PRIVACY POLICY
8th September 2023
Introduction
Sydney Medical Service Co-operative Limited (SMS) understands the importance of protecting the privacy of your personal information and is committed to protecting the privacy of individuals who have dealings with SMS.
This privacy policy sets out, in an open and transparent way, how SMS collects, holds and uses or shares your personal information, how it aims to protect the privacy of your personal information and your rights in relation to your personal information managed by SMS.
SMS is bound by and will comply with the Privacy Act 1988 (Cth) (the Act), the Australian Privacy Principles (the APP) and any relevant state legislation in relation to the handling of your personal information including patient health records (to the extent that your personal information is subject to the Act, the APP or other legislation).
What is personal information?
Personal information is information or an opinion (regardless of its accuracy or form) about an identified individual, or an individual who is reasonably identifiable from the information. Personal information also includes:
- Sensitive information includes information such as an individual’s race or ethnic origin, political opinions, religion, sexual preferences or practices, criminal record or health information about an individual; and
- Health information includes information or an opinion about an individual’s health or disability at any time, expressed wishes regarding future health services, health services provided or to be provided, information collected while providing a health service or collected in connection with the donation or intended donation of body parts and substances. Health information collected and held by SMS including, but not limited to, a record of your medical history, treatment notes, observations, correspondence, investigations, test results, photographs, prescription records, medication charts constitute a patient health record for legislative purposes.
For the purposes of this policy, references to personal information shall include references to sensitive information and health information.
What personal information does SMS collect?
The personal information collected and stored by SMS about you (and others) may include:
- your name
- your contact details including residential or business address, telephone numbers, email addresses or fax numbers
- your age or date of birth
- your gender
- health information including but not limited to current and historical health information, the identity of treating medical practitioners, medical reports or treatment notes prepared by an individual (including a medical practitioner who has attended upon you in connection with SMS’s business), medication details or treatments or any other medical information which constitutes ‘health information’ for the purposes of the Act
- Medicare number, Veterans’ Affairs number, Health Care card number, health fund details or pension number
- billing information including bank account details
- sensitive information which SMS believes is necessary to ensure the proper medical treatment of an individual or as required for the proper operation of SMS’s business and to discharge any legal obligations
SMS may request additional information from you which it determines may be necessary to provide the best healthcare to you.
If SMS cannot collect personal information about an individual, it may not be possible for SMS to provide any services to the individual (eg. medical treatment) or the service provided may not be complete.
Dealing with us anonymously
You have the right to deal with us anonymously or under a pseudonym unless it is impractical for us to do so or unless we are authorised by law to only deal with identified individuals.
Why does SMS collect, use, hold and share your personal information?
SMS collects personal information which is necessary for its functions and activities and in particular, for the management and provision of healthcare services and medical treatment to you. This is the primary purpose for which your personal information is collected.
SMS collects, holds, uses and discloses your personal information for the following reasons and purposes:
- to manage and provide medical treatment to you
- for the purpose of reporting to your normal treating general practitioner or any other health professional or facility as required for your ongoing treatment
- for billing purposes
- to respond to any matters raised by you (such as a complaint regarding services received)
- for administrative purposes which are necessary for the proper conduct of SMS’s business including ensuring that SMS’s records are up to date, to maintain accreditation, practice audits, and for staff training to improve the service delivered to you
- to comply with any laws, rules and regulations
- to report health survey evidence and statistics to associated medical bodies
- to conduct internal reviews of staff policies and management processes
- to ensure propriety with practice emergency response procedures
Your personal information will not be shared, sold or disclosed by SMS other than as described in this policy or as permitted under the Act.
How does SMS collect your personal information?
In most cases, SMS will collect personal information directly from you. SMS may collect personal information directly from you:
- when you provide the information directly to a representative of SMS (eg. to SMS’s telephone operators when you make an initial or subsequent booking, or by the completion of forms)
- in the course of a medical attendance by a medical practitioner
- from information supplied by email, text message or using SMS’s website or other social media applications
In some circumstances, it may be necessary to collect personal information from a third party. SMS will only collect personal information from a third party:
- where you have consented
- from your guardian, parent or responsible person where you do not have legal or mental capacity
- where it is not reasonable or practicable to collect information from you (for example, where you are not able to provide the information which is necessary for the provision of medical treatment)
- where the information is necessary for your proper medical treatment, including information obtained from other involved healthcare providers (including your regular general practitioner, specialists, allied health professionals, hospitals, community health services and pathology and diagnostic imaging services), or My Health Record (for example via PRODA, Shared Health Summary, Event Summary)
- your health fund, Medicare, or the Department of Veterans’ Affairs (as necessary)
When, why and with whom does SMS share your personal information?
SMS may share your personal information (including health information as applicable):
- with other healthcare providers as required for the provision of healthcare services to you including:
- SMS’s contracted medical practitioners who provide healthcare services
- your treating doctor or regular general practitioner
- health professionals who may be involved in the provision of healthcare services to you such as ambulance services and emergency department doctors
- when it is necessary to lessen or prevent a serious threat to a person’s life, health or safety or public health or safety, or it is impractical to obtain your consent
- in the case of a minor, with a parent with parental responsibility
- with other authorised representatives such as legal guardians or persons holding a relevant power of attorney
- when it is required or authorised by law (for example, responding to court subpoenas)
- when there is a statutory requirement to share certain personal information (eg some diseases require mandatory notification);
- for the purpose of a confidential dispute resolution process
- during the course of providing medical services, through eTP, My Health Record (for example via PRODA, Shared Health Summary, Event Summary)
- with persons whom you request or consent to receiving the information
- with third parties who work with SMS for business purposes, such as accreditation agencies or information technology providers – these third parties are required to comply with APPs and this policy
- your employer or prospective employers, their authorised representatives and insurer in the case of a compulsory work-related consultation or service
- Commonwealth bodies to which patient bulk-billing claims are referred and for record auditing purposes
- associated medical bodies to report health survey evidence and statistics
Your personal information will be primarily used for the purpose for which it was collected, that is, the provision of healthcare services to you. Other than in the course of providing medical services or as otherwise described in this policy, SMS will not share your personal information with any third party without your consent.
SMS will take all steps reasonable to maintain your privacy when sharing your personal information with others. For example:
- patient health records created by SMS’s contract medical practitioners will be transmitted to your treating doctor or regular general practitioner in encrypted form (presently via Health Link or Interfax) unless you consent to SMS transmitting the record by another means
- within SMS, only people who need to access your personal information to perform their role will be able to do so and they will use that information for the purpose for which it was collected. SMS has implemented systems of work and checklists for staff members relating to privacy, whether working from SMS’s premises or otherwise
SMS will not share your personal information with anyone outside Australia (unless under exceptional circumstances that are permitted by law) without your consent.
SMS will not use your personal information for marketing any of our services directly to you without your express consent.
SMS may use your personal information to improve the quality of the healthcare services provided to patients through research and analysis of patient data.
SMS may provide de-identified data to other organisations to improve population health outcomes. The information is secure, patients cannot be identified and the information is stored within Australia. You can let our staff know if you do not want your information shared for this purpose.
What does SMS do with unsolicited information?
In limited circumstances, SMS may receive unsolicited personal information belonging to you. Where information is received without SMS taking active steps to collect it, SMS will, within a reasonable period after receiving the information, decide whether SMS could have lawfully collected the information by other means. If SMS determines it could not have collected the information lawfully, SMS will destroy the information.
How does SMS store and protect your personal information?
SMS is committed to ensuring that your personal information is secured and not subject to unauthorised access. Employees and contracted medical practitioners are inducted in this policy and undertake training on the privacy obligations relating to the collection and use of your personal information.
Your personal information may be stored by SMS in various forms including in electronic (the preferred form) and paper form.
SMS will take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification or disclosure. SMS uses technology and processes such as access control procedures (including passwords), network firewalls, encryption and physical security to protect personal information. Paper documents are stored in secure premises and reasonable steps are taken to ensure that any paper documents, when used, are not in any situation where they can be accessed or seen by unauthorised persons.
Despite the measures of SMS, SMS cannot provide assurances regarding information transmitted to SMS via unencrypted email or via the website because SMS cannot control the security of the transmission online. SMS’s website may contain links to other websites operated by third parties. SMS does not make any representations or warranties about the privacy practices of the operators of those third party websites.
SMS will securely destroy or permanently de-identify personal information which is no longer needed (subject to SMS’s obligations at law).
How can you access and correct your personal information?
SMS acknowledges you have the right to request access to, and correction of, your personal information. You may submit a request for access to your personal information in writing by email to SMS (admin@sydmed.com.au). SMS will ask you to complete a consent form and will require you to verify your identity before providing access to or transferring your personal information (including sensitive health information).
SMS will take reasonable steps to give you a copy of, and/or correct your personal information within 30 days, unless there is a reasonable or lawful reason not to do so. SMS may charge a reasonable fee for processing a request for access to and provision of personal information which will be notified to you before the provision of information.
SMS is concerned to ensure a secure means of access or transfer of your personal information and will only do so in a form expressly approved by you. There is an inherent risk in the transfer of personal information across the internet as information submitted unencrypted via email may be read, intercepted or modified by third parties (despite any reasonable steps taken by SMS to reduce such risk). SMS will record your consent to the method of transfer with your personal information stored by SMS and your acknowledgment of this inherent risk.
SMS may refuse a request for access to personal information if it is permitted by the Act to do so. Reasons for refusing access may include:
- access would pose a serious threat to the life or health of an individual
- where it may have an unreasonable impact on the privacy of others
- where it is frivolous or vexatious
- where refusal is otherwise required or permitted by law.
If SMS refuses a request for access, where reasonable SMS will:
- give you written notice explaining why it has refused access
- confirm how you may make a complaint (as outlined in this policy)
- at your request, make a note on your file detailing the information you believe to be incorrect.
If you believe that your personal information held by SMS is incorrect, you may send a notice in writing by email to SMS (admin@sydmed.com.au) requesting an amendment to the personal information (including the grounds upon which you believe the information is incorrect and should be amended). SMS will require you to provide evidence of your identity in connection with such request. SMS will consider all requests for amendment and will either take reasonable steps to make the correction, where appropriate, or add a note to the information with the details of the request for amendment.
How can you lodge a privacy-related complaint, and how will the complaint be handled by SMS?
SMS takes complaints and concerns regarding privacy seriously. SMS will attempt to resolve any complaint in a fair and reasonable manner. All complaints will be treated confidentially and in accordance with the law.
You should express any privacy concerns you may have in writing to the Chief Executive Officer by email (admin@sydmed.com.au) or by post mailed to Locked Bag 1, PANANIA NSW 2213.
SMS will acknowledge receipt of your complaint and provide information to you regarding the process for handling the complaint. Our intention is that any complaint or concern will be resolved within 30 days of having received the complaint or the concern.
If you have a complaint or concern, or wish to ascertain further information regarding privacy, relevant legislation or your rights, you may also contact:
Website – www.oaic.gov.au
Telephone – 1300 363 992.
Information and Privacy Commission New South Wales
Website – www.ipc.nsw.gov.au
Telephone – 1800 472 679
Privacy and SMS’s website
In addition to personal information which you may provide to us in connection with the provision of healthcare services, SMS may collect additional personal information when you access our website. When you visit SMS’s website, we may utilise web measurement tools and internet service providers to collect information including:
- your server and IP address
- the name of the top level domain (for example, .gov, .com, .edu, .au)
- the type of browser used
- the date and time you accessed the website
- how you interacted with the website
- clickstream data
- the search engines and queries used to access the website
- the previous website you visited
- the operating system
If this information is collected from the website, SMS may store this information in different ways, including:
- our document and records management system
- cloud storage
- browser storage
- cookies
A cookie is a small data file which is stored on your hard drive while navigating a website (but cannot do anything to it). When a user visits our website, the cookie allows us to recognise an individual web user as they browse our website. The cookie identifies your browser or device, but we cannot use it to identify you personally as no personal information is stored within cookies used by our website. No attempt is made to identify individual users or their browsing activities except, in the unlikely event of an investigation, where a law enforcement agency may exercise a warrant to inspect the log file.
SMS may use web analytics services to obtain statistics on how the website is used. A web analytics service uses cookies to collect standard internet log information and visitor behaviour information in an anonymous form. The information generated by the cookie about use of the relevant website is transmitted to the provider of the service. The provider will use this information to compile reports on website usage – such as volume of new and return visitors, which pages are the most popular and sources of website traffic. No personally identifying information about any user is recorded or will be provided. Users can opt out of web analytics services if they disable or refuse the cookie, disable JavaScript or install any opt-out browser add-on.
Although SMS takes steps to protect the personal information it holds against loss, unauthorised access, modification or disclosure in accordance with this policy you should be aware that:
- the internet is an unsecure public network
- there is an inherent risk in transmitting information across the internet – information submitted unencrypted via email may be read, intercepted or modified by third parties before it reaches SMS
- the website or downloadable files may contain computer viruses, disabling codes, worms or other devices or defects
Links to other sites
SMS’s website may contain links to other websites. SMS is not responsible for the content and the privacy practices of those other websites and encourages you to review the relevant privacy policy of each site and make an informed decision regarding use of those websites. SMS does not endorse, and is not accountable for, any views expressed by third parties using any third party site.
Privacy and social media
If SMS interfaces with social media sites such as Facebook, SMS may record information posted to our social media channels and use it:
- to administer the social media channels;
- for record keeping; and
- to consider any comments made.
We do not try to further identify social media subscribers unless requested and authorised by law.
When you use SMS’s social media pages, you are using an external site so are bound by the privacy principles applying to that site. SMS encourages you to review their privacy policies. SMS does not endorse, and is not accountable for, any views expressed by third parties using any third party site.
Policy review statement
This policy is current as at 8th September 2023.
SMS reserves the right to amend this policy. The policy will be reviewed regularly to ensure that it is in accordance with any changes that may occur.
This policy and any updated version of the policy will be published on SMS’s website.