Effective 17 July 2022
- All CU Health staff;
- All Healthcare professionals; and
- All Contracted service providers to CU Health
- the kinds of personal information that we collect and hold
- how we collect and hold your personal information
- the purpose for which we collect, hold, use, and disclose your personal information including the different types of communications we send.
- personal information that may be disclosed to overseas recipients
- how you can contact us if you want to access or correct personal information that we hold about you
- how you can complain about a breach of the relevant Privacy Laws and how we will respond to your complaint.
2. What we do
CU Health’s mission is to improve the health and wellbeing of working Australians through better workplace health outcomes.
CU Health is a registered Australian healthcare provider that delivers secure video-based healthcare services through its own Portal. We provide whole-person healthcare including acute and preventative medical care, chronic disease management, pain management and mental health services.
CU Health provides members with access to a multi-disciplinary healthcare team and allows General Practitioners with an existing clinical relationship with a member to continue to care for them by providing access to the Portal functionality to conduct video appointments.
Our diverse set of responsibilities includes:
- assessing an individual’s physical and psychological health including diagnosing illness and disability.
- providing evidence-based treatments for chronic diseases to improve or maintain an individual’s physical and psychological health.
- identifying the risk factors for chronic diseases and providing support and advice to help individuals overcome the barriers to changing behaviour and lifestyle factors.
- providing medications through the delivery of electronic prescriptions when appropriate.
- co-ordinating care with a broad range of physical and mental health professionals and services when needed, for example antenatal shared care, audiology, physiotherapy, podiatry, psychology, psychiatry, occupational therapy and optometry.
- helping people stay healthy by coordinating and promoting preventive health and disease prevention activities including timely cancer screenings.
- treating mild to moderate COVID-19 at home.
Further information about CU Health can be found on CU Health’s website.
3. Our obligations under the relevant Privacy Laws
As an Australian health service provider, CU Health Pty Limited ABN 22 635 562 720 and our related bodies corporate (CU Health, we or us) are bound by the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs) in Schedule 1 of the Privacy Act. The Privacy Act sets out 13 APPs which regulate how we collect, use, disclose and store your personal and health information. To the extent that we collect the personal health information of individuals residing in Singapore, for example where we provide services to clients with employees in Singapore, we are also bound by the Personal Data Protection Act 2012 (Singapore) (PDPA).
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not.
You may notify us if you no longer want to receive certain communications and, provided your opt-out request is clinically appropriate, your preference will be updated.
Where possible, we will allow you to interact with us anonymously or using a pseudonym. If you want to discuss setting up and using a pseudonym account, and its limitations, use the contact details at the end of this policy to arrange a confidential appointment with the Privacy Officer.
Using a pseudonym means using a different name or term instead of your actual name. For example, we may not need your personal information when you:
- seek general information during a video appointment or through the integrated messaging feature
- provide feedback to us about our service
- provide a tip-off about an alleged fraud or misconduct
In other circumstances however it may be impracticable to remain anonymous or use a pseudonym, or we may be legally required to deal with you in an identified form. It may also be necessary to collect some personal information from you to resolve a complaint that you have made. We will notify you at the time of collection if this is the case.
4. Methods of collection
We collect reasonably necessary personal and sensitive information about you in the provision of healthcare. Where reasonable to do so we will notify you of the purpose at the time of collection, or as soon as practicable after collection.
We collect your personal information only by lawful and fair means and in most cases, we will collect your personal information directly from you. We take reasonable steps to ensure that personal information we collect about you is accurate, up-to-date, complete, relevant and not misleading.
In accordance with the relevant Privacy Laws, and where it is reasonably necessary to do so, we can collect personal information about you through a range of different channels including:
- paper-based and electronic forms (including registration forms and surveys).
- telehealth appointments.
- face to face appointments.
- a family member (with your consent or in an emergency where it is unreasonable or impracticable to collect the information only from you).
- communications within the CU Health portal, by telephone, email or facsimile.
- other Australian health care providers or organisations.
- government websites and systems (including My Health Record in Australia, and the National Electronic Health Record in Singapore).
- the Healthcare Identifiers (HI) Service: as an authorised healthcare provider under the Healthcare Identifiers Act 2010 (Cth) (HI Act), CU Health can collect your Individual Healthcare Identifier (IHI) for the purpose of providing healthcare to you.
- social media websites and accounts.
- CU Health’s mobile application.
- international health care facilities and treating practitioners (with your consent in certain circumstances, such as when you are overseas and in need of treatment from an overseas health care facility or treating practitioner).
- other bodies where it is reasonably necessary for, or directly related to, the provision of healthcare.
5. Personal information we collect
In the provision of healthcare, we collect the following types of personal information:
- name, address and contact details (for example, phone or email).
- information about your personal circumstances (for example, marital status, age, gender and relevant information about your partner and children).
- information about your identity (for example, date of birth).
- information about your employment.
- information about your regular healthcare professionals.
- government identifiers (for example, Medicare number and health care identifier).
- information about your entitlements under relevant legislation.
- information that does not include your name or date of birth but is still personal information because, combined with other information about you, it could reasonably identify you.
We will only collect personal information about children when required or authorised by or under law, or otherwise in accordance with the relevant Privacy Laws.
6. Sensitive information we collect
Sensitive information is a subset of personal information. The Privacy Act defines ‘sensitive information’ to include health information (information or an opinion about a person’s health, illness, injury or disability) as well as, among other categories, genetic and biometric information, racial or ethnic origin and sexual orientation. Paragraph 12.69(b) of the PDPA Advisory Guidelines and Chapter 7 of the Personal Data Protection Commission’s (PDPC) Advisory Guidelines on the PDPA for Selected Topics (Revised Edition 17 May 2022) (together, the PDPA Guidelines) also recognise that personal data may have varying levels of sensitivity.
We will only collect health information when you have consented, it is required or authorised by or under law, or permitted under the relevant Privacy Laws.
We only collect information that is reasonably necessary for the purposes of providing our services to you, and we will take steps that are reasonably necessary to ensure that the information collected is relevant to these purposes, not excessive, and is accurate, up to date, complete, and will not intrude unreasonably on your personal affairs.
We collect the following types of health information:
- medical history where relevant to your individual health (including any disability or injury you may have, and a family member’s medical history where relevant)
- appointment details
- your wishes about future health services
- health risk factors
- notes of your symptoms or diagnosis
- allergies and adverse reactions
- information about a health service you’ve had or will receive
- specialist reports and test results
- prescriptions and other medications
- genetic or biometric information
- racial or ethnic origin
- relevant family history
- relevant social history where clinically relevant including health goals and lifestyle factors
- sexual orientation or practices
- any other personal information about you when a health service provider collects it
CU Health collects personal information related to notifiable diseases and adverse events from the use of therapeutic goods regardless of age, for the purposes of managing public health risks.
7. Unsolicited personal information we may collect
We may, on occasion, receive personal information about you from individuals or other entities, without it being requested by us. This information is considered ‘unsolicited’. An example of ‘unsolicited’ personal information is where you write to us to provide feedback on your experience with us and you provide information that is not required to respond to your query or feedback.
We will deal with unsolicited personal information in accordance with the APPs and PDPA Guidelines. We will destroy your personal information unless we consider that we could have lawfully collected it under the APPs and PDPA Guidelines.
8. Information security policies to protect your personal information
CU Health takes a layered, defence-in-depth approach to protecting information from misuse, interference and loss, and from unauthorised access, modification or disclosure. CU Health’s detailed information security policies are set out in a separate Security Management Plan that has been guided by the information security policies and guidelines in:
- Information security in general practice, Royal Australian College of General Practitioners (RACGP)
- Guide to Information Security, Office of the Australian Information Commissioner (OAIC)
In each case where CU Health authorises contracted service providers to act on its behalf, CU Health takes the following measures to ensure that the third party complies with the same privacy requirements applicable to CU Health:
- All employees and subcontractors of service providers must sign a confidentiality agreement before providing services to CU Health.
- Access controls are provisioned so that individuals can only access the information necessary to perform their duties and functions. Access to personal records by staff and contractors is restricted on a ‘need to know’ basis.
- Before any personal information is provided to a service provider, it is reviewed and reduced to the minimum amount of personal information needed to enable the required functionality.
Further information can be found
9. Why we collect personal information
The purpose for which we collect your personal information is important as it restricts how we can use and disclose your personal information.
Unless an exception applies in the relevant Privacy Laws, we will only use or disclose your personal information where it is reasonably necessary for, or directly related to, the provision of healthcare including for the following purposes:
- to verify that it is you logging into your account.
- to provide health services including to assess, maintain, or improve your individual health.
- to follow up on treatment you are currently receiving for example management of chronic conditions, quitting smoking, ongoing treatment of a thyroid disorder or hormone replacement therapy.
- to measure improvements in your individual health over time.
- to inform better clinical decisions made by other treating providers, for example to collaborate on a chronic disease management plan.
- to undertake health management activities including duty of care responsibilities.
- to comply with legislative requirements including the National Notifiable Disease Surveillance System.
- to remind you of preventive health initiatives such as cancer screenings.
- to remind you of upcoming appointments.
- to perform clinical functions and activities such as to send you care plans and educational material.
- to manage our contracts.
- to discuss feedback provided to us.
- to manage any complaints (including privacy complaints).
- to evaluate the provision and commissioning of our healthcare programs and services.
- to manage fraud, compliance investigations and audits.
- to compile population health statistics.
This list is not exhaustive, and we may send you additional communications in accordance with the relevant Privacy Laws.
10. Why we use information we collect
We will only use or disclose your personal information for another purpose where we are able to do so in accordance with the relevant Privacy Laws. We may use the information we collect from you:
- to facilitate healthcare services and functions such as sending you electronic scripts, referrals and investigation order forms.
- to inform clinical decision-making.
- to keep up-to-date medical records and clinical notes.
- to notify you when test results, correspondence or investigation reports have been received.
- to send you support and administrative messages, reminders, technical notices, updates, security alerts, and information requested by you.
- to verify your identity with Services Australia (which operates Medicare) and the Healthcare Identifiers (HI) Service Operator, where applicable.
- to handle complaints or resolve incidents.
- to ensure the system is operating in a safe and secure manner.
- to send you healthcare information that may be of interest to you based on your medical history or demographic profile.
- to send you invoices or statements and to collect payments (only where we have agreed).
- to conduct research and optimise the user experience on our website, portal and mobile app.
- to administer rewards, surveys, activities, or events managed by us.
- to comply with our legal obligations and resolve any disputes.
11. Personal information we disclose
We will only disclose your personal information:
- in accordance with the relevant Privacy Laws and other relevant legislation, including but not limited to:
- the Healthcare Identifiers Act 2010 (Cth).
CU Health is authorised under the HI Act to disclose ‘identifying information’ to the HI Service for the purpose of assigning you a healthcare identifier. This may include your name, address, date of birth, sex, Medicare number, CU Health number or Department of Veterans’ Affairs number.
- the Human Services (Medicare) Act 1973 (Cth) and the National Health Act 1953 (Cth).
CU Health is authorised to disclose reasonably necessary personal information for the administration of the Medicare Benefits Schedule, the Pharmaceutical Benefits Scheme or other health-related programs.
- the Public Health Act 2010 (NSW).
CU Health is required to record information about patients with certain medical conditions, such as AIDS, malaria, measles, tetanus and typhoid, and to notify the NSW Department of Health.
- the Infectious Diseases Act 1976 (Singapore).
CU Health is required to record information about individuals we have reason to believe or suspect are suffering from certain diseases and to notify the relevant health authority.
- to an overseas recipient only if you require us to issue a letter with personal information about you to the relevant treating facility in an overseas country to allow you to receive the relevant treatment.
- to another health service, hospital or medical specialist in Australia involved in your care and treatment.
- where authorised or required by or under an Australian law (or Singaporean law where applicable) or a court/tribunal order.
- to people or contracted service provider organisations authorised by CU Health, including technology vendors (to enable the features and functionality available on the Portal), information, communications and technology service providers, or other service providers assisting with corporate functions.
12. Storage, retention, and destruction of your medical record
We are required to retain medical records and health information and follow the legal requirements and guidelines of individual States in Australia and in Singapore.
Personal information held by CU Health is stored on electronic media, including the Electronic Practice Management Software, Enterprise Data Warehouse, business applications and cloud computing solutions. Personal information may also be held on paper files. Any third-party organisations which we engage to assist us in collecting, using and disclosing personal data are legally obliged to provide you with an equivalent or higher level of protection than required under the relevant Privacy Laws.
CU Health follows the requirements of the relevant jurisdictional authorities with respect to the storage, retention and destruction of your personal information, including your medical record. Typically, in New South Wales, medical records must be retained for at least 7 years after the last entry in the record. We will take reasonable steps to destroy or de-identify your personal information if we no longer need it for the purpose for which it was collected, unless we are required or authorised by or under law or a court/tribunal order to retain the information.
13. Accessing your personal information
We will take reasonable steps to provide you with access and/or make a correction to your personal information within 30 calendar days, unless we consider there is a sound reason under the Privacy Act or PDPA or other relevant law to withhold the information, or not make the changes. For example, we may refuse access to your personal information where the record includes another individual’s personal information.
If we do not provide you with access to your personal information, or refuse to correct your personal information, where reasonable we will:
- provide you with a written notice including the reasons for the refusal
- provide you with information regarding available complaint mechanisms
- at your request, take reasonable steps to associate a statement with the personal information that you believe to be inaccurate, out of date, incomplete, irrelevant or misleading.
14. My Health Record (Australia)
CU Health is a registered Portal Operator in the My Health Record system and is bound by the Australian My Health Records Act 2012 (Cth).
Where applicable, you may choose to connect your My Health Record (via your myGov account) to your CU Health account to view the health information in your My Health Record within your personal dashboard. This information is displayed as read-only, and CU Health is not able to access, view or store it.
15. Correcting or updating your personal information
It is important to tell us if your circumstances change to ensure that the information we hold, use or disclose about you is accurate, up-to-date and complete.
You also have a right to request correction of your personal information if it is inaccurate, out of date, incomplete, irrelevant or misleading.
If we correct your personal information, at your request, we will also take reasonable steps to notify other organisations that we have previously disclosed your personal information to, and that are bound by the relevant Privacy Laws, of the correction.
16. In the event of a suspected or actual data breach
If CU Health suspects that an eligible data breach may have occurred, it must quickly assess the incident to determine whether it is likely to result in serious harm to any individual.
Under the Notifiable Data Breaches (NDB) scheme in the Privacy Act, CU Health will notify affected individuals and the OAIC of an eligible data breach.
An eligible data breach occurs when:
- there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an organisation or agency holds
- this is likely to result in serious harm to one or more individuals, and
- we have not been able to prevent the likely risk of serious harm with remedial action
Similarly, under the PDPA and the PDPA Guidelines, CU Health is subject to the Data Breach Notification Obligation and will assess any data breach and, where required, notify the Personal Data Protection Commission and each affected individual of a data breach that results in, or is likely to result in, significant harm to an affected individual, or that is, or is likely to be, of a significant scale.
17. Making a privacy complaint
If you believe that we have breached the APPs or mishandled your personal information, you should take the following steps:
- Contact us: in the first instance, any privacy concern or complaint should be reported directly to CU Health. This can be done using the contact details set out at the end of this document.
- Submit your concern or complaint in writing: in order to be able to fully investigate your complaint, we would prefer that you make your complaint in writing using the contact details set out at the end of this document. The complaint should include information about the claimed privacy breach and your contact details. Please note that if you do not provide sufficient information or if you submit an anonymous complaint, we may not be able to fully investigate and respond to your complaint.
- Reasonable amount of time: we will acknowledge your concern or complaint upon receipt. This may involve email or telephone correspondence with you. We will also provide you with updates as to our investigation into your privacy complaint, if you provide your contact details. We will try to respond to your privacy concern or complaint as soon as practicable.
We will use the information from your complaint to investigate and seek to resolve the issues you have raised. This may include speaking to relevant healthcare providers and considering their processes as well as speaking to third parties where relevant.
We will use the information you provide in your complaint to provide feedback to staff or our business areas. If you are not satisfied with our response, you can complain directly to the OAIC.
The OAIC’s details are:
Office of the Australian Information Commissioner
GPO Box 5218
Sydney NSW 2001
Telephone: 1300 363 992
Please note that the OAIC generally requires that a complaint first be raised with us before the OAIC will investigate.
Where applicable, complaints in relation to the PDPA can be raised with the PDPC through their online Feedback form on their website www.pdpc.gov.sg.
18. How to contact us
If you have further questions or concerns about how we process personal information, or would like to know more about how to exercise your rights, you can contact our Privacy Officer at:
Phone: 1300 284 325 (1300 CU HEALTH)
275 Darling Street
BALMAIN NSW 2041