Privacy Policy

Last updated: 17 May 2026

Purpose

This Privacy Policy outlines how we collect, use, store, disclose, and protect your personal information, including sensitive and health information, in accordance with:

  • Privacy Act 1988 (Cth)
  • Australian Privacy Principles (APPs)
  • My Health Records Act 2012 (Cth)
  • Applicable State and Territory health privacy laws

We are committed to safeguarding your privacy and complying with all relevant legislation.

Scope

This Policy applies to all individuals who interact with us, including patients, website visitors, service users, contractors, and employees, and covers all methods of personal information collection, whether electronic, verbal, or written.

Definitions

  • Personal Information: Information or an opinion about an identifiable individual, recorded in any form, including names, contact details, or other details from which a person's identity can reasonably be ascertained.
  • Sensitive Information: A subset of personal information that includes racial or ethnic origin, political opinions, religious beliefs, sexual preferences, criminal records, or membership in professional/trade associations.
  • Health Information: Information about your health, disabilities, or use of health services.
  • Third-Party Website Visitors: Individuals who visit the clinic's website but are not current patients or users of our services.

What Information We Collect

We may collect the following types of personal information:

For Patients:

  • Full name, date of birth, gender
  • Contact details: phone number, email, residential address
  • Medicare number, private health insurance details
  • Medical history, current health status, referrals, pathology results, prescriptions
  • Payment and billing details
  • Telehealth session records and usage data

Website Visitors:

  • Technical Data: IP address, browser type, operating system, device information, and website usage data.
  • Personal Data: Any personal information you choose to provide through contact forms, newsletter sign-ups, or online queries.

How We Collect Information

We collect personal information through various methods, including:

  • Direct interactions with patients during consultations, via telehealth platforms, phone calls, or emails.
  • Online forms, such as appointment booking or contact forms on our website.
  • Automatic collection through cookies and similar technologies when you visit our website.
  • Third-party referrals from other healthcare providers, insurers, or authorised representatives.

Anonymity and Pseudonymity

Due to the nature of the health services we provide, it is generally impracticable for us to deal with individuals who have not identified themselves. Accurate identification is required to ensure the safety and continuity of clinical care, to comply with our legal and professional obligations under applicable health legislation, and to meet the requirements of Medicare and private health insurance billing.

Accordingly, we are unable to provide health services to individuals who choose to interact anonymously or using a pseudonym. Where you contact us for general enquiries only and do not seek clinical services, you may choose not to identify yourself to the extent that it is lawful and practicable to do so.

Unsolicited Information

From time to time, we may receive personal or health information that we did not solicit, for example, through misdirected correspondence, unsolicited referrals, or information provided voluntarily beyond what was requested.

Where we receive unsolicited personal information, we will promptly assess whether that information is of a kind we could have collected under our standard collection practices as described in this Policy. If the information could have been collected in the ordinary course of providing our services, we will handle it in accordance with this Policy as if it had been actively collected.

If we determine that the unsolicited information is not of a kind we would have been entitled to collect, we will, as soon as practicable and where lawful to do so, destroy or permanently de-identify that information. We will not use or disclose unsolicited information for any purpose prior to making this assessment.

Where unsolicited information relates to a third party rather than the individual who provided it, we will take particular care to limit its use strictly to what is necessary and will not retain it beyond the purpose for which it was received, unless we are required to do so by law.

Legal Basis for Collection

We collect personal information:

  • With your consent
  • When necessary for the performance of healthcare services
  • To comply with legal obligations
  • To pursue legitimate interests (e.g. improving services)

How We Use Your Information

For Patients:

We use your personal information for the following purposes:

  • To provide healthcare services, including telehealth consultations, diagnosis, treatment, and follow-up care.
  • To communicate with you regarding appointments, treatment plans, and health-related information.
  • To process payments, including Medicare and private health insurance claims.
  • To comply with legal and regulatory obligations, such as reporting notifiable diseases or responding to court orders.
  • To improve our services, telehealth platforms, and website functionality.
  • To provide you with updates about our services, appointment reminders, or health-related information. You can opt out of receiving these communications at any time by following the "unsubscribe" instructions included in the communication or by contacting us directly. We will not use your health information for direct marketing without your explicit consent.

For Website Visitors:

We use your information to:

  • Respond to your inquiries or requests made through our website.
  • Analyse website usage and improve user experience.
  • Manage our website's functionality and security.

Disclosure of Information

We do not sell or rent your personal information to third parties. We may share your personal information in the following circumstances:

  • Healthcare Providers: With your consent, we may share your health information with other healthcare providers involved in your care.
  • Third-Party Service Providers: We may share your information with third-party service providers who assist us in delivering our services (e.g., IT service providers, payment processors) under strict confidentiality agreements.
  • Legal Requirements: We may disclose your information where required or authorised by law (e.g., to comply with a subpoena or court order).
  • Regulatory Authorities: We may disclose your information to regulatory authorities as required for compliance with health regulations.
  • Overseas Disclosure of Information: We do not routinely disclose personal or health information to overseas recipients. If it becomes necessary to transfer your information outside Australia (for example, where our third-party service providers store data on secure overseas servers), we will:
    • Only transfer the information where permitted by law;
    • Take reasonable steps to ensure the overseas recipient complies with Australian privacy principles or equivalent safeguards; and
    • Inform you in advance, including which country the information will be transferred to, where possible.

Data Security Measures

We implement the following measures to protect your personal information from misuse, interference, loss, unauthorised access, modification, or disclosure:

  • Encryption: All personal information is encrypted during transmission over the internet using secure socket layer (SSL) technology.
  • Access Controls: Access to your personal information is restricted to authorised personnel who need it to perform their duties.
  • Secure Storage: All digital data is stored on secure servers protected by firewalls and regularly updated security software.
  • Regular Audits: We conduct regular security audits and assessments to identify and mitigate potential vulnerabilities.
  • Multi-Factor Authentication (MFA): Employees must use MFA to access systems containing sensitive information.

Cookies and Tracking Technologies

We use cookies and similar tracking technologies on our website to improve your browsing experience, analyse traffic, and support the functionality and security of our online services. These tools help us understand how visitors use our website and enable us to deliver a more personalised and efficient user experience.

What Are Cookies?

Cookies are small text files that are placed on your device (computer, tablet, or mobile) by websites you visit. They are widely used to make websites work, improve efficiency, and provide reporting information.

Types of Cookies We Use

  • Strictly Necessary Cookies: These are essential for the operation of our website and enable basic features such as page navigation, secure access, and session management. Our website cannot function properly without these cookies.
  • Performance and Analytics Cookies: These collect anonymised information about how visitors use our website, such as which pages are visited most often or if error messages occur. This data helps us improve website performance and user experience.
  • Functionality Cookies: These remember your preferences and settings (such as language, location, or login details) to provide enhanced, more personalised features.
  • Third-Party Cookies: In some cases, we may use third-party services (such as embedded videos or social media plug-ins) which may place cookies on your device. These providers are responsible for how they use cookies, and we recommend reviewing their privacy policies.

Managing Your Cookie Preferences

You can choose to accept, decline, or customise your cookie preferences through your browser settings or by using a cookie management tool (where available on our website). Most web browsers automatically accept cookies, but you can usually modify your browser settings to decline them or notify you when a cookie is set.

Please note that disabling certain cookies may affect the functionality or performance of our website and limit your ability to access some services or features.

Where required by law, we will seek your consent before placing non-essential cookies on your device. By continuing to use our website after seeing a cookie notice, you are deemed to consent to the use of cookies as described in this Policy.

Data Retention

We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, to comply with our legal and regulatory obligations, and for legitimate operational or business requirements.

Our retention practices take into account the type of information held, its sensitivity, applicable laws and regulatory requirements, and the risks of unauthorised use or disclosure.

Retention of Health Records

In accordance with legal obligations and professional standards, we retain patient health records for the following minimum periods:

  • Adult Patients: At least 7 years from the date of the last consultation or entry in the record.
  • Child Patients: Until the patient turns 25 years of age, or for 7 years from the date of the last entry, whichever is longer.
  • Deceased Patients: Health records are retained in accordance with the above timelines unless a longer period is necessary for legal or clinical reasons.

Retention of Website and Technical Data

Data collected from website visitors, such as cookies, IP addresses, and analytics, is retained for up to 2 years, or longer if required for legal, technical, or business continuity purposes.

Other Records

Administrative, financial, or communication records (such as email correspondence, appointment logs, or billing records) are retained in line with legal retention obligations, typically between 5 and 7 years, depending on the nature of the document.

Secure Disposal

Once personal information is no longer required, we securely dispose of or de-identify it in accordance with industry standards and applicable law. This includes:

  • Secure deletion of electronic records
  • Shredding of physical documents
  • Use of data destruction services certified for handling sensitive information

We conduct regular reviews of our data holdings to ensure information is not retained longer than necessary.

Your Rights

As part of our commitment to transparency and data protection, you are entitled to exercise a number of rights under the Privacy Act 1988 (Cth) and relevant health privacy laws. These rights are designed to give you control over how your personal and health information is collected, used, and maintained.

You have the right to:

  • Request access to your Personal Information;
  • Request correction or updating of your information;
  • Request deletion of your data where no longer required;
  • Object to processing for marketing purposes;
  • Request a portable copy of your data where technically feasible;
  • Withdraw consent (where consent is the basis for processing).

How to Exercise Your Rights

To submit a request regarding any of the rights listed above, please contact us in writing using the contact details provided below. We may request verification of your identity to ensure that your information is not disclosed to or altered by an unauthorised individual.

We aim to respond to all valid requests within a reasonable timeframe, typically within 30 days. There is no charge for submitting a request; however, we may charge a reasonable administrative fee for the provision of physical copies or for excessive, repetitive, or manifestly unfounded requests.

If you are not satisfied with our response, you have the right to escalate your concern to the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

Data Breach Notification

We take data security seriously and have implemented appropriate technical and organisational measures to protect personal information. However, in the event of a data breach, we will comply with the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988 (Cth) and take swift action to mitigate any potential harm.

A data breach may include the unauthorised access to, disclosure of, or loss of personal information that we hold. If we have reasonable grounds to believe that a data breach is likely to result in serious harm to any individuals whose information is involved, we will:

  • Promptly assess the breach to determine its nature, scope, and potential impact in accordance with our internal data breach response plan;
  • Contain the breach where possible, and take immediate steps to prevent further unauthorised access or disclosure;
  • Notify affected individuals as soon as practicable, including details of the breach, the types of information involved, recommended steps they should take, and how we are responding;
  • Notify the Office of the Australian Information Commissioner (OAIC) by submitting a Notifiable Data Breach Statement through the prescribed process;
  • Document the breach and all steps taken in response, in compliance with our obligations under the Privacy Act;
  • Review our policies, procedures, and security safeguards to prevent recurrence and improve future responses.

Where we determine that a data breach does not meet the threshold for notification but may still carry risks, we will take proactive steps to inform affected individuals where appropriate.

We are committed to acting transparently, responsibly, and promptly to minimise the impact of any data breach and to uphold the privacy and trust of our patients, clients, and stakeholders.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our privacy practices, legal obligations, or service offerings. The updated version will be published on our website and will take effect from the Effective Date listed at the beginning of this Policy.

We encourage you to review this Policy periodically to stay informed about how we handle your personal information. Where material changes are made that may impact your rights, we will take reasonable steps to bring these changes to your attention, such as through notices on our website or direct communication where appropriate.

Your continued use of our services following the Effective Date of an updated Policy indicates your acceptance of the changes.

Privacy Policy Complaints and Enquiries

If you have any questions, concerns, or complaints regarding this Privacy Policy or how your personal information is handled, we encourage you to contact us directly using the contact form on our website.

We take all privacy-related enquiries seriously and are committed to resolving complaints in a timely and respectful manner. Upon receiving a complaint, we will:

  • Acknowledge your enquiry within a reasonable timeframe;
  • Investigate the circumstances of your concern;
  • Provide a written response outlining the outcome of our investigation and any steps taken to address the issue.

All complaints will be handled in accordance with our obligations under the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and, where applicable, relevant health privacy legislation.

If you are not satisfied with our response, you may escalate your complaint to the Office of the Australian Information Commissioner (OAIC):

  • Website: www.oaic.gov.au
  • Phone: 1300 363 992
  • Mail: GPO Box 5218, Sydney NSW 2001