to amend it by contacting us.

We will provide access to that information or make the requested changes in accordance with the Privacy Act, subject to any exemptions that may apply. Before providing access or making changes, we will require you to verify your identity. We may charge an administration fee in limited circumstances, including where we are required to.

Requests for third party access to your medical records (or transfers of such records) should be initiated by either receipt of correspondence from a solicitor or government agency, or by you directly requesting such access from us in writing. PEHA may withhold the release of your medical records until you have provided a written request or signed authorisation.

 

What is the process for complaining about a breach of privacy?

If you have any questions, concerns or complaints about our collection, use, disclosure or management of your personal information, please contact us in writing using the contact details below.

We will make inquiries and your complaint will be assessed by an appropriate person with the aim of resolving any issue in a timely and efficient manner.

Complainants also have the option of making a complaint anonymously. Where an anonymous complaint is received, the complainant’s anonymity will be preserved insofar as is possible; however, PEHA may be unable to act on a complaint where the complainant is anonymous. If you would like to submit an anonymous complaint, you can do so on our website or by completing a feedback form (which is available upon request from our hospital partners).

If you are unsatisfied with the outcome, we will advise you about further options, including, if appropriate, review by the Privacy Commissioner within the Office of the Australian Information Commissioner.

 

Exemptions and inconsistency with law

Where laws allow for an exemption to compliance with certain legal obligations (for example, the employee records exemption), we may rely on such an exemption.

This Privacy Policy will not apply to the extent that it is inconsistent with any applicable law.

 

Changes to this Privacy Policy

PEHA may change this Privacy Policy from time to time at our discretion, including to maintain our compliance with applicable laws and regulations or following an update to our internal practices, policies and procedures. Amendments to this Privacy Policy will be posted on our website. Your continued dealings with us, for example, use of our website or services, will signify your agreement to this Privacy Policy as amended.

 

How to contact us

If you have a query, concern or complaint about this Privacy Policy, the manner in which your personal information has been collected or handled by us, wish to make a complaint about a breach of applicable privacy legislation or would like to request access to or correction of the personal information we hold about you, please contact us using the details provided below:

Attention: Privacy Officer

GPO Box 145 Brisbane QLD 4001

[email protected]

For more information about privacy in general, you can visit the Office of the Information Commissioner’s website at www.oaic.gov.au.

Last updated: 17 December 2024