The purpose of this policy is to set out how CANCER RESEARCH SA (CRSA) collects and manages your personal information (including but not limited to patient health information).
CRSA is committed to ensuring the privacy and confidentiality of personal information it collects. CRSA must comply with the Privacy Act 1988 (Cth) as applicable and with other applicable privacy laws that govern organisations like CRSA.
Personal information we may collect about you
If you are a patient, the personal information we collect about you may include: your full name (first and last), address, date of birth, employment details, email and contact details (both home and work), DVA number and other government identifiers (although we will not use these for the purposes of identifying you in our practice), your medical history, test results, family medical history, ethnic background, Medicare, health fund and insurance details, billing/account details, current lifestyle, next of kin, emergency contact and other information that may be relevant to your diagnoses, treatment or healthcare.
We may also collect information about your interactions with us, including your responses to patient surveys relating to service improvement. We may take photographs or audio-visual recordings of you in a clinical context in connection with your treatment or healthcare.
We will only collect information about your health, or other sensitive information about you (including taking photographs or audio-visual recordings of you), if we have your consent to do so or if it is otherwise permitted by law.
Referring clinicians and other healthcare professionals
If you are a referring clinician or other healthcare professional who is involved in treating our patients, the personal information we collect about you may include your name, contact details, professional details (including qualifications) and information regarding your interactions or work with us.
We may also collect personal information about other members of the public, including visitors, families and medical professionals. The types of personal information we may collect about these individuals include their name, contact details, identification information, and any relationship they may have to a patient.
How we collect your personal information
Where practicable, we will collect your personal information directly from you (for example, via a face-to-face discussion, telephone conversation, registration form or online form), but we may sometimes also collect information from third parties, including family members, a person responsible for you, referring clinicians and other healthcare professionals, and service provider organisations.
We will only collect health information from a third party if you have consented or where we are otherwise permitted by law to do so, such as in a medical emergency. Such third parties may include other members of your treating team, diagnostic centres, specialists, hospitals, Medicare, your health insurer and the Pharmaceutical Benefits Scheme.
We may also operate video surveillance systems at our facilities for the purposes of maintaining the safety of our staff, patients and other persons visiting our premises. This may (though not always) involve the collection of some personal information.
Why we collect and how we use your personal information
We collect and use personal information for the following purposes:
- Providing our healthcare services;
- to communicate with you in relation to the health service being provided to you;
- to comply with our legal obligations, including, but not limited to, mandatory notification of communicable diseases or mandatory reporting under applicable child protection legislation;
- for consultations with other doctors and allied health professionals involved in your healthcare;
- to obtain, analyse and discuss test results from diagnostic and pathology laboratories;
- Performing activities that are reasonably incidental to our ordinary course operations, such as:
  - to help us manage our accounts and administrative services, including billing, arrangements with health funds, pursuing unpaid accounts and management of our IT systems;
  - education, training, quality assurance and other analytical activities to evaluate and improve our patient management processes, patient outcomes, and broader healthcare and healthcare delivery;
  - for identification and insurance claiming;
- To liaise with your health fund, government and regulatory bodies such as Medicare, the Department of Veterans' Affairs and the Office of the Australian Information Commissioner (OAIC) (if you make a privacy complaint to the OAIC);
- Dealing with enquiries, complaints and legal proceedings;
- Complying with our legal obligations, including in relation to statutory and public health reporting requirements, such as mandatory reporting of child abuse or the notification of diagnosis of certain communicable diseases;
- Sending marketing and other communications to referring clinicians and other healthcare professionals, such as clinical updates, information about our services, events, and other news relevant to them or their practice; and
- Other purposes with your consent.
Research and product development
In addition to the above, we may also use your information in de-identified form for the purposes of research and product development activities. For example, this may include the development of new diagnostic tools and products, treatment methods and pathways. As we only use de-identified information for these purposes, you will not be identified as part of any of these activities.
Occasionally we may receive requests from external researchers who wish to conduct research using information in identifiable form. Any such researchers must follow strict ethical guidelines, including by asking for your consent to be part of their research. We will not share any identifiable information for research purposes without your consent.
When we share your information
We may need to disclose your information for one or more of the purposes described above. For example, depending on the circumstances, we may need to disclose your information to:
- Referring clinicians and other healthcare professionals, such as pathologists, radiologists, allied health professionals, pharmacists, in relation to the provision of healthcare services to you;
- Government agencies, where we provide health services to you under a contract with that agency and are required to provide the information under the relevant contract;
- Private hospitals and other private healthcare providers, where we provide health services to you under a contract with that provider and are required to provide the information under the relevant contract;
- Your close relatives, close friends, and personal representatives who are legally responsible for your healthcare decisions (though we will not do this if you tell us not to);
- Your lawyers and insurance companies that have been authorised by you to obtain personal information from us;
- Government authorities where we are required to do so by law or in response to an order issued by a court or tribunal, such as where we are required to produce records in relation to court proceedings;
- Medical defence organisations, insurers, medical experts or lawyers who work for us and help us to deal with enquiries, complaints and legal proceedings;
- External service providers and advisors who help us run our business, including software vendors and service providers who help run our IT systems; and
- Other CRSA group entities.
In some cases, the people we disclose your information to may be based overseas, including in the European Union, the United Kingdom and the United States of America.
My Health Records
If you have chosen to participate in the My Health Record program operated by the Commonwealth Department of Health, we may access personal information stored in your My Health Record if the access permissions you have set allow this. When requested to do so, we may disclose your personal information by uploading your health information electronically to the My Health Record system.
If you do not want us to access personal information stored in your My Health Record, or to upload health information to it, you may opt out or choose to modify access controls within the My Health Record system.
How we hold and protect personal information
We hold personal information electronically and in hard copy form, both at our own premises and with the assistance of service providers who provide data storage, hosting and cloud computing services. In all cases we implement a range of measures to protect the security of that personal information.
Please note that any information that you send to us by electronic means may not be secure in transit unless it is encrypted. We are not responsible for the security of your information before it comes into our possession.
Our staff are trained and required to respect and protect your privacy. We take reasonable steps to protect information held from misuse and loss and from unauthorised access, modification or disclosure.
How you can access or seek correction of your personal information
You may request access to any personal information we hold about you by contacting our Privacy Officer using the contact details set out below.
Please also let us know if your personal details change (for example, your name or contact details), or if you notice errors or discrepancies in information we hold about you. You may do this at your next appointment with us or by contacting our Privacy Officer using the contact details set out below.
We may ask you to verify your identity when you make an access or correction request. There may also be circumstances in which we will not be able to comply with your request. In these cases, we will provide reasons for why we can’t comply and will explain what other options may be available to you.
Anonymity and pseudonyms
The Privacy Act provides that individuals must have the option of not identifying themselves, or of using a pseudonym, when dealing with our practice, except in certain circumstances, such as where it is impracticable for us to deal with you if you have not identified yourself.
Please note: If you choose not to identify yourself, or to use a pseudonym, when dealing with our practice, the provision of medical services is likely to be impacted, and billing via Medicare or a health insurer where applicable is likely to be impracticable.
If you visit any of our websites, we may record various technical information such as your IP address, browser type, domain names, access times and referring website addresses. We use this information to run our websites and for analytical purposes.
Our websites may include links to other websites that are run by third parties. We are not responsible for how those third parties may collect, use and share your information. Please carefully review any privacy statements published on the third party websites you visit.
You have the ability to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser settings to decline cookies if you prefer. If you choose to decline cookies, you may not be able to fully experience the interactive features of our websites.
What you should do if you have any privacy issues and complaints
We may need to verify your identity and ask for further information, in order to investigate and respond to your concern or complaint. We will aim to respond to you within a reasonable time, and generally within 30 business days.
If we are unable to satisfactorily resolve your concern or complaint, you may wish to contact the Office of the Australian Information Commissioner (OAIC).
Our contact details
Phone: 08 7070 2513
Details correct as of 29 April 2021