1. About this policy
1.1 Purpose
GRIP Surgery (GRIP) is committed to ensuring the privacy and confidentiality of your personal information.
GRIP must comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) and other privacy laws that govern how private sector health service providers like GRIP handle your personal information (including but not limited to patient health information).
The purpose of this Privacy Policy is to clearly communicate to you how GRIP handles your personal information. It will give you a better and more complete understanding of the type of personal information that GRIP holds about you and the way GRIP handles that information.
This Privacy Policy applies to the Australian companies and facilities in GRIP which are listed at the end of this Privacy Policy.
1.2 Multi-layered approach
This Privacy Policy has been developed in accordance with a 'layered policy' format endorsed by the Office of the Australian Information Commissioner. This means that it offers you the ability to obtain more or less detail about GRIP's information handling practices – depending on how much you wish to read, what you need to know and how quickly you need to obtain the relevant information.
If you only require basic information about GRIP's information handling practices, you can view our 'condensed' privacy policy. This is a summary of how GRIP collects, uses and discloses your personal information and how you can contact GRIP if you would like to access or correct any personal information which GRIP holds about you.
If you require more detailed information about GRIP's information handling practices, then you will need to read this document.
1.3 Currency
This Privacy Policy was last updated in October 2017 and may change from time to time. The most up-to-date copy will be published on the GRIP website or can be obtained by contacting us on the details set out at the end of this policy.
2. How GRIP Surgery handles your personal information
2.1 GRIP's Legal Obligations
As foreshadowed in Part 1 of this Privacy Policy, as a private sector health service provider, GRIP is required to comply with the APPs under the Privacy Act 1988 (Cth).
The APPs regulate how GRIP may collect, use, disclose and store personal information and how individuals may access and correct personal information which GRIP holds about them. For ease of reference, this Privacy Policy sets out GRIP’s position with respect to patient and other individuals’ personal information separately, although the APPs will apply equally.
2.2 Terms used
In this Privacy Policy, we use the terms:
"Personal information" as it is defined in the Privacy Act 1988 (Cth) means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
whether the information or opinion is true or not; and
whether the information or opinion is recorded in a material form or not.
Personal information also includes 'sensitive information' which is information such as your race, religion, political opinions or sexual preferences, biometric information used for biometric verification or identification, and biometric templates, and health information. Information which is 'sensitive information' attracts a higher privacy standard under the Privacy Act 1988 (Cth) and is subject to additional mechanisms for your protection.
“Health information" as it is defined in the Privacy Act 1988 (Cth) is a particular subset of ‘personal information’ and means information or an opinion about:
the health or a disability (at any time) of an individual; or
an individual's expressed wishes about the future provision of health services to him or her; or
a health service provided or to be provided to an individual,
that is also personal information.
“Primary purpose” means the specific function or activity for which the information is collected. Any use or disclosure of the personal information for another purpose is known as the “secondary purpose”.
2.3 Who does GRIP collect information from?
This Privacy Policy applies to GRIP’s collection and use of personal information from patients, visitors, next-of-kin, nominated support persons, referring doctors , Accredited Health Professionals, contracted health professionals, trainees (including medical professionals such as seconded or approved registrars, fellows and advanced trainees) students undertaking training placements in our facilities, contractors, suppliers, and service providers engaged by us, medical representatives attending our facilities and other individuals engaged by or providing services to GRIP.
2.3.1 Patients
In order to provide you with the health care services that you have requested (including assessment for or information in relation to the provision of health care services), GRIP will need to collect and use your personal information. If you provide incomplete or inaccurate information to us or withhold personal health information from us we may not be able to provide you with the services you are seeking.
2.3.2 Other individuals
In order to enable GRIP to engage with you for the relevant primary purpose, GRIP may need to collect and use your personal information. If you provide incomplete or inaccurate information to us or withhold personal information from us we may not be able to engage with you as required to meet that primary purpose.
2.3.3 Anonymity and pseudonymity
You have the option of dealing with GRIP anonymously or by using a pseudonym; however, we note that this may limit the services that we can provide to you if it is impracticable for us to deal with you in such an unidentified manner.
2.4 What information does GRIP collect?
2.4.1 Patients
We collect personal information from you that is reasonably necessary to provide you with health care services and for administrative and internal business purposes related to your attendance at a GRIP facility.
Often this may include collecting information about your health history, family history, your ethnic background or your current lifestyle to assist the health care team in diagnosing and treating your condition.
We will usually collect your health information directly from you. Sometimes, we may need to collect information about you from a third party (such as a relative or another health service provider). We will only do this if you have consented for us to collect your information in this way or where it is not reasonable or practical for us to collect this information directly from you, such as where your health may be at risk and we need your personal information to provide you with emergency medical treatment.
In some circumstances, personal information may be collected in the form of clinical images taken during your admission for the purpose of assisting or recording developments in your treatment. GRIP will, in such cases, manage your personal information contained in these clinical images in accordance with the APPs and this Privacy Policy.
If you have chosen to participate in the MyHealth Record program operated by the Commonwealth Department of Health, GRIP may access personal information stored in your MyHealth Record in accordance with the access controls that you have set within that system. If you do not want GRIP to access personal information stored in your MyHealth Record, it is your responsibility to modify the access controls as required. GRIP will only access information stored in your MyHealth Record to the extent required for your treatment by GRIP.
2.4.2 Other individuals
We collect personal information from you that is reasonably necessary to engage with you for the primary purpose, including the provision of services by GRIP, for GRIP’s functions or activities and for administrative and internal business purposes related to your dealings with GRIP.
We will usually collect your personal information directly from you. Sometimes we may need to collect information about you from a third party; however, we will only do this where it is not reasonable or practical for us to collect this information directly from you.
2.5 How does GRIP store your information?
GRIP may store the personal information we collect from you in various forms. GRIP will comply with the APPs, and this Privacy Policy, in respect of your personal information in whatever form that information is stored by us.
2.5.1 Patients
Storage of personal information may be in physical (paper) form and may also include storage through an electronic medical record system or storage of personal information (including clinical images taken for diagnostic or treatment purposes) on some diagnostic equipment where you have undergone a diagnostic procedure using such equipment in a GRIP facility.
2.5.2 Other individuals
Personal information may be stored in various forms including electronically via various data management software or systems in accordance with usual business practices, and depending on the primary purpose of your engagement with GRIP.
2.6 How does GRIP use your information?
GRIP only uses your personal information for the primary purpose for which you have given the information to us, unless one of the following applies:
The secondary purpose is related (or for sensitive information, directly related) to the primary purpose for which you have given us the information and you would reasonably expect, or we have told you, that your information is usually disclosed for another purpose or to other individuals, organisations or agencies (see related secondary purposes set out below);
you have consented for us to use your information for another purpose;
GRIP is required or authorised by law to disclose your information for another purpose (see related secondary purposes set out below);
the disclosure of your information by GRIP will prevent or lessen a serious and/or imminent threat to somebody's life, health or safety or to public health or public safety; or
the disclosure of your information by GRIP is reasonably necessary for the enforcement of a criminal law or a law imposing a penalty or sanction, or for the protection of public revenue.
GRIP may use or disclose your personal information as specified above via electronic processes, where available or relevant.
Related secondary purposes include:
The following is a list of examples of related secondary purposes for which GRIP may use your personal information, but is not an exhaustive list.
Patient specific examples:
(a) Use among health professionals to provide your treatment
Modern health care practices mean that your treatment will be provided by a team of health professionals working together.
You may be referred for diagnostic tests such as pathology or radiology and our staff may consult with senior medical experts when determining your diagnosis or treatment. With developments in technology (e.g. telemedicine) our staff may consult with health professionals and medical experts located remotely, including outside GRIP, in relation to your diagnosis or treatment, including by sending health information and clinical images electronically. Our staff may also refer you to other health service providers for further treatment during and following your admission (for example, to a physiotherapist or outpatient or community health services). We may disclose your personal information to the relevant provider to the extent required for any such referral (including disclosing that information electronically).
Your personal information will only be disclosed to those health care workers involved in, or consulted in relation to, your treatment and associated administration and to the extent required to meet that purpose.
These health professionals will share your personal information as part of the process of providing your treatment.
We will only do this while maintaining confidentiality of all this information and protecting your privacy in accordance with the law.
If you require prosthesis or another medical implantable product as part of your treatment, we may in some cases disclose your personal information to the manufacturer or supplier of that product for the purpose of ordering the product or to enable appropriate follow up.
(b) Assessment for provision of health care services
GRIP may collect your personal information for the purpose of assessing your suitability for health care services at a GRIP facility. Where personal information is collected and you do not become a patient of the facility, your personal information may be stored for a limited period of time before destruction. Where your assessment has been conducted at the request of a Health Practitioner, GRIP may report the outcome of the assessment to that Health Practitioner as it may be relevant to any ongoing treatment or care provided to you by them.
Where you undergo assessment by a third party provider (for example ACAT or a rehabilitation provider) during your admission to a GRIP facility for the purpose of transferring your care to that third party, GRIP may disclose your personal information to the third party provider for that purpose.
(c) Your local doctor
GRIP will usually send a discharge summary to your referring medical practitioner or nominated general practitioner following an admission to one of our facilities. This is in accordance with long-standing health industry practice and is intended to inform your doctor of information that may be relevant to any ongoing care or treatment provided by them. This discharge summary may be sent to your referring medical practitioner or general practitioner electronically.
If you do not want us to provide a copy of your discharge summary to your nominated general practitioner you must let us know. Alternatively, if your nominated general practitioner has changed or your general practitioner's details have changed following a previous admission, you must let us know.
(d) Other health service providers
If in the future you are being treated by a medical practitioner or health care facility that needs to have access to the health record of your treatment in one of our facilities, we will generally require an authorisation from you to provide a copy of your record to that medical practitioner or health care facility.
However, we may provide information about your health records to another medical practitioner or health facility outside GRIP without your consent in the event of an emergency where your life or health is at risk and you are not able to provide consent or as approved or authorised by law.
(e) Students and trainees
GRIP supports the placement of students and trainees at GRIP facilities and these students and trainees may have access to your personal information for the purpose of the placement. Students and trainees on placement at GRIP facilities are required to comply with the Privacy Act 1988 (Cth) (or other relevant privacy legislation) and where applicable our Privacy Policy.
(f) Relatives, guardian, close friends or legal representative
We may provide information about your condition to your spouse or partner, parent, child, other relatives, close personal friends, guardians, or a person exercising your power of attorney under an enduring power of attorney or who you have appointed your enduring guardian, unless you tell us that you do not wish us to disclose your personal information to any such person.
(g) Other GRIP entities
GRIP may share your personal information amongst its facilities listed at the end of this Privacy Policy. For example, this may occur where you are transferred between any of GRIP's facilities or to coordinate your care.
(h) GRIP Pharmacy and other Pharmacy service providers
The GRIP Pharmacy brand is owned by GRIP Health Care. However, each retail GRIP Pharmacy is an independently owned pharmacy business which is a franchise member of the GRIP Pharmacy network.
Pharmacy services provided to patients of GRIP facilities may be provided by GRIP, a GRIP Pharmacy franchisee or a third party service provider. In order to provide pharmacy services to you, we will disclose your personal information to the relevant pharmacy provider . Your personal information will only be disclosed to the extent required for your treatment and on the condition that the GRIP Pharmacy franchisee or third party service provider (as the case may be) undertakes to comply with the Privacy Act 1988 (Cth) (or other relevant privacy legislation) and where applicable our Privacy Policy.
Your personal information will only be provided to a retail pharmacy provider to provide services to you after your discharge from a GRIP facility where you have requested that service and/or consented to that disclosure.
(i) Contracted services
GRIP provides some health services to public patients and to groups such as Defence or Customs personnel under contracts with government. Where you receive services from us under any such arrangements, GRIP will provide your personal information (which in some cases may include a copy of your medical record for the relevant admission) to those government agencies as required under those contracts.
(j) MyHealth Record
For patients who participate in the MyHealth Record program (operated by the Commonwealth Department of Health), GRIP may upload personal information electronically to the MyHealth Record system unless you opt out.
(k) Maternity services
Some of our facilities which provide maternity services offer postnatal accommodation programs which may include postnatal accommodation services offered and provided at hotels. If you are eligible to, and elect to, participate in any such program, GRIP will disclose your personal details such as name, address and telephone number to the hotel for the purpose of satisfying the hotel’s check-in requirements.
(l) Other common uses
In order to provide the best possible environment in which to treat you, we may also use your personal information where necessary for:
activities such as quality assurance processes, accreditation, audits, risk and claims management, patient satisfaction surveys and staff education and training;
invoicing, billing and account management, including storage of provider details on GRIP billing software;
to liaise with your health fund, Medicare, the Department of Veteran's Affairs or another payer and, where required, provide personal information to your health fund, Medicare, the Department of Veteran's Affairs or other payer to verify treatment provided to you, as applicable and as necessary;
the purpose of complying with any applicable laws – for example, in response to a subpoena or compulsory reporting to State or Federal authorities (for example, for specified law enforcement or public health and safety circumstances);
the purpose of sending you standard reminders, for example for appointments and follow-up care, by text message or email to the number or address which you have provided to us; and
we may anonymise or aggregate the personal information that we collect for the purpose of carrying out customer, service, health outcome and other business analytics.
(m) Other uses with your consent
With your consent we may also use your information for other purposes such as including you on a marketing mail list, fundraising or research, statistical analysis, to promote GRIP goods and services and to improve and personalise our service offerings (including pastoral care visits). Please note, however, that unless you provide us with your express consent for this purpose, we will not use your information in this way.
Other non-patient specific examples:
(n) Associated services provided at GRIP facilities
GRIP may collect personal information (including details such as your name, email address and telephone number) to facilitate your access to associated services at GRIP facilities (for example WIFI), use of which is subject to terms provided at the time of accessing the relevant service. You may decline to provide personal information for this purpose but access to the service may not be granted in that case.
(o) CCTV
GRIP does use camera surveillance systems (commonly referred to as CCTV), at many of its facilities for the purpose of maintaining the safety and security of its staff, patients, visitors and other attendees to those facilities. GRIP's CCTV systems may, but will not always, collect and store personal information. GRIP will comply with the APPs and this Privacy Policy in respect of any personal information collected via its CCTV systems.
(p) Contractors under agreement
GRIP may provide, or allow access to, personal information to contractors engaged to provide professional services to GRIP’s business (e.g. Information Communication Technology providers) or to contractors to whom aspects of our services are outsourced. Where we outsource any of our services or hire contractors to perform professional services within our hospitals or health services (for example visiting medical officers, agency staff or allied health services) we require them to also comply with the Privacy Act 1988 (Cth) (or other relevant privacy legislation) and where applicable our Privacy Policy.
(q) Application for accreditation by health professionals
GRIP collects personal information from health professionals seeking accreditation and submitting to the credentialing process under its Facility Rules. Personal information provided by health professionals in this context is collected, used, stored and disclosed by GRIP for the purposes of fulfilling its obligations in connection with the Facility Rules.
(r) Job applications
GRIP collects personal information of job applicants who have responded to an advertised position for the primary purpose of assessing and (if successful) engaging applicants. The purpose for which GRIP uses personal information of job applicants includes:
managing the individual's employment, engagement or placement;
insurance purposes; and
ensuring that it holds relevant contact information.
GRIP may also store information provided by job applicants who were unsuccessful for the purposes of future recruitment or employment opportunities.
(s) Students / Trainees
GRIP collect personal information of students or trainees on placement for the primary purposes of providing the placement and facilitating assessment. The purposes for which GRIP uses personal information of students or trainees include:
managing the individual's placement;
ensuring the quality and safety of clinical care provided to GRIP patients;
insurance purposes;
ensuring that it holds relevant contact information; and
satisfying its legal obligations including obligations under any placement agreement.
GRIP may also store information provided by students or trainees following placement for the purpose of future recruitment or employment opportunities. If you do not want us to store your information in such circumstances, please let us know.
(t) Education and community engagement
GRIP may offer opportunities for health practitioners to participate in educational events or seminars for the purpose of continuing professional development or community engagement. When you register for or attend an event, GRIP may collect your personal information for the purpose of providing the service and recording your attendance.
GRIP may disclose your personal information to third parties for the purpose of confirming your attendance at the event including the provision of attendance records or certification. With your express consent, we may use your information for other purposes such as including you on a marketing mail list, fundraising or research, to promote GRIP goods and services and to improve and personalise our service offerings.
(u) Other common uses
We may also use your personal information where necessary for:
activities such as quality assurance processes, accreditation, audits, statistical analysis, risk and claims management;
invoicing, billing and account management, including storage of provider details on GRIP billing software;
the purpose of complying with any applicable laws – for example, in response to a subpoena or compulsory reporting to State or Federal authorities (for example, for specified law enforcement or public health and safety circumstances); and
We may anonymise or aggregate the personal information that we collect for the purpose of carrying out customer, service and other business analytics.
(v) Other uses with your consent
With your consent we can also use your information for other purposes such as including you on a marketing mail list, fundraising or research, statistical analysis, to promote GRIP goods and services and to improve and personalise our service offerings. Unless you provide us with your express consent for this purpose, we will not use your personal information in this way.
2.7 Access to and correction of your personal information
You have a right to have access to the personal information that we hold about you (for patients, this includes health information contained in your health record). You can also request an amendment to personal information that we hold about you should you believe that it contains inaccurate information.
GRIP will allow access or make the requested changes unless there is a reason under the Privacy Act 1988 (Cth) or other relevant law to refuse such access or refuse to make the requested changes.
If we do not agree to change your personal information in accordance with your request, we will permit you to make a statement of the requested changes and we will enclose this with your personal information.
Should you wish to obtain access to or request changes to your personal information held by GRIP you can ask for our Privacy Officer (see details below) who can give you more detailed information about GRIP's access and correction procedure.
GRIP may recover reasonable costs associated with supplying this information to you.
2.8 Data quality
GRIP will take reasonable steps to ensure that your personal information which we may collect, use or disclose is accurate, complete and up-to-date.
2.9 Data security
GRIP will take reasonable steps to protect your personal information from misuse, interference, loss, unauthorised access, modification or disclosure. We use technologies and processes such as access control procedures, network firewalls, encryption and physical security to protect your privacy.
GRIP will destroy or permanently de-identify any of your information which is in its possession or control and which is no longer needed for the purpose for which it was collected provided GRIP is not required under an Australian law or court/tribunal or otherwise to retain the information.
2.10 Cross border disclosure
GRIP may enter into arrangements with third parties to store data we collect or to access the data to provide services (such as data processing), and such data may include personal information, outside of Australia. GRIP will take reasonable steps to ensure that the third parties do not breach the APPs. The steps GRIP will take may include ensuring the third party is bound by privacy protection obligations which are the same (or substantially the same) as those which bind GRIP and requiring that the third party has information security measures in place which are of an acceptable standard and approved by GRIP.
3. How GRIP handles your personal information when you visit our website
This section of our Privacy Policy explains how we handle your personal information which is collected from our website: www.gripsurgery.com.au or the website.
3.1 Collection
When you use our website, we do not attempt to identify you as an individual user and we will not collect personal information about you unless you specifically provide this to us.
Sometimes, we may collect your personal information if you choose to provide this to us via an online form or by email, for example, if you:
complete your pre-admission form online;
upload personal information into a GRIP App;
submit a general enquiry via our contacts page;
register to receive share market reports;
register for an event or request information; or
send a written complaint or enquiry to our Privacy Officer.
When you use our website, we use the Google Analytics service to record and log for statistical purposes the following information about your visit:
your computer address;
your top level domain name (for example, .com,.gov, .org, .au etc);
the date and time of your visit;
the pages and documents you access during your visit; and
the browser you are using.
Our web-site management team use statistical data collected by Google Analytics to evaluate the effectiveness of our web-site.
Google makes available a browser “add-on” that prevents Google Analytics from collecting information about web site visits, we suggest you refer to the instructions for installation of Google Analytics Opt-out to learn more about this.
We are, however, obliged to allow law enforcement agencies and other government agencies with relevant legal authority to inspect our web server logs, if an investigation being conducted warrants such inspection.
3.2 Cookies
A "cookie" is a small bit of data our server sends to your browser that allows our server to identify and interact more effectively with your computer. Cookies do not identify individual users, but they do identify your ISP and your browser type.
This website uses temporary cookies. This means that upon closing your browser, the temporary cookie assigned to you will be destroyed and no personal information is maintained which will identify you at a later date.
Personal information such as your email address is not collected unless you provide it to us. We do not disclose domain names or aggregate information to third parties other than agents who assist us with this website and who are under obligations of confidentiality. You can configure your browser to accept or reject all cookies and to notify you when a cookie is used. We suggest that you refer to your browser instructions or help screens to learn more about these functions. However, please note that if you configure your browser so as not to receive any cookies, a certain level of functionality of the GRIP website and other websites may be lost.
3.3 Links to third party websites
We may create links to third party websites. We are not responsible for the content or privacy practices employed by websites that are linked from our website.
3.4 Use and disclosure
We will only use personal information collected via our website for the purposes for which you have given us this information.
We will not use or disclose your personal information to other organisations or anyone else unless:
you have consented for us to use or disclose your personal information for this purpose;
you would reasonably expect or we have told you (including via this policy) that your information is usually or may be used or disclosed to other organisations or persons for a related (or for sensitive information, a directly related purpose);
the use or disclosure is required or authorised by law;
the use or disclosure will prevent or lessen a serious and/or imminent threat to somebody's life, health or safety or to public health or public safety; or
the disclosure is reasonably necessary for law enforcement functions or for the protection of public revenue.
If we receive your email address because you sent us an email message, the email will only be used or disclosed for the purpose for which you have provided and we will not add your email address to an emailing list or disclose this to anyone else unless you provide us with consent for this purpose.
3.5 Data quality
If we collect your personal information from our website, we will maintain and update your information as reasonably practical and necessary or when you advise us that your personal information has changed.
3.6 Data security
GRIP is committed to protecting the security of your personal information. We use technologies and processes such as access control procedures, network firewalls, encryption and physical security to protect the privacy of information. We will take all reasonable steps to prevent your information from loss, misuse or alteration.
If you choose to complete our online forms or lodge enquiries via our website, we will ensure that your contact details are stored on password protected databases.
Staff members associated with website maintenance have access to our website's backend system. This is password protected. Our website service is also password protected.
3.7 Access and correction
If you wish to obtain information about how to access or correct your personal information collected via our website, please refer to Access and Correction at Item 2.7 of this document.