Healthscope (we, us, our) is committed to protecting the privacy of your personal information. 

Healthscope is a leading private healthcare provider in Australia with hospitals which operate in each State and Territory.  We believe in the provision of quality healthcare for our patients, which includes handling your personal information in a lawful and safe way. 

We will handle your personal information (including health information) in compliance with the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs) contained in the Privacy Act. We will also handle your personal information in compliance with the relevant State and Territory based health records laws and other applicable privacy laws.

This privacy policy (this Policy) explains how we collect, use, disclose, store and protect your personal information. This Policy also describes how you may access or correct the personal information we hold about you, and how to contact us if you would like to make a privacy complaint.

This Policy explains the way we handle personal information we collect from:

• our patients; and
• other people who interact with us. For example, job applicants, service providers, carers and emergency contacts for patients.

This Policy also includes a section on privacy for people who visit our website. 

If you would like to read a summarised version of how we handle your personal information, please read our summary privacy policy here.  

Both this Policy and the summarised policy are provided in sections which explain one part of the way we handle your personal information (for example, how we collect information, or how we use or disclose information).

You have the choice to read more or less detail about how Healthscope handles your personal information depending on what information you require, how quickly you need to find the information, and how much you wish to read.

Please read this Policy for the full details on how we handle your personal information.

This Policy applies to all Healthscope hospitals and companies which operate in Australia as part of the Healthscope Group. 

This Policy applies to our handling of ‘personal information’.  Personal information includes a broad range of information, or an opinion, that could identify an individual.  Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable. It does not matter whether the information or opinion is true or not, or whether the information or opinion is recorded in material form.

Personal information includes ‘sensitive information’, which is a type of personal information that has more protection under the privacy laws. It includes ‘health information’ (defined below), and information about a person’s:

• genetics or biometrics (that is not health information);
• race or ethnic origin;
• political opinions;
• membership of political, professional or trade associations or trade unions;
• religious beliefs;
• sexual orientation or practices; and
• criminal record.

‘Health information’ is a type of both personal information and sensitive information. It includes information or an opinion about:

• a person's health, a person's wishes about the future provision of a health service, or a health service provided or to be provided to a person;
• other personal information collected to provide or in providing a health service to a person;
• other personal information collected in connection with a person's donation, or intended donation of body parts or substances, or organs; and
• genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual.

References in this Policy to personal information include sensitive information and health information.

In some circumstances you can deal with us anonymously or by using a pseudonym, for example, if you are enquiring about our services generally.

 
However, we will need to identify you if it is not practicable for you to remain anonymous or use a pseudonym when you deal with us. For example, if you are a patient, it is not always practicable for you to be treated on an anonymous basis or for you to use a pseudonym, because this would prevent us from being able to treat you appropriately, and/or ensure you receive Medicare benefits or private health insurance benefits for the services you receive. 

We may collect personal information from you so that we can provide services to you if you are a patient, or to manage our relationship with you if you are a person other than a patient, or where this is otherwise necessary for our functions or activities.

In particular, if you are a patient, we may collect your personal information:

• to provide you with health services and other services;
• to provide you with information regarding our services;
• to arrange billing with you for our services; or
• to obtain your consent to the above services and activities.

The personal information we collect from you will depend on whether you are a patient, or another type of person we deal with, such as a job applicant, a service provider, or a contractor.

Patients

If you are a patient, we will collect your personal information so that we can provide health services and other services to you. This could include your:

• name, address (postal and email) and telephone numbers;
• date of birth;
• your medical history and other health information;
• gender;
• marital status;
• occupation;
• next of kin;
• payment information (e.g. credit card details);
• health insurance or health fund details;
• Medicare or concession card details; and
• workers’ compensation or other insurance claim details.

To help us provide the best care and services to you we may ask for the following sensitive information (in addition to your health information):

• your religion (if any);
• where you were born; and
• if you identify as an Aboriginal or Torres Strait Islander person.

Other People

Other groups of people we collect personal information from include:

• emergency contacts;
• job applicants;
• referees for job applicants;
• health service providers;
• other service providers;
• contractors; and
• students.

The personal information we collect from you in these circumstances will depend on the way in which you are engaging with Healthscope. We will only collect the information needed for you to engage or deal with us. For example, if you are applying for a job at Healthscope, we will collect personal information to determine if you are the right person for the job.

We may collect sensitive information from you in these circumstances. For example, if you are a job applicant, contractor, student or service provider, we may collect details from a police check, working with children check or health information, depending on how you are engaging with us.

You are not required to disclose your personal information to us.  However, if you do not provide the information requested:

• if you are a patient, we may not be able to provide you with appropriate services or treatment, or provide you with relevant information regarding our services; or
• if you are another person engaging with us, we may not be able to work or transact with you.

We will collect personal information directly from you when it is practical to do so. This might be via a face to face discussion, telephone conversation, registration form or online form.

Sometimes we may need to collect personal information about you from someone else.  We will only do this with your consent, or where it is not practical to obtain this information from you and this is otherwise permitted by the privacy laws.  For example, if you are a patient, we may need to collect your information from your GP, other health service providers, or a family member, where there is a serious threat to your life or health and you cannot provide consent.

Some examples of the persons we may collect your personal information from are provided below.

Patients

To provide care and services, sometimes we need to collect your personal information from:

• a responsible person or representative (e.g. guardian);
• your other health service providers (including other hospitals and specialist clinics);
• your GP or another health professional who has treated you;
• your insurer;
• your family; or
• other sources, where needed to provide our services (e.g. pathology labs or other diagnostic centres).

Unless you have opted out of the My Health Record system, we may also collect your personal information from this system. We will only collect your personal information from this system according to the access controls you have set. You can change the access controls in the My Health Record system if you do not want us to access your personal information from the system.

Other People

An example of circumstances in which we may obtain your personal information from another person include where you list a referee as a

Healthscope job applicant or a service provider, we may contact that referee and collect personal information about you from them. ​​​

When we collect your personal information, we will take reasonable steps to notify you of the details of the collection (including notifying you through this Policy), such as:

• the purposes for which the information was collected;
• the organisations (if any) to which the information will be disclosed; and
• to notify you that this Policy contains details on how you may access or correct your information, or raise any complaints. 

We will generally only use your personal information for the main purposes for which you have provided it to us. For example, if you are a patient, we will generally only use your personal information to provide health services to you. 

If you are a person other than a patient (such as a service provider), we may use your personal information to manage our relationship with you.

If you have consented to the use of your personal information for a different purpose, we will use your information for that purpose.

We may also use your personal information for purposes which are directly related to the main purpose for which the information was collected, in circumstances where you would reasonably expect us to use your information for these purposes. 

We will also use your personal information where we are otherwise required or authorised by law to do so, which may include the following:

• for funding, management, planning, monitoring improvement or evaluation of health services, or the training of staff, where we take all reasonable steps to de-identify that information; or
• where it is unreasonable or impracticable to obtain your consent and the use is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.

The main purposes for which we use your personal information are listed below.

Patients

Care purposes

• To understand and assess your health and other needs.
• To obtain, analyse and discuss test results from diagnostic and pathology laboratories.
• To communicate with you in relation to the health service being provided to you.
• To provide you with health services and other services.
• To provide you with ongoing treatment options.

Feedback and improvement

• To request your participation in patient experience surveys to assess and improve services, and to undertake those surveys where you do participate.
• To contact you to respond to questions.
• To respond to feedback.
• To address a complaint.

Financial, legal and regulatory purposes

• To charge, bill, or process health insurance claims, and enable health insurance funding.
• To collect debts.
• To comply with quality assurance or clinical audit activities.
• To undertake accreditation activities.
• To enable our hospitals, other facilities and our service providers to comply with their legal and regulatory obligations.

My Health Record

• The Australian Government’s My Health Record system provides an online summary of a person’s health information.  We may access and use your My Health Record information, in accordance with the access controls that you have set for the system, so that we can provide you with health services. You may opt out of the My Health Record system. If you have not opted out of the My Health Record system, and you do not want us to access your My Health Record, you must modify the access controls you have set.

Other purposes

• To communicate with you about our services, events, offers and options available from our hospitals and other facilities.
• To ensure the health and safety of our staff and people who use our services or attend our facilities.
• To verify your identity.
• For research, including clinical trials, where you have consented or this is otherwise permitted by the privacy laws.

Other People

How we use your personal information will depend on why you are dealing or engaging with Healthscope and in what capacity. We may use your personal information to:

• contact you to respond to your enquiries;
• communicate with you about our services, events, offers and options available from our hospitals and other facilities;
• manage our relationship with you and/or transact with you (for example, if you are a service provider);
• verify your identity;
• ensure the health and safety of our staff and people who use our services or attend our facilities;
• respond to feedback;
• enable our facilities and our service providers to comply with their legal and regulatory obligations; or
• undertake research, where you have consented or this is otherwise permitted by the privacy laws.

 ​​​​​

We will generally only disclose your personal information to other persons for the main purposes for which you have provided it to us.  For example, if you are a patient, we will generally only disclose your personal information to other health professionals and health service providers for the continuation of your healthcare.  If you are a person other than a patient (such as a service provider), we may disclose your personal information to manage our relationship with you.

We will otherwise only disclose your personal information to other persons:

• for other purposes for which you have provided consent;
• for purposes which are directly related to these main purposes for which the information was collected, in circumstances where you would reasonably expect us to disclose your information for these purposes; and
• where we are otherwise required or authorised by law to do so, for example:
• where disclosure is necessary to comply with our legal obligations, such as mandatory notification of communicable diseases or other mandatory reporting to relevant authorities under applicable laws; or
• where it is unreasonable or impracticable to obtain your consent and we reasonably believe disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.

Following these requirements, the types of persons we may disclose your personal information to are listed below.

Patients

If you are a patient, we may disclose your personal information to:

• Other health professionals, health service providers, hospitals, treatment centres, diagnostic centres, pharmacies, and other organisations who are involved in your care, treatment or diagnosis, but only to the extent this is necessary for them to provide you with your care, treatment or diagnosis. If you tell us you do not wish for your personal information to be disclosed to a particular health professional or organisation, we will not do so without your consent.
• A responsible person (e.g. parent, guardian, spouse) if you do not have capacity or cannot communicate. Sometimes we need to tell a responsible person about your health so they can consent to treatment on your behalf.
• Your close family. Unless you have told us not to, we may give your close family some general information about your health. For example, about your recovery after surgery or treatment.
• Insurers including your private health insurers or our insurer. Some insurers may be located interstate or overseas.
• Government and regulatory bodies such as Medicare, the Office of the Australian Information Commissioner (for example, if you make a privacy complaint) or State or Territory statutory health complaints bodies, as necessary.
• Our legal representatives, for example, in connection with any legal claim or complaint which relates to you.
• Researchers, academic institutions and government agencies, for research purposes, including clinical trials, but only with your consent or where otherwise permitted by the privacy laws.
• The Australian Government’s My Health Record system.  Unless you have opted out of the My Health Record system, we may upload your personal information to this system.
• Providers or facilities we have engaged to provide services. For example, pathology services or a company that makes and supplies medical devices. Some of these providers and facilities are located interstate or overseas.

Other people

Depending on how you are dealing with us, we may need to disclose your personal information to third parties.  For example, if you are a service provider, we may disclose your personal information to manage our relationship with you, and this may include disclosure of your personal information to third parties such as:

• our insurers and legal representatives;
• companies within the Healthscope Group of companies; or
• other third parties relevant to the service relationship.

For patients and other people whose personal information we hold, we will not otherwise disclose your personal information to any other third parties unless you have consented, or we are otherwise permitted or required to do so by law. 

We comply with the requirements of the Privacy Act and relevant State and Territory based health records laws when disclosing personal information interstate or overseas.

It may be necessary to disclose your personal information to persons or organisations interstate or overseas to provide you with ongoing care and treatment (for example, where a referral is made to a health professional located interstate).

In some circumstances we will disclose personal information to overseas organisations that are related to Healthscope, for example, for business administration purposes and data processing.

We will only disclose your personal information interstate or overseas if:

• you have provided your prior consent, and the receiving person or organisation is subject to a law, binding scheme or binding contract that provides substantially similar protection to the APPs which you can access and enforce; or
• if the disclosure is otherwise required or authorised by law.

We will take reasonable steps to ensure that interstate and overseas recipients of personal information do not breach the APPs. For example, these steps may include ensuring the receiving person or organisation is subject to a law, binding scheme or binding contract that provides substantially similar protection to the APPs which you can access and enforce, and requiring that the recipient has appropriate information security protections in place.

Healthscope staff will assess whether a patient has the capacity to make their own privacy decisions. This is assessed on a case-by-case basis, considering matters such as the person’s age and circumstances.

Where a child or adult patient does not have capacity to make privacy decisions for themselves:

• privacy issues concerning that patient will be referred to the parent, guardian or other responsible person authorised by law to make a decision for that patient; and
• we will treat consent given by that authorised person as consent given on behalf of the patient who lacks capacity.

We store personal information in both paper and electronic form. The security of personal information is important to us. We take reasonable steps to protect this information from misuse, interference and loss, and from unauthorised access, modification or disclosure. Some of the ways we do this include:

• requiring our staff to maintain confidentiality;
• implementing document storage security;
• imposing security measures for access to our computer systems;
• providing a discreet environment for confidential discussions;
• using secure third-party storage providers for physical records; and
• requiring that people meet our identification requirements before they can access their personal and health information.

We keep your personal information for the time periods required by law. After this time, we securely de-identify or dispose of the information.

We take all reasonable steps to ensure that the personal information we handle is accurate, complete, up-to-date, relevant and not misleading. These steps include undertaking audit processes for the health information we hold.

You have a right to request the correction of personal information we hold about you. You can request correction at any time by contacting us using our contact details provided here. We will take reasonable steps to correct the personal information we hold if we are satisfied it is inaccurate, incomplete, out of date, irrelevant or misleading.

The accuracy of information we hold also depends on the quality of the information provided to us. To help us ensure the accuracy of your personal information, we ask that you please:

• let us know if there are any errors in your personal information; and
• update us with changes to your personal information (e.g. name and address).

You can do this by contacting us by mail or email using our contact details provided here.

Sometimes we may refuse a request for correction. If this happens, we will let you know in writing of our reasons for the refusal. We will also explain how you can complain if you are not satisfied with our reasons. ​​​​

You have a right to request access to the personal information that we hold about you. You can do this by contacting us using our contact details provided here.

If you request access to your personal information, we will need to confirm your identity. We may ask you to complete a request for access form. We will generally respond to your request within 30 days.

If we grant access to your personal information, we will try to provide it in the form you request. If that is not possible, we will provide a different way to access the information or discuss how access can be given through alternative means.

We may charge a fee for collating and providing access to personal information in accordance with applicable laws.

If you have provided us with authority, we can give your authorised representative or lawyer access to your personal information.

In certain circumstances, we may refuse to allow you access to your personal information where this is authorised by the law. For example, where providing access would have an unreasonable impact on the privacy of other individuals, providing access would pose a serious threat to the life or health of any person or to public health or safety, or giving access would be unlawful. If we refuse your request for access, we will let you know in writing of our reasons for the refusal. We will also explain how you can complain if you are not satisfied with our reasons. 

If we seek to engage with you in any marketing communications, for example, to communicate with you about any events, offers and options available from our hospitals and other facilities, we will only send you such communications in accordance with any previous consent you have provided and any marketing communication preferences that you have notified to us. 

All direct marketing communications will include the option for you to opt out of receiving direct marketing communication. You can opt out at any time.

You can generally interact with us via our website anonymously. Our servers will collect the following details:

• the date and time you visited our website;
• our pages and/or documents that you visited;
• your computer address;
• your top-level domain name (e.g. .au or .com etc.); and
• the browser you are using.

Personal information will not be collected through our website without your consent. If you provide your personal information through our website, for example through filling out an online form or applying for a job, this Policy will apply to the handling of your personal information.

Cookies

We use cookies. Cookies are small data files which are stored on your device’s browser. They allow us to interact more effectively with your device. Cookies will not identify you, but they do identify your ISP (internet service provider) and browser type. We do not collect personal information through cookies.

You can choose whether to allow cookies through your browser settings. However, some functions on our website may not work if you disable cookies.

External websites

If we provide links to other organisations’ websites, we are not responsible for the content, privacy policy and practices of the other organisation.

We must comply with the ‘notifiable data breach’ scheme (the NDB scheme) under the Privacy Act.  The NDB scheme applies when an ‘eligible data breach’ of personal information occurs.

An ‘eligible data breach’ occurs when:

• there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an organisation holds; and
• this is likely to result in serious harm to one or more persons; and
• the organisation has not been able to prevent the likely risk of serious harm with remedial action.

We may take remedial steps to reduce the likelihood of serious harm occurring after a data breach has occurred. If we take these steps, the data breach is not an ‘eligible data breach’.

If we have reasonable grounds to believe that we have experienced an eligible data breach (and remedial action cannot be used), we will promptly notify affected people and the Office of the Australian Information Commissioner about the breach.

If you have any questions about privacy, this Policy or the way we manage your personal information, or if you believe that we have breached your privacy rights and wish to make a complaint or raise a concern, please contact us using the contact details provided here.

If you wish to correct or seek access to your personal information, or if you have a privacy related question or complaint you would like to raise, please first contact the Director of Nursing of the relevant hospital, or the Health Information Manager of the relevant hospital, either by phone or in writing.

Contact details can be obtained from the hospital’s website or via the main Healthscope website: see www.healthscope.com.au

You can also contact Healthscope in writing at:

Chief Privacy Officer
Healthscope Limited
Level 1, 312 St Kilda Road, Melbourne VIC 3004
Email: Privacy.Officer@healthscope.com.au

If you are not satisfied with our response, or if you do not wish to contact us directly, you can contact the Office of the Australian Information Commissioner via:

• Website: www.oaic.gov.au
• Telephone: 1300 363 992
• In writing: Office of the Australian Information Commissioner GPO Box 5218, Sydney NSW

Please contact the Director of Nursing of the relevant hospital, or the Health Information Manager of the relevant hospital, if you would like to request a copy of this privacy policy in a different form.

Healthscope may review, change and update this Policy to reflect our current practices and obligations and changes in technology. We will publish the current version of this Policy on our website at www.healthscope.com.au. The changes will take effect at the time of publishing. You should review this Policy regularly and remain familiar with its terms.

A copy of this Policy is also available by contacting us using the contact details above or visiting the Reception of any Healthscope hospital, or Healthscope Head Office.

Last updated: January 2021