We are committed to protecting the privacy of patient information and to handling your personal information in a responsible manner in accordance with the Privacy Act 1988 (Cth), the Privacy Amendment (Enhancing Privacy Protection) Act 2012, the Australian Privacy Principles (APP) and relevant State and Territory privacy legislation.
Our policy informs you whether we are likely to disclose personal information to overseas recipients, and if so, the countries in which such recipients are likely to be located if it is practicable to specify those countries.
It also explains how you may make a complaint about a breach of privacy legislation.
The use of the terms “Our practice”, “we” and “us” throughout this policy refers to the Western Australian Plastic Surgery Centre, Assure Cosmetic Centre, HANDOC – The Hand Injury Management Experts, and all surgical, clinical and administrative staff employed by these practices.
Your Privacy is our Business
APP 1 — Open and Transparent Management of Personal Information
Our practice has made this and other material available to you to inform you of our policies on management of personal information. On request, our practice will let you know, generally, what sort of personal information we hold, for what purposes, and how we collect, hold, use and disclose that information.
APP 2 — Anonymity and Pseudonymity
You have a right to be dealt with anonymously or by using a pseudonym, provided this is lawful and practicable. However, in the medical context this is not likely to be practicable or possible for Medicare and insurance rebate purposes. It could also be dangerous to your health.
APP 3 — Collection of Solicited Personal Information
It is necessary for us to collect personal information from patients and sometimes from others associated with their health care in order to attend to the patient’s health needs and for associated administrative purposes. ‘Personal information’ is any information recorded about a person where their identity is known or could be reasonably worked out. We will be fair in the way we collect information about our patients. This information is generally collected directly from our patients, but from time to time we may receive patient information from other sources including, but not limited to, other healthcare practitioners and healthcare services. When this occurs we will, wherever possible, make sure you know we have received this information. Personal information also includes clinical imaging (see ‘Policy on Patient Clinical Imaging’) and web log files (see ‘Website Data Collection’). If you are unwilling to provide any of the information we request, please discuss it with us. In certain circumstances this may require you to seek professional services elsewhere and not from us.
Health information is ‘sensitive information’ for the purposes of privacy legislation. This means that, generally, your consent will be sought before we collect the health information necessary to make an accurate medical diagnosis, prescribe appropriate treatment and be proactive in your health care.
APP 4 — Dealing with Unsolicited Personal Information
If our practice receives unsolicited personal information, we will determine within a reasonable period after receiving it whether we could have collected the information under APP 3, as if we had solicited it. For instance, our practice often receives unsolicited personal information in the form of referrals sent directly by referring medical practitioners. We will check that the information is addressed to our practice and/or one of our medical practitioners; if it is, the personal information will be treated as if we had solicited it.
We may use or disclose the personal information for the purposes of making that determination. If we determine that we could not have collected the personal information under APP 3 (for example, because it is addressed to the wrong practice or medical practitioner) and the information is not contained in a Commonwealth record, we will destroy the information or ensure that it is de-identified as soon as it is practicable, lawful and reasonable to do so.
APP 5 — Notification of the Collection of Personal Information
APP 6 — Use and Disclosure
A patient’s personal health information is used (i.e. by our practice) or disclosed (i.e. to others) for purposes directly related to their health care and in ways that are consistent with patients’ expectations (the primary purpose). In the interests of the highest quality and continuity of health care, this may include sharing information with other healthcare providers who comprise a patient’s medical team from time to time. In addition, there are circumstances when information will be disclosed without patient consent such as:
- Emergency situations;
- When required or authorised by or under an Australian law or a court/tribunal order;
- By law, doctors are sometimes required to disclose information for public interest reasons (e.g. mandatory reporting of some communicable diseases);
- It may be necessary to disclose information about a patient to fulfil a medical indemnity insurance obligation and medical defence purposes;
- Provision of information to Medicare or private health funds, if relevant, for billing and medical rebate purposes;
- To credit agencies and debt collection agencies in the event of default on bill payment after fair warning;
- A patient’s involvement in unlawful activity.
In general, a patient’s health information will not be used for any other purpose without their consent.
There are some necessary purposes of collection for which information will be used beyond providing health care (the secondary purpose), such as professional accreditation, quality assessments, clinical audit, billing, patient satisfaction surveys and so forth.
The doctors of our practice use shared patient files and therefore all patient records collected at this practice will be available to any medical practitioner you see at this practice.
APP 7 — Direct Marketing
Direct marketing involves the promotion of goods or services directly to patients, for example advertising via post, email, and SMS.
Where our practice collects personal information directly from an individual, it may use or disclose that information (other than sensitive information) for the purpose of direct marketing if:
- the individual would reasonably expect our practice to use or disclose the information for the purpose of direct marketing; and
- our practice provides a simple way of opting out of direct marketing; and
- the individual has not already requested to opt out of direct marketing from our practice.
Individuals may request that our practice provide its source of their information. If such a request is made, our practice must notify the individual of its source without any charge within a reasonable period of time, unless it is impracticable or unreasonable to do so.
Related Commonwealth laws such as the Spam Act 2003, the Freedom of Information Act 1982 and the Do Not Call Register Act 2006 apply.
If you have provided your mobile number and/or email address to our practice, these may also be used for electronic communication such as SMS/email appointment reminders and newsletters. You may opt out of this method of communication at any time.
We do not disclose personal information to third parties for the purposes of any direct marketing by them (see ‘Use of Third-Party Medical Services or Tools’).
APP 8 — Cross-border Disclosure of Personal Information
An individual’s privacy is protected Australia-wide by privacy laws. We will take steps to protect patient privacy if information is to be sent interstate or outside Australia. Our practice will not disclose personal information to recipients overseas without the individual’s consent. The third-party services we use that are based, or store data, overseas, and the countries in which they are located, are listed under ‘Use of Third-Party Medical Services or Tools’ below.
Our practice primarily stores and retains patients’ personal and health information in electronic form in a cloud environment provided by our IT provider. Our IT provider complies with the Australian Privacy Principles; all information is protected by the physical security of purpose-built Australian-based data centres and by the provider’s IT security systems.
Our IT provider holds your information as a ‘de-identified’ data set and has no right, intention or facility to access, classify or use that data for any purpose other than secure custodianship.
Our IT provider will not provide your information to an external party without your express written permission, other than where lawfully required by Australian Government or law enforcement organisations.
Our practice may also choose to store and retain a patient’s personal/health information in hard copy and/or electronically either on site or with our secure Perth-based document archive storage provider.
APP 9 — Adoption, use or disclosure of Government Related Identifiers
These are the numbers, letters or symbols that are used to identify you with or without the use of a name (e.g. Medicare/DVA numbers). We will limit the use of identifiers assigned to you by Commonwealth Government agencies to those uses necessary to fulfil our obligations to those agencies.
APP 10 — Quality of Personal Information
Our practice will take such steps as are reasonable to ensure that the personal information that it collects, uses and discloses is accurate, up-to-date, complete and relevant.
APP 11 — Security of Personal Information
The storage, use and, where necessary, transfer of personal health information will be undertaken in a secure manner that protects patient privacy. It is necessary for medical practices to keep patient information after a patient’s last attendance for as long as is required by law or is prudent having regard to administrative requirements.
APP 12 — Access to Personal Information
You may request access to your personal health information held by this practice. While you are not required to give reasons for your request, you may be asked to clarify its scope:
- Where such a request is made, strict identification checks are carried out so that information is not mistakenly disclosed.
- There are some circumstances in which access is restricted, and in these cases reasons for denying access will be explained.
- A charge may be payable when the practice incurs costs in providing access.
- The material in which the doctor has copyright might be subject to conditions that prevent further copying or publication without the doctor’s permission.
- This practice acknowledges the right of children to privacy of their health information. Based on the professional judgement of the doctor and consistent with the law, it might at times be necessary to restrict access to personal health information by parents or guardians.
- Upon your request, your health information held by this practice will be made available to another health service provider.
APP 13 — Correction of Personal Information
Our practice will take all reasonable steps to amend or correct any personal information held that is not accurate, complete or up-to-date. If our practice corrects personal information about an individual that we have previously disclosed to another party and the individual requests that we notify the other party of the correction, we will take such steps (if any) as are reasonable in the circumstances to give that notification unless it is impracticable or unlawful to do so.
If you and our practice disagree about whether your information is accurate, complete and up-to-date, you may request that our practice attach a statement to the information noting that, in your view, it is not accurate, complete or up-to-date.
Our practice will provide reasons for denial of access or a refusal to correct personal information.
It is important to us that your expectations about the way in which we handle your information are the same as ours. You should feel free to discuss any concerns, questions or complaints about any issues related to the privacy of your personal information with us. If you believe a privacy breach has occurred, please contact:
The Privacy Officer
Suite 215, St John of God Medical Centre
25 McCourt Street
SUBIACO WA 6008
In dealing with your complaint, we will communicate time frames to you based on the nature and complexity of your concern and will do our utmost to adhere to these.
If you are dissatisfied with our response to your privacy complaint, please contact the Office of the Australian Information Commissioner (OAIC) for further advice by telephone (1300 363 992) or by visiting their website (www.oaic.gov.au).
Use of Third-Party Medical Services or Tools
Our practice may use third-party websites, products and services to enhance our patients’ experience. Our practice may also use or offer products or services from third parties. Information collected by third parties, which may include such things as location data, contact details, or clinical imaging you have provided or consented to our practice using, is governed by their privacy practices. We encourage you to learn about the privacy practices of those third parties.
Some of the third parties we may use include, but are not limited to:
- TouchMD – Interactive Visualisation and Patient Education Platform; Based in the United States; http://alphaeonsuite.com/touch
- Crisalix – Before and after plastic surgery simulation app in 3D; Based in Germany; http://www.crisalix.com/
- Vectra by Canfield – Before and after plastic surgery simulation app in 3D; Based in the United States; https://www.canfieldsci.com/imaging-systems/
- Shortcuts Software – Our practice software provider; Based in Australia with database and records stored securely on Amazon AWS in Oregon, United States; https://www.shortcuts.com.au/
- MailChimp – Email marketing platform used for newsletter purposes; Based in the United States; http://mailchimp.com/
- Formstack – Secure online form service for data collection; Based in the United States; https://www.formstack.com/
- Genie Two-Way SMS – Appointment SMS functionality made available through our practice software provider Genie Solutions; Based in Australia and Europe.
Website Data Collection
Web Log Files
In common with most websites, our website automatically logs certain information about every request sent to it. This information is used for system administration and for producing usage statistics. Summary statistics are extracted from this data and some of these may be made publicly available, but these do not include information from which individuals could be identified. Relevant subsets of this data may be used as part of investigations of computer misuse involving this site. Data may also on occasion be used to enable investigation of technical problems on the website. Otherwise logged information is not passed to any third party except if required by law.
From time to time we will use electronic forms on this site to gather personal information for purposes directly related to a service, function or activity of our practice. When we do so we will let you know the purpose for which the information is being collected (including if the information is to be published). Completion of and submission of any form on this website is entirely at the discretion of you, the website user.
Data Protection Statement
In using and submitting forms on this website you agree that our practice may use any personal data of yours that you supply through the forms.
Our practice respects your privacy and seeks to protect your personal data:
- Our practice will only collect and use your information to administer, support, improve and obtain feedback on its service.
- Our practice may also use this information to assess what services may be of interest to you and to personalise our service and marketing.
- Our practice may also contact you to obtain feedback on services and any improvements we can make to them.
- You have the right to ask us at any time not to contact you by way of direct marketing.
Our Policy on Patient Clinical Imaging
Clinical imaging, which includes photographic, video and audio recordings, is an important part of your medical record and is a form of personal information that is ‘sensitive information’.
During the course of your treatment, clinical imaging may be taken for our records (i.e. our ‘use’). These are necessary for accurate record keeping, comparison and reference. Clinical imaging may also be provided to our practice by your referring GP/specialist. This imaging is accessible only by the staff in our practice.
Identifiable clinical imaging (i.e. those that are identifiable as you) will not be shown to other patients, or published online or in medical literature (i.e. ‘disclosed’) without your express written consent.
However, identifiable clinical imaging may occasionally be shown without your express consent in closed medical sessions with other doctors or nurses for educational purposes only. These sessions are bound by a code of strict confidentiality. Should you object, please let us know.
Pre- and post-operative clinical imaging is useful in helping a patient decide whether to go ahead with a procedure and in demonstrating the quality of our work. In cosmetic procedures such as breast augmentation, breast lift or breast reduction; liposuction; and abdominoplasty, clinical imaging is generally not identifiable. In others such as facelift, rhinoplasty, eyelid surgery, and ear surgery, clinical imaging may be identifiable. In order to show patients such identifiable pictures of other patients, we need those patients’ express consent. We are extremely grateful to those patients who give us such consent. Of course, this consent may be given or withdrawn at any time.