How we handle your personal information
Cornerstone, as a private sector health service provider, is required to comply with the Australian Privacy Principles (APPs) under the Privacy Act. The APPs regulate how we may collect, use, disclose and store personal information and how individuals may access and correct personal information which we hold about them.
Your personal and health information
Personal information under the Privacy Act is defined as ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not’
Cornerstone collects personal information, such as your name, address, phone number, email address, date of birth, gender and emergency contact information.
Cornerstone collects ‘health information’ as defined under the Privacy Act, including information about your health or disability (at any time), your medical records (including for example your clinical history, diagnoses, medications, results of tests/procedures and other circumstances), billing information, Medicare number, insurance details, and genetic information. This information could be held in any form, including paper, electronic and visual information.
What happens if we can’t collect your personal information?
If you do not provide us with your personal information, we may not be able to provide the services requested by you, or provide them to the same standard, and/or your diagnosis and treatment may be inaccurate or incomplete.
How do we collect your personal information?
Cornerstone collects and uses your personal information with your consent and will obtain that information from you directly, unless it is unreasonable or impractical to do so, for the purpose of providing you with the health care services you seek.
Your personal information is collected by Cornerstone from you in the following ways:
- by clerical employees of Cornerstone, including receptionists;
- by independent health practitioners in our medical centres and diagnostic imaging sites co-located in our medical centres and recorded on patient medical records that belong to Cornerstone; or
- through our websites in the form of online enquiries and requests for appointments.
There may be occasions when Cornerstone needs to obtain personal information and health information about you indirectly from a third party. For example, Cornerstone may collect personal information indirectly in the following ways:
- from referring health care practitioners;
- from medical specialists; or
- from the ‘My Health Record’ system.
What information does Cornerstone collect?
We collect information from you that is necessary for healthcare practitioners and allied healthcare professionals in our medical centres to provide you with health care services and diagnostic imaging services. This includes the personal information and health information referred to above, and may include collecting information about your health history, family history, your ethnic background or your lifestyle to assist with the diagnosis and treatment of your condition.
For what purposes do we collect, hold, use and disclose your personal information?
We collect, hold, use and disclose your personal information for the following purposes:
- to enable the health care practitioners and other allied healthcare professionals co-located within and external to our facilities to provide medical services, diagnostic imaging services, and treatment to you;
- to enable the health care practitioners and other allied healthcare professionals co-located within and external to our facilities to provide specialist referrals;
- to enable the health care practitioners and other allied health professionals co-located within and external to our facilities to report to referring practitioners and any such other medical practitioners as your referring healthcare practitioners may nominate;
- to enable the health care practitioners and other allied health professionals within our facilities to input information into your ‘My Health Record’ as required;
- for administrative and billing purposes;
- to comply with any legal or regulatory obligations;
- to send appointment reminders (including by SMS or email);
- for inclusion in a recall register to be advised of follow up visits;
- for the purpose of reporting back to your employer or a prospective employer, their authorised representatives and their insurer in the case of a work-related consultation or service;
- to provide notifications (including by mail, telephone call, SMS or email) from time to time, of the health care and clinical services that you or a dependent can access at our medical centre;
- to process and respond to any complaint made by you;
- to assess and engage with job applicants;
- to conduct business processing functions including providing personal information to our related bodies corporate, contractors, service providers or other third parties;
- for the administrative, marketing (including direct marketing), planning, product or service development, quality control and research purposes of Cornerstone, its contractors or service providers; and
- to meet obligations of notification to our medical defence organisations or insurers.
We will only use your personal and health information for the purposes described above, unless one of the following applies:
- The other purpose is directly related to the purpose for which you have given us the information and you would reasonably expect that we would use or disclose the information for that purpose, including but not limited to:
  - storage of the data by a contractor engaged to provide storage services to Cornerstone, including a cloud storage service provider. Our agreements with such contractors require that they keep your personal information confidential, and that they only use or disclose your personal information for the purposes of providing those goods or services to us.
- You have consented for us to use your information for another purpose;
- Cornerstone is required or authorised by law to disclose your information for another purpose (for example, to prevent a threat to the life, health or safety of any individual); or
- We reasonably believe that the use or disclosure is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body.
How can you access your data?
On request, you may have access to your personal information held by Cornerstone. You will need to complete a request for access form which is available at the medical centre or diagnostic imaging sites co-located in the medical centre that you attend. Please note that you may have access to your personal information held by Cornerstone, except in circumstances where access may be denied under the Privacy Act or other law. Examples of these circumstances are:
- where providing access will pose an unreasonable impact on the privacy of another individual; or
- where your request for access is frivolous or vexatious; or
- where the information relates to existing or anticipated legal proceedings between Cornerstone and you, and the information would not be accessible by the process of discovery in those legal proceedings; or
- where providing access would be unlawful, would pose a threat to the life or health of an individual, may prejudice an investigation of possible unlawful activity, may prejudice enforcement of laws, or denying access is specifically authorised by law.
Cornerstone will endeavour to acknowledge a request for access to personal information and provide the information requested within 30 days.
If access is provided to you as the result of a request, you will be charged a fee for costs incurred in providing access to that information.
If access is denied, Cornerstone will provide you with reasons for its decision.
Quality and correction of your health information
Cornerstone takes reasonable steps to ensure the personal information we collect, store and disclose from you is accurate, up-to-date and complete.
If you believe that personal information of a clinical or medical nature that Cornerstone holds about you is inaccurate, out-of-date, incomplete, irrelevant or misleading, you will need to contact either your treating health practitioner at the medical centre that you attend or the Practice Manager of the centre, who will assist you.
If your personal information of a non-clinical or non-medical type, such as your name, address or contact phone numbers, is incorrect, out-of-date or incomplete, it is important that you correct that information as soon as possible or when you next attend the medical centre. Alternatively, where reasonable and practical, Cornerstone will correct it and will advise any third parties to whom we may have previously disclosed that information of the correction.
If you request that your information be corrected and we do not agree that it is incorrect, we may refuse to update that information. In such a scenario, we will provide written notice of our refusal to do so within 30 days and upon your request, will place a statement of what you allege is correct where your personal information is kept and accessed.
Do we disclose your personal information to anyone overseas?
Direct marketing materials
From time to time we may send you direct marketing communications such as by mail, SMS or email, in accordance with the Spam Act 2003 (Cth). If your preference is to opt-out of receiving marketing communications from us, you may unsubscribe in the manner described in the particular communication you have received. Alternatively, you can opt out of receiving our communications by emailing us at firstname.lastname@example.org or phoning (02) 8311 1000.
Cornerstone takes reasonable steps, and implements reasonable safeguards, to protect your personal information from misuse, interference, loss, unauthorised access, modification or disclosure. All patient information is handled securely and in accordance with professional duties of confidentiality. We will destroy or permanently de-identify any of your information once it is no longer required for the purpose for which it was collected provided we are not otherwise required by law to retain that information.
Cornerstone is subject to a range of rules relating to the periods for which it must retain certain health information and records. As the owner of medical records and a health service provider, Cornerstone must generally retain health information about an individual:
- for 7 years from the last occasion on which we provided a health service to the individual – if we collected the information when the individual was 18 years old; or
- until the individual turns 25 – if we collected the information when the individual was less than 18 years old.
We are committed to protecting the privacy of visitors to our website. Information collected via our website is voluntarily provided by you.
Cornerstone is not responsible for the content or privacy policies employed by any website linked to ours.
We endeavour to take all reasonable steps to protect your personal data, including use of encryption technology. However, the internet is inherently insecure and therefore we cannot guarantee the security of transmission of information you communicate to us online. Accordingly, any information which you transmit to us online is transmitted at your own risk.
What is the process for complaining about a breach of privacy?
If you have any complaints or questions about this policy or with regard to our collection, use or management of your personal information, please contact:
Cornerstone Health Pty Ltd
Level 6, 139 Macquarie Street
Sydney NSW 2000
We will endeavour to respond to your complaint within a reasonable period. If you are unhappy with our response, you may refer your complaint to the Office of the Australian Information Commissioner: www.oaic.gov.au.