Carbal Medical Services | Excellence in Aboriginal & Torres Straight Islander Health
Carbal Medical Services | Excellence in Aboriginal & Torres Straight Islander Health
Carbal Medical Services | Excellence in Aboriginal & Torres Straight Islander Health

Privacy Policy

Home 9 Privacy Policy

Carbal Medical Services’
Privacy Policy

 

Current as of 20 September 2024

Introduction

Carbal Medical Services (Carbal) is committed to protecting the privacy and confidentiality of the personal and sensitive information of all individuals who interact with our services. This Privacy Policy outlines how we collect, use, disclose, and manage personal information across all aspects of our organisation, including clinical services, research initiatives, outreach and support programs, and any other affiliated services or activities.

This privacy policy complies  with the Australian Privacy Principles (the APPs) and the Privacy Act 1988 (Cth) (the Act).

 

Collection of Personal Information

We collect personal information to provide high-quality health care services, engage in research, and conduct outreach activities. The information we collect may include both personal, non-personal and sensitive information.

Carbal may ask the patient for Personal and/or Sensitive Information about other people (for example, family members). If they provide us with this information, we rely on them to tell those people that they are giving their Personal and/or Sensitive Information to us, and to make them aware of this Privacy Policy.

 

Terminology

For the purposes of this Privacy Policy, the term “Individuals” encompasses all persons who interact with Carbal, including but not limited to patients, clients, consumers, advocates, carers, individuals and visitors.

Definition

Personal Information

 

refers to any information or data about an individual that can be used to identify that person, either directly or indirectly. This includes details like a person’s name, address, phone number, email address, date of birth, and more specific identifiers like medical records, financial information, or even online identifiers such as IP addresses.

As per the Act, Personal Information encompasses any data that can reasonably identify an individual, whether alone or in combination with other data. It also includes sensitive information.

Sensitive Information

is any information or opinion about an individual which is health information, or   which relates to the patients racial or ethnic origin, political opinion, religious and/or philosophical beliefs, sexual preferences or practices, or criminal record.

Examples of Sensitive Information could include:

§  medical information including medical history, medications, allergies, adverse events, immunisations, social history, family history and risk factors;

§  Medicare number (where available) for identification and claiming purposes; and/or

§  healthcare identifiers;

§  health fund details; or

§  any other information reasonably requested by us.

Patient Health Record

 

Medical records, whether electronic or not, are a collection of information about a patient’s healthcare that are essential for his or her present and future care and applies to clinical notes, investigations, letters, photographs and or video footage.

Collection of Personal Information

The kinds of Personal Information and Sensitive Information we collect and hold depends on the specific services provided to you, but will generally include basic personal contact information, as well as other information that is deemed relevant. This will usually include the following:

  1. your contact details (name, postal address, email address, etc.);
  2. your personal details (date of birth, gender, cultural identity, socio-economic status, etc.);
  3. your health information and medical history;
  4. information on personal issues, experiences and relationships; and
  5. your family background and community supports (which can include Personal Information and Sensitive Information of third parties).

Carbal collects Personal Information and Sensitive Information through various means, including:

  1. Directly from Individuals: Personal Information and Sensitive Information is primarily collected directly from you during consultations, phone calls, through forms you complete, or via electronic communication. This can include health information, contact details, and other relevant personal data.
    • For GP Clinics
      • Carbal staff will collect personal and demographic  information at the first appointment via the registration form.
  • During the course of providing medical services, we may collect further Personal Information and Sensitive Information by asking relevant questions or asking the patient to complete further forms if necessary.
  • Information can also be collected through Electronic Transfer of Prescriptions (eTP), MyHealth Record system, e.g., via Shared Health Summary, Event Summary. Carbal practice participates in these eHealth
  1. Third-Party Sources: We may also collect information from third parties such as other healthcare providers, government agencies, or your authorised representative. This occurs when it is necessary for your care, with your consent, or as required by law. Often this is because it is not practical or reasonable to collect it from you directly. This may include information  from:
    • your guardian or authorised representative
    • other involved healthcare providers, such as specialists, allied health professionals, hospitals, community health services and pathology and diagnostic imaging services
    • a health fund, Medicare, or the Department of Veteran’s Affairs (as necessary).
  2. Online Interactions: Personal Information and Sensitive Information may be collected when you interact with our website, social media platforms, send us email correspondence or telephone us, make an appointment or other online services. This can include information provided through online forms, booking systems, or cookies used on our website to enhance your experience.
  1. Outreach and Community Programs: Personal Information and Sensitive Information may also be collected during participation in outreach and community programs, where it is relevant to the services being provided.

If you do not provide us with the required information, we may not be able to perform the services which you require us to provide.

Use of Personal Information

Carbal uses the Personal Information and Sensitive Information we collect:

  • To confirm your identity.
  • to provide and manage healthcare services.
  • to conduct research to improve health outcomes.
  • to deliver community outreach programs and services.
  • to communicate with you regarding appointments, services, and health-related information.
  • to comply with legal obligations and reporting requirements.
  • to share it with our related entities, subsidiaries or other specialist providers as required to perform functions on our behalf.
  • for other purposes communicated to you when your information is collected.
  • for disclosures required by law, regulation or court order.
  • to provide data to Government department and agencies who provide funding for our services.
  • to conduct internal client research and assessment.

This includes us using this information to communicate with you about our services, for internal administration, direct marketing and planning purposes. We will also use your Personal Information for purposes related to those described above which would be reasonably expected by you. You may request not to receive direct marketing communication from us.

Consent

Consent to collect your Personal Information or Sensitive Information may be requested in various forms, including written, verbal, or through an authorised representative. When interacting with Carbal, if Personal Information or Sensitive Information is collected, Carbal will provide Individuals with a consent form to determine how their information will be accessed and used. These consent forms are specific to the areas of Carbal where Personal Information or Sensitive Information is obtained and are electronically scanned into the individual’s file.

Carbal staff or contractors will provide assistance and support to individuals to help their understanding of the content of the consent forms and their rights concerning the Personal Information or Sensitive Information that they provide to Carbal.

Only staff and contractors who need to access Personal Information or Sensitive Information to perform their duties will have access to it. If we need to use your information for any other purpose, we will seek additional consent from you.

Individuals may withdraw their consent at any time by providing written notice to [email protected].

Disclosure of Personal Information

Carbal will not disclose your Personal Information or Sensitive Information to third parties without your consent, except as required by law or as outlined in this policy.

We sometimes share Personal Information or Sensitive Information:

  • with third parties who work with Carbal for business purposes, such as accreditation agencies or information technology providers – these third parties are required to comply with APPs and this policy;
  • Healthcare professionals involved in your care;
  • Research partners, in de-identified form, where appropriate;
  • when it is required or authorised by law (e.g., court subpoenas);
  • when it is necessary to lessen or prevent a serious threat to a individual’s life, health or safety or public health or safety, or it is impractical to obtain the patient’s consent;
  • to assist in locating a missing person;
  • to establish, exercise or defend an equitable claim;
  • for the purpose of confidential dispute resolution process;
  • when there is a statutory requirement to share certain personal information (e.g., some diseases require mandatory notification);
  • during the course of providing medical services, through Electronic Transfer of Prescriptions (eTP), MyHealth Record system (e.g., via Shared Health Summary, Event Summary); or
  • with other organisations as required from time to time to allow them to assist us to provide you with services.

Only people that need to access information will be able to do so. Other than in the course of providing medical/social support services or as otherwise described in this policy, Carbal will not share Personal Information or Sensitive Information with any  third party without the patients consent.

It is very unlikely that we will disclose your Personal Information and Sensitive Information to overseas recipients. If we transfer your Personal Information or Sensitive Information outside Australia, we may endeavour to comply with the requirements of the Act that relate to transborder data flows, but we cannot guarantee compliance and you specifically agree that you understand this. Therefore, to the fullest extent permitted by law, we disclaim all liability and responsibility for any damage you may suffer due to our non-compliance with APP 8.1, except to the extent that our liability cannot be excluded by applicable laws and regulations which we are subject to.

You should also be aware that:

  • any overseas recipient may not be subject to any privacy obligations or to any principles similar to the APPs;
  • you may not be able to seek redress in the overseas jurisdiction; and
  • any overseas recipient may be subject to a foreign law that could compel the disclosure of personal information to a third party, such as an overseas authority.

While we will not directly disclose your Personal Information and Sensitive Information to overseas recipients without your consent, the entities to which we may disclose your Personal Information and Sensitive Information may do so. We are unable to say what countries, if any, those recipients are likely to be located in.

Carbal will not use personal information for marketing any of our goods or services directly to the patient without express consent. If the patient does consent, they may opt-out of direct marketing at any time by notifying Carbal in writing at [email protected].

Storage and Security of Personal Information

Carbal takes reasonable steps to protect Personal Information and Sensitive Information from misuse, loss, unauthorised access, and disclosure. Those steps include protecting it by a combination of physical and technical measures. Information that we store in hard copy, is stored securely. Information that we store electronically, is stored in a local server/secure cloud-based facility and/or on our computers, which are protected by password or encryption and are kept in secure locations at all times.

We will take all reasonable steps to protect the security of your Personal Information and Sensitive Information held by us. This includes appropriate technology to protect your Personal Information and Sensitive Information stored electronically, such as passwords, as well as limiting the number of personnel who have access to your Personal Information and Sensitive Information, whether stored electronically or in hard copy.

To limit the possibility of human error, we will regularly provide training to our staff regarding the collection, storage and handling of your Information.

When we no longer require your Patient Health Record, Personal Information and Sensitive Information, we will archive it.

Access and Correction of Personal Information

You have the right to access the personal information we hold about you and to request corrections if the information is inaccurate or incomplete. If you believe the information we hold is inaccurate, incorrect, or incomplete, you may request that your information be corrected and we can then take reasonable steps to correct this information.

To access records, request a correction, or opt out of receiving marketing communications, Carbal requires a written request addressed to the General Manager and can be lodged via [email protected]. We will respond within 30 days and in accordance with applicable laws.

There may be a minimal cost for Carbal to provide hard copies of any documents. Carbal will take reasonable steps to correct personal information where it is not accurate or up to date. From time to time, we will ask patients to verify that the personal information held by Carbal is correct and up to date.

Anonymity

An individual has the right to deal with us anonymously or under a pseudonym unless it is impracticable for us  to do so or unless we are required or authorised by law to only deal with identified individuals.

 

Data Breach

A data breach is when Personal and/or Sensitive Information held by Carbal is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference. Examples of a data breach are when a device containing personal information of clients is lost or stolen, an entity’s database containing personal information is hacked or an entity mistakenly provides Personal Information to the wrong person.

A ‘data breach’ may also constitute a breach of the Act, however this will depend on whether the circumstances giving rise to the data breach also constitute a breach of one or more of the APPs.

Carbal has a comprehensive Data Breach Response Plan. Our actions in the first 24 hours after discovering a data breach are crucial to the success of our response. A quick response can substantially decrease the impact on the affected individuals. However, despite our reasonable efforts, we cannot guarantee that the security of your Personal Information and Sensitive Information will not be breached. Therefore, to the fullest extent permitted by law, we disclaim all liability and responsibility for any damage you may suffer due to a data breach, except to the extent that our liability cannot be excluded by applicable laws and regulations which we are subject to.

Website Terms & Conditions

 

Third Party Links

Our websites may contain links to third-party websites. These websites have their own privacy policies, and we do not accept any responsibility or liability for their content or activities. We recommend that you seek out their privacy policy when redirected to a third party website to ensure that you are aware of how they may use your personal information.

Cookies and Tracking Technologies

Carbal use cookies and similar tracking technologies to enhance your experience on our website. Cookies help us understand how you use our website and enable certain features. Cookies, on their own, will not provide us with your email address or other personally identifiable information. However, cookies allow third parties, such as Google, Facebook and Instagram, to cause our advertisements to appear on your social media and online media feeds as part of our online marketing campaigns. If and when you choose to provide the Site with personal information, this information may be linked to the data stored in the cookie.  Individuals accessing our website can control cookie settings through their browser, but disabling cookies may affect your ability to use some features of our website.

Changes to the Privacy Policy

Carbal reserves the right to update or amend this Privacy Policy as needed to reflect changes in our practices or legal requirements. Any changes will be communicated through our website and other appropriate channels.

Privacy Related Complaint

We take complaints and concerns regarding privacy seriously. Individuals should express any concerns or feedback which can be lodged via our website or by obtaining a feedback form from any of our office locations.

Complaints will be handled in line with our Carbal Complaints Policy & Procedure and SIRS procedures.

Individuals may also contact the Office of Australia Information Commissioner (OAIC). Generally, the OAIC will require you to give them time to respond, before they will investigate. For further information visit www.oaic.gov.au or call the OAIC on 1300 336 002.