1.1 From time to time Gippsland Orthodontics (Practice) is required to collect, hold, use and/or disclose information (Personal, Health or Financial Information) (Information) relating to individuals (including, but not limited to, its patients, contractors, suppliers and employees) in the performance of its business activities.
1.2 This Privacy Policy (Policy) outlines the types of Information that the Practice usually collects, the purposes for which the Practice collects it, to whom the Practice discloses it, how the Practice holds and keeps it secure and your rights in relation to your Information, including how to complain and how the Practice deals with complaints, as required under the Privacy Act 1988 (Cth) (Act) and the Australian Privacy Principles (APP).
1.3 The APPs regulate the handling of personal information.
1.4 This Policy should be read together with the Practice's website terms and conditions.
1.5 By visiting the Practice's website or providing the Practice with your Information (either directly or allowing another person to do so on your behalf), you acknowledge and agree that the Information the Practice collects about you will be collected and handled in accordance with this Policy. If you do not agree with any part of this Policy, you must not provide your Information to the Practice.
2. Important Terminology
2.1 Personal information means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion or as otherwise defined by applicable privacy law and also includes Financial Information as outlined at section 4.2.3.
2.2 Health information means personal information about your health, such as your medical history or medical conditions or disabilities, as more particularly described as a category of "sensitive information" as outlined at section 4.2.2.
3. Important Privacy Laws
3.1 The Practice will always comply with Applicable Privacy Laws and Applicable Anti-Spam Laws which means the Act, the Australian Privacy Principles and the Spam Act 2003 (Cth).
4. Kinds of Information that the Practice Collects and Holds
4.1 The Practice collects personal information that is reasonably necessary for one or more of its functions or activities.
4.2 The type of information that the Practice collects and holds may depend on your relationship with the Practice. For example:
4.2.1 Patient: if you are a patient of the Practice, the Practice may collect and hold information including your name, address, Medicare, health fund and health insurance cover details, email address, contact telephone number, gender and age.
4.2.2 Sensitive information: the Practice will only collect sensitive information where you consent to the collection of the information and the information is reasonably necessary for one or more of the Practice's functions or activities. Sensitive information includes, but is not limited to, information or an opinion about racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs, membership of a trade union, sexual preferences, criminal record, health information or genetic information.
4.2.3 Financial information: the Practice may collect your credit card details or other financial information where you provide them directly at the Practice for the purposes of arranging direct debit or payment plans you have requested. The Practice will only use your financial information for the purpose for which it was collected and in accordance with this Policy. The Practice may also collect financial information from you through its sales facilities, to be used by the Practice solely to facilitate payment for the services you have requested. Financial or credit card information the Practice collects from you is strictly confidential and held on secure servers in controlled facilities.
5. How the Practice Collects and Holds Personal Information
5.1 The Practice must collect personal information only by lawful and fair means. The Practice will collect personal information directly from you if it is reasonable or practicable to do so.
5.2 The Practice may collect personal information in a number of ways, including without limitation:
5.2.1 via application forms;
5.2.2 by email or other written mechanisms;
5.2.3 over a telephone call;
5.2.4 in person;
5.2.5 through transactions;
5.2.6 through the Practice's website;
5.2.7 through surveillance cameras;
5.2.8 by technology that is used to support communications between the Practice;
5.2.8.1 through publicly available information sources (which may include telephone directories, the internet and social media sites);
5.2.8.2 direct marketing database providers.
5.3 The Practice may collect personal and health information from third parties such as:
5.3.1 your health service provider;
5.3.2 a health professional who has treated you;
5.3.3 your family or legal guardian;
5.3.4 other sources where necessary to provide a health service.
5.3.4.1 When the Practice collects personal information about you through publicly available information sources, it will manage such information in accordance with the APPs.
5.3.4.2 At or before the time or, if it is not reasonably practicable, as soon as practicable after, the Practice collects personal information, the Practice must take such steps as are reasonable in the circumstances to either notify you or otherwise ensure that you are made aware of the following:
5.3.5 the identity and contact details of the Practice;
5.3.6 that the Practice has collected personal information from someone other than you if you are unaware that such information has been collected;
5.3.7 that collection of personal information is required by Australian law, if it is;
5.3.8 the purpose for which the Practice collects the personal information;
5.3.9 the consequences if the Practice does not collect some or all of the personal information;
5.3.10 any other third party to which the Practice may disclose the personal information;
5.3.11 the Practice's Policy contains information about how you may access and seek correction of personal information held by the Practice and how you may complain about a breach of the APPs; and
5.3.12 whether the Practice is likely to disclose personal information to overseas recipients, and the countries in which those recipients are likely to be located.
5.3.13 Unsolicited personal information is personal information that the Practice receives which it did not solicit. Unless the Practice determines that it could have collected the personal information in line with the APPs or the information is contained within a Commonwealth record, it must destroy the information or ensure it is de-identified.
6. Purposes for which the Practice Collects, Holds, Uses and/or Discloses Personal Information
6.1 The Practice will collect personal information if it is reasonably necessary for one or more of its functions or activities.
6.2 The main purposes for which the Practice may collect, hold, use and/or disclose personal information may include but are not limited to:
6.2.1 recruitment functions;
6.2.2 patient service management;
6.2.3 training and events;
6.2.4 surveys and general research; and
6.2.5 business relationship management.
6.3 The Practice may also collect, hold, use and/or disclose personal information if you consent or if required or authorised under law.
7. Marketing and your consent/opting out
7.1 The Practice may use or disclose personal information (other than sensitive information) about you for the purpose of direct marketing (for example, advising you of new goods and/or services being offered by the Practice).
7.2 The Practice may use or disclose sensitive information about you for the purpose of direct marketing if you have consented to the use or disclosure of the information for that purpose.
7.3 You can opt out of receiving direct marketing communications from the Practice by contacting the Privacy Officer in writing or if permissible accessing the Practice's website and unsubscribing appropriately.
8. Cookies
8.1 Most commercial websites use cookies. Cookies are data that a website transfers to your browser and are stored on your hard drive, and are used to track your ongoing access to and use of the website. The Practice may use cookies to allow it to track usage patterns and help it improve and tailor its service to you. Cookies are used to 'remember' when your computer or device accesses the Practice's website. Cookies are essential for the effective operation of the Practice's website and to help you interact with the Practice online. They are also used to tailor the products and services offered and advertised to you, both on the Practice's website and elsewhere. Cookies will not identify you personally. If you would prefer not to receive cookies, you can alter your security settings on your web browser to disable cookies or to warn you when cookies are being used. However, this may mean you may not be able to take advantage of all features of the Practice's website.
8.2 The Practice may also use your personal information and information collected about you using third parties such as Google Analytics to provide you with a better or more personalised and relevant experience when using the Practice's website. The Practice may do this by combining behavioural data it collects by the use of cookies and combining it with the personal information it has collected from you.
9. Disclosure of Personal Information
9.1 The Practice may disclose your personal information for any of the purposes for which it was collected, as indicated under Clauses 6-8 of this Policy, or where it is under a legal duty to do so.
9.2 Disclosure will usually be internally and to related entities or to third parties such as contracted service suppliers.
9.3 Before the Practice discloses personal information about you to a third party, the Practice will take steps as are reasonable in the circumstances to ensure that the third party does not breach the APPs in relation to the information.
10. Access to Personal Information
10.1 If the Practice holds personal information about you, you may request access to that information by putting the request in writing and sending it to the Practice Manager. The Practice will respond to any request within a reasonable period, and a charge may apply for giving access to the personal information.
10.2 There are certain circumstances in which the Practice may refuse to grant you access to the personal information. In such situations the Practice will give you written notice that sets out:
10.2.1 the reasons for the refusal; and
10.2.2 the mechanisms available to you to make a complaint.
11. Correction of Personal Information
11.1 If the Practice holds personal information that is inaccurate, out-of-date, incomplete, irrelevant or misleading, it must take steps as are reasonable to correct the information.
11.2 If the Practice holds personal information and you make a request in writing addressed to the Privacy Officer to correct the information, the Practice must take steps as are reasonable to correct the information and the Practice will respond to any request within a reasonable period.
11.3 There are certain circumstances in which the Practice may refuse to correct the personal information. In such situations the Practice will give you written notice that sets out:
11.3.1 the reasons for the refusal; and
11.3.2 the mechanisms available to you to make a complaint.
11.4 If the Practice corrects personal information that it has previously supplied to a third party and you request the Practice to notify the third party of the correction, the Practice will take such steps as are reasonable to give that notification unless impracticable or unlawful to do so.
12. Integrity and Security of Personal Information
12.1 The Practice will take such steps (if any) as are reasonable in the circumstances to ensure that the personal information that it:
12.1.1 collects is accurate, up-to-date and complete; and
12.1.2 uses or discloses is, having regard to the purpose of the use or disclosure, accurate, up-to-date and complete.
12.2 The Practice will take steps as are reasonable in the circumstances to protect the personal information from misuse, interference, loss and from unauthorised access, modification or disclosure.
12.3 If the Practice holds personal information that it no longer needs for any purpose for which the information may be used or disclosed, the information is not contained in any Commonwealth record and the Practice is not required by law to retain the information, it will take such steps as are reasonable in the circumstances to destroy the information or to ensure it is de-identified.
13. Storing Personal Information and Health Information
13.1 The Practice will take all reasonable and appropriate steps (including organisational and technological measures) to protect your personal information and health information from misuse, interference and loss, as well as unauthorised access, modification or disclosure. Some of the ways this is done include:
13.1.1 requiring Practice staff to maintain confidentiality;
13.1.2 implementing document storage security;
13.1.3 imposing security measures for access to Practice computer systems;
13.1.4 providing a secure environment and access control for confidential information; and
13.1.5 only allowing access to personal and health information where the individual seeking access has satisfied Practice identification requirements.
13.2 Where the Practice stores your personal information and health information depends on what interaction you have had with the Practice. These include:
13.2.1 electronic databases, including those for processing customer enquiries or feedback;
13.2.2 email databases for marketing communications; and
13.2.3 paper based forms.
13.3 However, the internet is not in itself a secure environment and the Practice cannot give an absolute assurance that your personal information will be secure at all times. Transmission of personal information over the internet is at your own risk and you should only enter, or instruct the entering of, personal information within a secure environment.
14. Anonymity and Pseudonymity
14.1 You have the option of not identifying yourself, or using a pseudonym, when dealing with the Practice in relation to a particular matter. This does not apply:
14.1.1 where the Practice is required or authorised by or under an Australian law, or a court/tribunal order, to deal with individuals who have identified themselves; or
14.1.2 where it is impracticable for the Practice to deal with individuals who have not identified themselves or who have used a pseudonym.
14.2 However, in some cases if you do not provide the Practice with your personal information when requested, the Practice may not be able to respond to your request or provide you with the goods or services that you are requesting.
15. Complaints
15.1 You have a right to complain about the Practice's handling of your personal information if you believe the Practice has breached the APPs.
15.2 If you wish to make such a complaint to the Practice, you should first contact the Privacy Officer in writing. Your complaint will be dealt with in accordance with the Practice's complaints procedure and the Practice will provide a response within a reasonable period.
15.3 If you are unhappy with the Practice's response to your complaint, you may refer your complaint to the Office of the Australian Information Commissioner (OAIC).
16. Privacy Officer Contact Details
16.1 If you have a question or comment regarding this Policy or wish to make a complaint or exercise your privacy rights, please contact our Privacy Officer on the following details:
16.1.3 Postal address: 132A Albert Road, Warragul, VIC 3820
16.2 If you are not satisfied with our response, you may complain to OAIC via the OAIC website: www.oaic.gov.au.
17. Breach of this Policy
17.1 The Act requires the Practice to notify affected individuals and the OAIC about 'eligible data breaches'. An eligible data breach occurs when the following criteria are met:
17.1.1 there is unauthorised access to or disclosure of personal information the Practice holds (or information is lost in circumstances where unauthorised access or disclosure is likely to occur) (data breach);
17.1.2 the data breach is likely to result in serious harm to any of the individuals to whom the information relates; and
17.1.3 the Practice is unable to prevent the likely risk of serious harm with remedial action.
17.2 If it is not clear whether a suspected data breach meets these criteria, the Practice will investigate and assess the breach to determine whether the breach is an 'eligible data breach' that requires the Practice to notify the affected individuals. This is to ensure that you are notified if your personal information is involved in a data breach that is likely to result in serious harm. Even if the criteria are not met, the Practice may decide it appropriate to notify you anyway as part of our commitment to taking privacy seriously.
18. Variations
18.1 The Practice may vary, replace or terminate this Policy from time to time.