At HealthShare, we realise that your health concerns are sensitive, and we understand that you trust us to be very careful with your information. We respect your privacy and we’re committed to protecting your personal information. That’s why we currently abide by the Australian Privacy Principles in the Privacy Act 1988.
We have provided this policy to explain how your information is collected, used, stored and disclosed. By accessing the website http://www.healthshare.com.au or any of the HealthShare websites, or by using our services, you agree to be bound by the terms of this policy. We encourage you to read the policy carefully.
This policy covers the following areas:
- Your personal information: what we collect and hold, how we collect and hold it, and why we collect and hold it;
- Disclosure to third parties: why we might disclose your personal information and who we might disclose it to (including potential disclosure to overseas recipients);
- Access, corrections and complaints: how you might access and correct, if necessary, the personal information we hold about you, and how complaints about any breach by us of the APPs might be made and dealt with;
- How we deal with data breaches;
- Our security measures;
- Future Changes to the Policy; and
- Additional Requirements for Health Information.
If you have any questions or concerns about our policy you can email us: firstname.lastname@example.org
1. Your personal information
The more we know about you the easier it is for us to deliver helpful, relevant information and services. We collect both personal and non-personal information about you. “Personal information” is information which can identify you and includes information you provide when you register on our sites such as your name, email address, password, contact phone number and date of birth. You are given choices when we ask for personal information and, whenever possible, we try to explain why we ask for information. You can always refuse to provide personal information, but this may mean that some site features or services will not function properly as a result.
The personal information we collect from you might also include “sensitive information”, which is information or an opinion about your racial or ethnic origin, political persuasion, memberships in trade or professional associations or trade unions, religious beliefs, sexual preferences, criminal record or health information. Sensitive information also includes genetic information and some biometric information and biometric templates. We only hold and collect sensitive information where it is necessary for the purpose for which it is being collected and with your consent unless the collection is required or authorised by law.
We will not collect or monitor any personal information about you without your consent. The only personal information we collect is what you tell us about yourself – through written or verbal communication – and how you use our sites. We use this personal information to verify your identity, provide you with the services we provide, notify you of new or changed services, tailor the content you see on our website and to contact you as required. By providing us with this information, you are able to use our personalised features, health tools and content, to make appointments, and to join and create groups and take part in discussions, promotions and competitions.
For direct marketing purposes, your Personal Information will be added to our database. The database may be used for ongoing marketing and educative purposes. The type of marketing and educative activities that we undertake includes forwarding material to you so that you are kept updated in relation to various issues and our services. If at any time you do not wish to continue receiving this information, we provide an “opt-out” procedure in each communication to you.
Specific collections and uses of personal information
Health care practitioners
For health care practitioners only, when you register on the HealthShare website, you understand and agree that we may use (and where necessary disclose to third parties) the information you provide us in order to make enquiries, from time to time, to assess your compliance with the HealthShare Terms of Service. We may also use the information to provide services to you, for marketing and communications purposes, and to verify your professional identity where necessary. Such information may be disclosed to third parties where reasonably necessary to make these enquiries, including but not limited to enquiries of professional associations or registration bodies and other enquiries arising from your profile which are disclosed during your registration or arise from information you provide in our community forum.
Communities and Tools
From time to time we may ask you for feedback about our sites. This information allows us to better understand the needs of our users and to gather information about health issues and trends. You provide this information at your own discretion and voluntarily, and we may share this information with third parties.
Competitions and promotional communications
When you enter a competition or take part in a promotion on our sites we may ask you to provide additional information or answer certain questions. Some or all of the information collected from you during a competition may be disclosed publicly. It may also be shared with a co-sponsor(s), participating health services provider(s) or provider(s) of prizes in order to update you of your status. We may contact you in connection with a particular competition or promotion to update you regarding your status, let you know that a competition or promotion has ended and for other competition and promotion -related messages. If data is to be disclosed or shared, we will include a notice at the time of data collection. If you prefer not to receive any promotional information from us, please let us know by clicking on the “unsubscribe” link at the bottom of any of our communications.
When you search on our sites, we store the search terms and the site(s) visited so that we can continue to improve the quality of our search results.
When you visit our sites, our servers will collect log information. This information may include your page request, Internet Protocol (IP) address, browser type, browser language, the date and time of your request and one or more cookies that may uniquely identify your browser. Log information helps us to gather information about how our sites are being used such as the pages visitors are viewing.
Information you provide when you create your profile, tools you’ve used and articles you’ve viewed will be used to personalise your experience of the site. In addition, as a HealthShare member, you have the option to receive regular email newsletters and alerts. You can unsubscribe from newsletters by clicking on the “unsubscribe” link at the bottom of any newsletter. You can manage your alerts in your profile.
Making enquiries or appointment requests
When you make an enquiry or request an appointment via the HealthShare website or telephone, your personal information is recorded and viewed by HealthShare staff members who are providing the information to the health professional(s) and practice staff with whom you wish to make the enquiry or appointment, for the purpose of making the enquiry or appointment. By making enquiries or appointments through our site or telephone, you consent to your personal information being disclosed to the health professional and practice staff in this way.
Any information you post in group discussions and comments you make on blogs and social media channels are open to the public and can appear in search engine results. Your posts will be associated with your profile name and your photo (if you uploaded one). We may use information you provide on blogs, social media channels and other third party sites either to facilitate discussion on those sites or on HealthShare’s own website. If we use information you have provided on third party sites on our own website, then we shall use and handle that information in accordance with this policy and HealthShare’s Terms of Service.
Emails and Forms
Information that you send to us via links, emails, or forms on our sites will be stored by HealthShare.
If you share any HealthShare content via our Send to a Friend function, we will send them an email on your behalf.
Third Party Links
2. Disclosure of Personal Information to Third Party Providers
Any personal information provided to us may be disclosed, if appropriate, to other entities in order to facilitate the purpose for which the information was collected. Such entities generally include:
- third party suppliers for the purpose of enabling them to provide a service such as (but not limited to) payroll, superannuation administration, IT supply, data storage, web-hosting and server providers, debt collectors, maintenance or problem-solving providers; marketing, promotional or advertising providers;
- third party health care, health insurance and other health service providers;
- any applicable or relevant regulator or third party for the purpose of legislative or contractual compliance and/or reporting;
- any of our related entities; or
- other entities if you have given your express consent.
Other than the above, we will not use or disclose any personal information about you without your consent unless all identifying information about you has first been removed. There may be exceptional circumstances where this may not be possible, such as if disclosure is required by law, is necessary to protect the rights or property of HealthShare or any member of the public, or to lessen a serious threat to a person’s health or safety.
Transfer of personal information overseas
3. Access, corrections and complaints
We take reasonable steps to make sure that the personal information we collect, use and disclose is accurate, complete and up-to-date. You may request access to the information we hold about you.
You can change or update your profile information, including your contact details and alerts, at any time. Your profile, along with your photo (if you choose to upload one), may be viewable by anyone on the Internet.
We assume that the information we hold about you is accurate, complete and up-to-date. However, if you identify that any of the information is not accurate, complete or up-to-date, please contact us at email@example.com so that we can update the information for you.
If you wish to complain about how we have handled your personal information, please contact our Privacy Officer:
- by telephone 1300 533 433; or
- by e-mail firstname.lastname@example.org; or
- by letter to The Privacy Officer, HealthShare P.O. Box 259, Bondi Junction, N.S.W. 1355
We will endeavour to:
1. provide an initial response to your query or complaint within 5 business days; and
2. resolve your query or complaint within 21 business days.
If you are still not satisfied, you can contact the Australian Privacy Commissioner (see http://www.oaic.gov.au/about/contact.html or call 1300 363 992).
Cancelling your membership
You can cancel your membership at any time by visiting your profile. After you have cancelled your membership you will not be able to sign into the site to view or access any information you may have saved or created on the site.
4. Dealing with Data Breach
We will manage the process of dealing with an actual or suspected Data Breach in accordance with the Notifiable Data Breach (NBD) Scheme pursuant to Part IIIC of the Privacy Act.
An NBD will be considered to have occurred when the following three criteria are satisfied:
– suffer a Data Loss, meaning accidental or inadvertent loss of Personal Information likely to result in Unauthorised Access or Unauthorised Disclosure (ie a laptop containing Personal or Sensitive information is lost or stolen). If data the subject of the Loss can be deleted remotely or is encrypted it will not constitute an NDB; or
– suffer or are suspected to have suffered an Unauthorised Disclosure, meaning we release or make visible Personal or Sensitive Information in a way not permitted by the Privacy Act (ie an email is sent to the wrong address or employee accidently publishes a confidential data file containing personal information on the internet); or
– suffer or are suspected to have suffered an Unauthorised Access, meaning Personal or Sensitive Information is accessed by someone who is not permitted to have access (ie a database is hacked by the third party);
- The Data Loss, Unauthorised Access or Unauthorised Disclosure is likely to result in serious harm to a person to whom the Personal Information relates; and
- We have not been able to prevent the likely risk of serious harm.
Within 30 days of a suspected Data Breach occurring, we will assess the breach to determine if it is likely to cause serious harm, using the NDB Scheme list of relevant matters, including:
- The Sensitivity of the Personal Information or Sensitive Information (ie loss of medical records or details of sexual orientation would be more likely to be assess as capable of causing Serious Harm);
- The type of Personal Information or Sensitive Information (ie loss of credit card numbers or drivers licences may be more likely to result in serious harm);
- Whether security matters, such as encryption, protect the Personal Information following the Data Breach thereby limiting the likelihood of Serious Harm; or
- The nature of the harm (ie credit card details being released are more likely to harm serious and immediate consequences than other information).
We will take all reasonable steps to ensure an assessment is completed within 30 days and a notification submitted to the Office of the Australian Information Commissioner (OAIC).
As soon as is practicable after a Notifiable Data Breach is confirmed, we will provide a statement to each individual whose data was breached or who are at risk, including details of the breach and recommendations of the steps you should take in the circumstances.
5. Our security measures
We are dedicated to protecting the security of your information and take all reasonable precautions to protect it from unauthorised access, modification or disclosure. Your electronic information is stored on secure servers that are protected in controlled facilities. Our employees have limited access to your personal information. However, as we cannot guarantee the security of communications over the Internet, we cannot give an absolute assurance that your information will be secure at all times. Transmission of personal information over the Internet is at your own risk, and HealthShare will not be held responsible for events arising from unauthorised access to your personal information.
6. Future Changes
7. Additional Requirements for Health Information
Where we collect and/or hold Heath Information (within the meaning of section 6 of the Health Records and Information Privacy Act 2002 (Cth) as a result of our contractual relationships with Health Provider Organisations (being those organisations that are a health service provider or that collects, holds or uses health information and are required to comply with the Health Records and Information Privacy Act 2002 (Cth)) (Health Provider Organisations) we will treat Health Information in compliance with the Privacy Act and all applicable State and Territory legislation governing privacy of Health Information. We will only use or disclose health information for the purpose for which it was collected or a directly related purpose that is expected.
In the event of a Data Breach or suspected Data Breach, we will provide the Health Provider Organisation within 14 days of the Data Breach of suspected Data Breach:
- The identity and contact details of the relevant client/s of the Health Provider Organisation (if identifiable by us);
- A description of the data breach;
- The kinds of information concerned (if identifiable by us);
- Recommendations about the steps that those affected should take in response to the data breach; and
- Steps taken by us to secure our systems against further breach;
Unless otherwise agreed between us and the Health Provider Organisation in writing, we will not identify whether the Data Breach is a NDB in circumstances where we are in possession of Health Information as a result of providing services to a Health Provider Organisation. The Health Provider Organisation will be responsible for making an assessment as to whether the Data Breach constitutes an NDB and to report the NDB in compliance with the NDB Scheme.
We are not otherwise bound by the privacy policies and procedures of Health Provider Organisations unless we have had prior notice of the same and provided written acceptance of those policies and procedures to the Health Provider Organisation.