MIGRAINE SPECIALIST INSTITUTE PRIVACY POLICY

A copy of this document can be downloaded as a PDF here

OVERVIEW

1. 1. At Migraine Specialist Institute Pty Ltd (ACN 662 320 774) (MSI, Company, we, us and our), we recognise the importance of your privacy and understand your concerns about the security of the personal information you provide to us.
   2. Consequently, we comply with the Australian Privacy Principles (APPs) as contained in the Privacy Act 1988 (Cth). We take pride in our adherence to these Principles.
   3. This Privacy Policy (Policy) details how the Company collects, manages, processes and handles Personal Information about you. By using our Website, or by submitting your Personal Information to us (whether via the completion of our new patient form or any other manner), you acknowledge that you have read and understood, and agree to the use of your Personal Information in accordance with this Policy.
   4. We reserve the right to revise this Policy or any part of it from time to time. Please review this Policy periodically for changes.

PRIMARY DEFINITIONS

Australian Privacy Principles (APP)

5. 5. Reference to APP in this policy means the Australian Privacy Principles contained in Schedule 1 of the Privacy Act. The APPs detail how personal information may be collected, used, disclosed, stored and destroyed, and how an individual may gain access to or make complaints about the personal information held about them.

Health Information

6. 6. Health Information has the same meaning as under the Privacy Act being and is a subset of Personal Information and includes:
      (a) information or an opinion about an individual’s health or disability;
      (b) the health services provided or to be provided to an individual;
      (c) an individual’s expressed wishes for the provision of future health services;
      (d) information collected about an individual to provide a health service; and,
      (e) information collected in connection with organ and body-part donation, and predictive genetic information.

Personal Information

7. 7. Personal Information has the same meaning as under the Privacy Act, being the information or an opinion about an identified individual, or about an individual who is reasonably identifiable from such information.

Privacy Act

8. The Privacy Act means the Privacy Act 1988 (Cth).

Sensitive Information

9. 9. Sensitive Information has the same meaning as under the Privacy Act being a sub-set of Personal Information, for information or an opinion about an individual’s racial or ethnic origin, political opinions, political association membership, religious beliefs or affiliations, philosophical beliefs, professional or trade association membership, trade union membership, sexual orientation, or practices or criminal record, and includes Health information and genetic information.

Services

10. 10. Our health services in relation to headache and migraine diagnosis, treatment, and management.

Website

11. 11. Means our website located at the domain https://migrainespecialist.com.au/ and which is operated by us and/or our corporate entities.

WHAT PERSON INFORMATION WE COLLECT AND HOLD

General

12. 12. At MSI, the collection of Personal Information, Sensitive Information and Health Information about you (and sometimes that of your family) is a necessary and unavoidable part of the health services we provide. All of the foregoing information is collected in order to enable our provision of the Services to you.

The Common Forms of Personal Information Collected by Us

13. 13. The kinds of Personal Information that we commonly collect and hold includes:

a) Identity information:

(i) such as your name, date of birth, gender, address, phone number, email address, and information about your family and/or next of kin;

b) Health Information:

(i) such as your medical history, family medical history, past and current medical treatments, lifestyle factors, treatment preferences and goals, other doctors involved in your care, previous or current investigations, reports and correspondence, as well as prescription and prescriber
history;

c) Information which is relevant to or necessary for the provision of our Services to you and/or required by law:

(i) Such as your Medicare number, health fund details, insurance information, concession details, Individual Healthcare Identifier (IHI), QScript history;

d) Details of how you paid for our Services:

(i) Such as bank account and credit card details, direct debit or cash transactions.

14. 14. We may also collect and hold any other Personal Information which is expressly necessary
        for us to carry out and provide to you our Services.

Collection of Sensitive Information

15. 15. We will only collect Sensitive Information about you with your specific consent, unless otherwise allowed or obliged by law to collect such information. For clarity, we may collect Sensitive Information about you where such collection is necessary to provide you with our Services. In circumstances where the collection of Sensitive Information about you is necessary, we shall endeavour only to collect the minimum amount of Sensitive Information or Health Information necessary to properly provide our Services to you.
    16. In circumstances where we are permitted by law to collect your Sensitive Information, we
        will nevertheless endeavour to first obtain your consent to do so.

Information Collected Automatically

17. 17. In visiting and/or interacting with our Website, our server’s will automatically log the
        following information provided by your browser:
        a) the type of browser and operating system you are using;
        b) the referring site that you visited;
        c) your computer’s IP address (a number which is unique to the device through which you are connected to the Internet);
        d) the date on which you visited the Website;
        e) the time which at which you visited the Website;
        f) the pages you visited on the Website; and,
        g) any documentation you downloaded from the Website.

Website Information

18. 18. The Website Information is used solely to generate statistics and analyse activity on the Website.

Cookies

19. 19. We may use cookies and similar tracking technologies to track activity on our Website.
    20. Cookies are files with a small amount of data which may include an anonymous unique identifier. Cookies are sent to your browser from a website and stored on your device. Other tracking technologies are also used such as beacons, tags and scripts to collect and track information and to improve and analyse our Service. For more information on cookies, you may visit the third-party site located at the domain: https://allaboutcookies.org/.
    21. We may use your Personal Information to customise and improve your user experience on our Website and other social media platforms. By using our Website, you agree that we can record this information from your device and access them when you visit the Website in the future.
    22. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. We confirm that you do not need to have configured your browser to enable the accepting or sending of Cookies in order to use the Website.
    23. Examples of cookies we may use include:
        a) Session Cookies: used to operate and improve your experience on the Website.
        b) Preference Cookies: used to remember your preferences and various settings on the Website.
        c) Security Cookies: used for security purposes.
    24. If you want to delete any cookies that are already on your computer, please refer to the help and support area on your internet browser for instructions on how to locate the file or directory that stores cookies.

HOW WE COLLECT AND HOLD PERSONAL INFORMATION

Direct Collection

25. 25. We aim to collect Personal Information (including Sensitive Information and Health Information) only directly from you, unless it is unreasonable, impracticable or necessary for us to do so.
    26. For example, we collect Personal Information from you or about you:
        a) from your direct interactions with us when you inquire about and/or obtain one of our Services;
        b) from your correspondence with us, including emails, letters and telephone calls;
        c) when you participate in our events, conferences, ceremonies, contests, programs or promotions;
        d) from new patient forms, contracts, questionnaires, surveys and other documents that you submit to us; and
        e) from your activity on our Website.
    27. Under the Privacy Act and the APP’s, you have the right to deal with us anonymously or under a pseudonym unless:
        a) the use of your true identity is a legal requirement; or
        b) it is impracticable for us to deal with you on such basis.
    28. Owing to the nature of our business and the Services offered, please be aware that it is generally impractical for us to deal with you anonymously or under a pseudonym. Where you provide us with inaccurate or incomplete information, we may not be able to properly provide you with and carry out our Services. We therefore request that you provide us with your full and correct name in respect of all interactions with us.

Collection from third-parties

29. 29. We may collect or acquire Personal Information from third-parties where it is necessary
        for us to do so in operating our business (e.g., to provide you with our Services) or
        otherwise permitted or required by law.
    30. For example, we may collect Personal Information about you from:
        a) Third-party health service providers (such as your referring general practitioner or another health service provider involved in your care);
        b) Medical institutions, boards, departments or authorities;
        c) Your relatives or friends (as strictly necessary);
        d) Your health insurance provider(s); and/or
        e) Financial institutions in control of your personal funds.

Collection of unsolicited Personal Information

31. 31. Any unsolicited personal information we receive from you shall be dealt with in accordance with APP 4.
    32. Specifically, we shall first determine if the unsolicited personal information could have reasonably been collected by us in accordance with APP 3. In the event it was not open to us to obtain the information under APP 3, we shall either destroy (provided it is lawful and reasonable to do so) or return the information.

WHY WE COLLECT, HOLD AND USE PERSONAL INFORMATION

33. 33. Under Australian privacy legislation, we may use your Personal Information only:
        a) for the primary purpose for which it was collected;
        b) reasonably expected secondary purposes which are related to the primary purpose;
        c) where we have obtained your consent; or,
        d) where we are otherwise required or authorised by law to do so.

34. 34. We collect, hold and use Personal Information from you or about you where it is reasonably necessary for us to carry out our business functions and activities. For example, we collect, hold, use and disclose your Personal Information as necessary to:
        a) reply to your inquiries;
        b) fulfill our ongoing obligations to you (e.g., provision of our Services) as a purchaser or prospective purchaser of our Services;
        c) adhere to our customer service and health service requirements and standards;
        d) to appropriately manage our practice and business (such as conducting audits, undertaking accreditation processes, managing billings and training our staff);
        e) develop and improve upon our Service offerings;
        f) market our Services;
        g) provide you with information about our existing Services;
        h) provide you with information on new Services or service offerings (such as where new health treatments and/or technologies are available);
        i) effectively communicate with third parties (such as health insurances, Medicare Australia and other governmental departments);
        j) carry out research (although we shall always request your consent to be involved in suchresearch); and
        k) deal with any complaints you may have.
    35. Where we use your Personal Information for marketing and promotional communications, please be aware that you can opt-out at any time by:
        a) notifying us via the contact information contained within paragraph 61 of this Policy;
        b) following the ‘opt-out’ procedures which are included in all of our marketing communications.
    36. We also collect, hold, use, and disclose your Personal Information for purposes related to
        the operation of our business that you would reasonably expect, including:
        a) our administrative and accounting functions;
        b) conducting fraud checks;
        c) conducting market research; and,
        d) using the Website Information to generate interaction statistics and conduct traffic analysis;
    37. Finally, we may also collect and use your Personal Information to:
        a) comply with our legal obligations;
        b) assist Government and enforcement bodies or regulators; or
        c) where we are otherwise required or authorised by or under law to do so.
    38. If we do not collect, hold, use or disclose your Personal Information, or if you choose not to provide certain Personal Information to us or do not consent to our collection, holding, use or disclosure of your Personal Information, we may not be able to provide you with the Services that you or your organisation have requested us to provide.

DISCLOSURE OF YOUR PERSONAL INFORMATION – AUSTRALIA

Collection of unsolicited Personal Information

39. 39. Under Australian privacy legislation, we may disclose your Personal Information only:
        a) for the primary purpose for which it was collected;
        b) reasonably expected secondary purposes which are related to the primary purpose;
        c) where we have obtained your consent; or,
        d) where we are otherwise required or authorised by law to do so.
    40. To this end, we do not use or disclose your Personal Information to any third parties except where we engage such parties to perform services for us, which may involve that party handling your Personal Information. In this situation, the relevant third party is prohibited from using your Personal Information for purposes other than the specific purpose for which such information was provided.
    41. Depending on your engagement with us, we may disclose your Personal Information to:
        a) Contractors and/or employees whom we have engaged to carry out or otherwise assist with our provision of the Services to you;
        b) Healthcare professionals who are directly involved in your treatment;
        c) Third-parties directly involved in your care, such as:

        i) your parents, children, relatives and close friends, guardians or a person exercising a power of attorney or enduring power of attorney (Please advise us if it is your wish no third party as stated is to have access to your personal information);
        ii) government departments and agencies, such as Defence or Department of Veterans Affairs, or departments responsible for health, aged care and disability where we are required to do so;
        iii) private health insurers and Medicare Australia; and,
        iv) anyone expressly authorised by you to receive your personal information.

    42. In circumstances where your medical records or Health Information is required in the case of a medical emergency, and where we consider the disclosure of such information is in your best interests, we may provide this information to relevant medical professionals without waiting for your consent.
    43. If our business operations are ever restructured, sold or merged with another organisation, your Personal Information may be disclosed and transferred as part of that restructure.
    44. In circumstances where we undertake research studies or activity which may involve the disclosure of your Personal Information, we shall:
        a) always request your consent to be involved in such research; and,
        b) ensure that your Personal Information is de-identified and/or anonymised prior to publishing any research papers and/or providing such research to third parties.

Other disclosures

45. 45. We may also disclose your Personal Information to third parties (including government departments, industry lobbying and advocacy groups and enforcement bodies) where required or permitted by law.
    46. Where we wish to use or disclose your Personal Information for all other purposes, we will first obtain your consent.

DISCLOSURE OF YOUR PERSONAL INFORMATION – OVERSEAS

47. 47. We generally do not disclose Personal Information to persons or entities located overseas.
    48. In the limited circumstances where it may be necessary to disclose your Personal Information to recipients outside of Australia, we will not disclose such information unless you have consented to the disclosure and:
        a) we have taken reasonable steps to ensure that the recipient does not breach the Privacy Act or the APPs; or
        b) the recipient is subject to an information privacy scheme similar to that provided under Privacy Act.

HOW WE HOLD AND STORE PERSONAL INFORMATION

49. 49. Your Personal Information is held and stored on paper, by electronic means or both. We have physical, electronic, and procedural safeguards in place for Personal Information and take reasonable steps to ensure that your Personal Information is protected from misuse, interference, loss and unauthorized access, modification, and disclosure. The measures we take include:
        a) storing Personal Information held on paper in locked offices in secure premises;
        b) secure archiving of documentation; on premises and replication to encrypted
        data centre stored in Australia
        c) protecting Personal Information held electronically with firewalls, encryption and password access;
        d) online data storage encryption, including 128 Encryption Security used for all Health Information and payment information;
        e) where we disclose Personal Information to third parties, our contractual arrangements with those third parties contain specific privacy requirements; and
        f) Our staff receive regular training on privacy procedures, and we have various internal processes and systems aimed to protect your privacy.

Destruction and De-identification

50. 50. We will retain your Personal Information whilst it is required for any of our business functions and activities, the provision of our Services, or for any other lawful purpose. Subject to applicable laws, we may destroy records containing Personal Information when the record is no longer required by us. However, as you may require your medical record in the future, we will generally retain your medical record on our system for your future use in accordance with this Policy and applicable legislation.
    51. In those circumstances where your Personal Information is no longer required, we will take reasonable steps and we will use secure methods to destroy or to permanently de-identify your Personal Information.
    52. As an example, our destruction and de-identification methods may include:
        a) Paper records being placed in security bins and shredded and/or sent for secure destruction; or
        b) Electronic records being:
        i) Deleted from all locations; or
        ii) Encrypted and/or placed beyond use.

LINKS TO THIRD-PARTY WEBSITES

53. 53. Our Website may contain links to other websites of interest. However, once you have used these links to leave our Website, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any Personal Information which you provide whilst visiting such sites and such sites are not governed by this Policy. You should exercise caution and look at the privacy statement applicable to the website in question.

REQUESTS FOR ACCESS AND CORRECTION

54. 54. We have procedures in place for dealing with and responding to requests for access to, and correction of, the Personal Information held about you. To this end, we encourage you to contact us if you have a query regarding your Personal Information. You may request an amendment to your personal information if you consider that it contains inaccurate, incorrect or incomplete information.
    55. Generally, you are able to access and request the correction of Information we hold about you by contacting us in one of the manners in the “Contact Us” section of our Website. In the alternative, you may submit requests using the contact information listed in paragraph 61 of this policy.
    56. In most cases, we expect that we will be able to comply with your request. However, if we do not agree to provide you access or to correct the information as requested, we will give you written reasons why. For further information, please contact us.
    57. To assist us to keep our records up-to-date, please notify us of any changes to your personal information.

DATA BREACHES

58. 58. If we suspect that a data breach has occurred, we will undertake an assessment into the circumstances of the suspected breach within 30 days after the suspected breach has occurred. Where it is ascertained that a breach has occurred and where required by law, we will notify the Privacy Commissioner and affected individuals as soon as practicable after becoming aware that a data breach has occurred.

COMPLAINTS AND CONCERNS

59. 59. We have procedures in place for dealing with complaints and concerns about our practices in relation to the Privacy Act and the APPs.
    60. If you have any concerns about our Policy or wish to make a complaint, please contact our Privacy Officer whose details appear below. We will deal with your complaint fairly and confidentially. On receipt of your complaint, we will contact you within 10 business days to confirm what investigation action will occur. We will then communicate the outcome to you in writing and invite a response to our conclusion about the complaint. If we receive a response from you, we will also assess it and advise if we have changed our view. If you are not happy with the response, you may refer the complaint to the Office of the Australia Information Commissioner on 1300 363 992 or enquiries@oaic.gov.au.

COMPLAINTS AND CONCERNS

61. 61. If you have any questions about this document, the data we hold, or you would like to exercise one of your rights regarding the data, please contact us using the information listed below:

Company Migraine Specialist Institute Pty Ltd
(ACN 662 320 774)

Attention Privacy Officer
manager@migrainespecialist.com.au
(07) 3831 1611

Postage
St Andrew’s Place,
Suite 312 Level 2, 33 North Street,
Spring Hill QLD 4000

© Migraine Specialist Institute Pty Ltd 2023
This Privacy Policy has been prepared with our legal team at
Macpherson Kelley Lawyers