A guide to how St.LukesHealth is committed to protecting your personal information and respecting your privacy.
In this policy, the following terms have the following meanings:
- APPs means the Australian Privacy Principles.
- Customer means all current, prospective, and former recipients of Products and Services from St.LukesHealth and Astute Simplicity Health.
- Customer Collection Purpose means the purpose of providing, managing and improving the health-related Products and Services available to you as a Customer of St.LukesHealth.
- Other Applicable Person(s) means individuals whose Personal Information we have collected in relation to the provision of our Products and Services who are not Customers, including service providers, contractors, job applicants and persons authorised to operate or administer a private health insurance policy on behalf of a member.
- Personal Information has the same meaning given to it in the Privacy Act. In general terms, it is information that can be used to personally identify you such as your name, contact details (such as phone number, addresses and email), employment information or date of birth. If the information we collect personally identifies you, or you are reasonably identifiable from it, the information will be considered personal information. Personal information also includes sensitive information and, in this policy, a reference to Personal Information includes Sensitive Information.
- Privacy Act means the Privacy Act 1988 (Cth).
- Product(s) and Service(s) means products, services, programs, events, and activities.
- Sensitive Information is defined in the Privacy Act. In general terms, sensitive information is personal information and includes an individual’s health information (as defined in the Privacy Act) and genetic information. Unless required by law, we will only collect sensitive information about you with your consent (including the consent you provide under this policy).
- St.LukesHealth means St Luke’s Medical and Hospital Benefits Association (ACN 009 479 618), and may also be referred to in this policy as “we”, “us” or “our”.
Our privacy commitment to you
St.LukesHealth recognises the importance of keeping the Personal Information that you entrust to us private and confidential. This policy has been compiled to outline how your Personal Information is handled and to inform you of the steps taken by St.LukesHealth to protect your privacy. Our staff are trained to respect your privacy in accordance with applicable privacy laws and our standards, policies and procedures. We are committed to managing your Personal Information in an open and transparent manner.
This policy outlines how we manage your Personal Information and how we comply with the Privacy Act and the APPs. It also describes in general terms, the types of Personal Information held, for what purpose Personal Information is held, and how that Personal Information is collected, held, used and disclosed. This policy may be updated from time to time.
This policy applies to all your dealings with St.LukesHealth whether it be at one of our customer care centres, at an agency, by telephone, electronically or personally with a St.LukesHealth representative.
Who does this policy apply to?
This policy applies to all Customers and all Other Applicable Persons.
When you become a Customer or Other Applicable Person you agree that we will collect, hold, use and disclose your Personal Information as described in this policy.
What personal information do we collect and why?
We will collect your Personal Information in a manner consistent with the Privacy Act and the APPs.
The Personal Information that we collect about you will depend on your relationship with us as a Customer or Other Applicable Person.
As a Customer of St.LukesHealth, we will collect Personal Information about you for the Customer Collection Purpose. This includes:
- identification information such as your name, date of birth, contact phone details, residential, postal and email addresses, gender, your family/single status, records of service contacts;
- your dependants’ information, namely, names, contact phone details, residential, postal and email addresses, to ensure they are eligible to be covered under your membership;
- Sensitive Information, including information about your claims, health, medical history, health services provided to you, and general and professional health care providers you see or have previously seen;
- information related to your health and wellbeing such as lifestyle interests, diet, exercise, and programs or activities you participate in with St.LukesHealth or third-party service providers with whom St.LukesHealth has a commercial relationship;
- financial information such as bank/credit card details if you wish to pay your premium by direct debit or have benefits transferred directly into your account;
- details relating to membership and coverage (including where applicable, details from any previous health insurer to determine eligibility for benefits and any applicable waiting periods);
- employer details for members paying by payroll deduction;
- as required or authorised by law, such as your Medicare number and information to verify your eligibility for the Australian Government Rebate on Private Health Insurance and to correspond with Services Australia;
- if you join a health management program, a chronic disease management program, or any other program developed to enhance the services available to you, we may hold information relating to your participation in that program;
- information about persons who have been designated to pay or act on behalf of you;
- other Personal Information that we consider necessary to provide our products and services to you.
For Other Applicable Persons, we may collect Personal Information about you for the purposes of administering our business relationship. This type of information may include:
- Identification information such as your name, contact phone details, business, residential, postal and email addresses.
- Information provided or sourced by us specific to your relationship with us.
How do we collect your personal information?
When it is reasonable or practicable to do so, we will collect Personal Information directly from you (referred to as 'solicited information'). This may occur when you fill out a form or give Personal Information over the telephone, in one of our customer care centres, or electronically. It is important that you always keep your contact details up to date.
We may also collect Personal Information from:
- a person authorised to provide information on your behalf, such as your carer, guardian or holders of your power of attorney, an individual nominated by you, or if you are a dependant under a policy we may collect Personal Information from the policy holder;
- hospital, medical and general treatment providers who treat you or have previously treated you;
- another health insurer (if you have transferred your membership to St.LukesHealth);
- your employer (if your premiums are paid via payroll deduction);
- a government agency or their authorised representatives (such as Services Australia);
- any subsidiary company of St.LukesHealth, or third-party service provider with whom St.LukesHealth has a commercial relationship, that provides health-related Products and Services to you;
- your or your dependants’ participation in health management programs, chronic disease programs, or any other program developed to enhance the services available to you;
- your attendance at events and activities organised or hosted by St.LukesHealth;
- service providers engaged by St.LukesHealth, or acting on our behalf;
- CCTV cameras in operation at our offices and retail centres; or
- other sources as required or authorised by law.
You, your policy and your dependants
When you commence a family, couples, or single parent membership with us you have the following responsibilities regarding your nominated dependants (spouse/partner and children):
- you consent to the collection, use and disclosure of the Personal Information of the nominated dependants for the purposes outlined in this policy.
- you will ensure that each dependant aged 16 years and over is made aware of this policy.
- you will only supply us with Sensitive Information pertaining to dependants aged 16 years and over with their consent. We will assume that when a member makes a claim on behalf of a dependant aged 16 years and over, that the member has consent from the dependant to supply us with the information relevant to processing the claim.
- you authorise all hospital, medical and general treatment providers to supply Personal Information to us (as reasonably required) consistent with the Customer Collection Purpose for yourself and your nominated dependants and/or membership. Furthermore, you will ensure that you have the consent of each dependant aged 16 years and over, to give this authority on their behalf.
What happens if we receive unsolicited personal information?
If we receive Personal Information about you that we have not sought out (referred to as ‘unsolicited information’), we will check whether that information is reasonably necessary for our functions or activities. If it is, we will handle this information in accordance with this policy. If we are not permitted to collect this Personal Information, it will be either destroyed or de-identified, but only if it is lawful and reasonable to do so.
Do you have to provide information?
For Customers, the Personal Information collected by us is necessary to provide, manage and improve the health-related Products and Services available to you as a Customer of St.LukesHealth. Failure to provide Personal Information may result in coverage being cancelled, a claim being rejected, or us being unable to provide you with the Products and Services you want.
For Other Applicable Persons, the Personal Information collected by us is necessary to administer and maintain our business relationship with you. Failure to provide Personal Information may result in us being unable to enter into, or to continue, a business relationship with you.
Use and disclosure of your Personal Information
We will use and disclose your Personal Information in a manner consistent with the Privacy Act and the APPs.
We will use and disclose your Personal Information with your consent. Otherwise, our use and disclosure of your Personal Information will depend on your relationship with us as a Customer or Other Applicable Person.
For Other Applicable Persons we will use and disclose your Personal Information for the purposes of administering our business relationship with you, or if you would reasonably expect your Personal Information to be disclosed because it is related to that purpose.
For Customers, we will use and disclose your Personal Information:
- for the Customer Collection Purpose; or
- where you would reasonably expect it to be disclosed because it is related (or, for Sensitive Information, directly related) to the Customer Collection Purpose.
For example, we may use and disclose your Personal Information to:
- identify you or verify your authority to act on behalf of a member;
- establish, maintain, and administer your membership, including assessing and processing your claims, and processing and receiving payments;
- deliver Products and Services to you;
- manage our ongoing relationship with you;
- provide effective risk management and to protect against fraud or improper claiming;
- meet internal functions such as administration, information technology, and accounting systems;
- for operational reasons including to maintain, review and develop our business systems, procedures and infrastructure including testing or updating our computer systems in order to securely and efficiently deliver our services to you and other Customers;
- train staff and perform quality assurance;
- investigate and resolve complaints relating to Products and Services provided by/or on behalf of St.LukesHealth;
- develop and improve the Products and Services that we offer to Customers that may enhance your experience as a Customer;
- identify whether you might benefit from participating in a health management program, chronic disease program or other health-related program, and, if so, contact you to provide you with further information about the relevant program(s);
- conduct surveys and market research in relation to our Products and Services;
- provide direct marketing communications to you;
- research and evaluate our Products and Services to provide more relevant Products and Services to you;
- keep you informed of other relevant information relating to St.LukesHealth;
- comply with any law or legislative requirements;
- act reasonably in exceptional circumstances, such as when there are reasonable grounds to believe that the disclosure is necessary to prevent a threat to an individual’s health and safety, for law enforcement purposes, or to protect public revenue.
Who do we disclose your Personal Information to?
The third parties to whom we may disclose your Personal Information include:
- persons authorised by you to act on your behalf;
- hospital, medical and general treatment providers who treat you or have previously treated you;
- service providers engaged by St.LukesHealth, or acting on our behalf;
- a subsidiary company of St.LukesHealth, or third party with whom St.LukesHealth has a commercial relationship, where you have agreed to participate in their program;
- a subsidiary company of St.LukesHealth, or third party with whom St.LukesHealth has a commercial relationship, that provides or has provided health-related services, products, events or activities to you;
- other health insurers if you transfer between health insurers;
- your employer if you choose to pay by payroll deduction. The information disclosed would only be that relating to payment of your membership.
- government agencies, regulatory bodies, industry bodies, complaints adjudicators, medical referees and others, including Medicare, Services Australia, the Australian Taxation Office, the Department of Health, and the Commonwealth Ombudsman;
- our professional advisors;
- other parties as authorised by law.
The health management programs, chronic disease programs, and other health-related programs offered by St.LukesHealth may be provided to you by third parties. For them to administer these programs and provide continuity of care to you within the programs, it is necessary for us to disclose your Personal Information to them. In relation to such programs:
- we will make it clear that the program will be provided to you by a third party and we will ask for your consent to participate in the program;
- your decision to participate in the program is voluntary;
- your premiums, claims and relationship with St.LukesHealth will not be affected by acceptance or non-acceptance of an offer to participate in the program;
- you may decline an offer to participate in the program, or may, at any time, withdraw from further participation; and
In some circumstances, we may disclose de-identified data to a third party, such as the entity that funds your participation, your employer, or a research institute for research purposes, to evaluate our service or to report on the global health of a population. In such circumstances we will ensure that the data cannot be reidentified or matched back to you personally in any way.
People dealing on your behalf
St.LukesHealth requires a written or verbal authority from you, or from an authorised representative (such as an attorney under a power of attorney) if you would like someone to deal with St.LukesHealth on your behalf or on behalf of any dependants on your membership. Before an executor or other representative can act on your behalf, or on behalf of your estate, St.LukesHealth requires evidence that an appropriate authority exists.
For Customers, we may use your Personal Information to provide direct marketing communications to you to notify you of new Products and Services and promotions that we think might be of interest to you, and that are being offered by St.LukesHealth, our related entities, or third parties with whom we have a commercial relationship.
For Other Applicable Persons, we may use your Personal Information to provide direct marketing communications to you that we think might be of interest to you based on our business relationship with you.
When you become a Customer or Other Applicable Person you agree that we can use your Personal Information to provide direct marketing communications to you, and you agree that permission continues until you contact us to withdraw it.
We may provide direct marketing communications to you via email, telephone, SMS, mail, our social media and mobile applications, or any other electronic means. We may provide direct marketing communications to you directly or through third parties on our behalf.
Direct marketing communications that you receive from us (or third parties on our behalf) will provide you with the option to ‘opt out’ of receiving them in the future.
You can also request to “opt out” from receiving direct marketing communications at any stage, if you no longer wish to receive them, by contacting our customer care centre on 1300 651 988, by email to email@example.com or on our website at https://www.stlukes.com.au/optout.aspx.
We will not sell your Personal Information to any organisation outside of St.LukesHealth.
How is your Personal Information protected and how long is it kept?
St.LukesHealth securely stores your Personal Information in a variety of ways including physical and digital formats. We have a range of digital and physical security measures in place to protect the Personal Information we hold from misuse, loss, unauthorised access, modification or disclosure.
Your Personal Information is kept while we need it to provide the Products and Services that you have requested from us and where applicable, we are required to keep it to comply with statutory requirements. Where St.LukesHealth determines it is no longer necessary to hold your Personal Information we will securely destroy, delete or permanently de-identify that information, wherever possible.
In the event that security of data is compromised, we will take reasonable steps to confirm any possible breach. If a breach is confirmed and it has the potential to cause you serious harm, we will notify you and provide you with a description of the breach, the kinds of information involved, and any recommended actions you could take to protect yourself.
Can you deal with us anonymously or using a pseudonym?
Yes, you can deal with us anonymously or using a pseudonym where it is lawful and practicable to do so. For example, if you were making a general inquiry as to the benefits we pay on a dental procedure there would be no need to provide your personal details. However, to verify that you are covered for a procedure and waiting periods or limits do not apply, membership details will be required.
In general, St.LukesHealth will not be able to deal with you anonymously or where you are using a pseudonym when:
- it is impracticable to do so; or
- we are required or authorised by law to deal with you personally.
Do we disclose your personal information to anyone outside Australia?
St.LukesHealth conducts its business operations within Australia and we generally use systems and service providers located in Australia.
However, we may use cloud-based systems or networked data storage systems that store Personal Information overseas. We may also use third party service providers who store Personal Information overseas. We commit to review the terms of service of any service provider of cloud or networked data storage, and any third party who we will share Personal Information with pursuant to a commercial relationship, to ensure that the security of your Personal Information is addressed in any service level agreement.
We may also use social media platforms and digital content operators that are based overseas in our direct marketing communications and we may transfer some Personal Information to those platforms for that purpose.
Because we, and third parties that we deal with, may use cloud-based systems or networked data storage systems to store Personal Information it is not practicable for us to identify all of the countries to which your Personal Information may be transferred.
How can you access your personal information?
You are entitled to access your Personal Information (or that of any dependant aged under 16 years) unless there are certain legal reasons why you cannot.
When a dependant is aged 16 years or older, St.LukesHealth will not give access to, or allow correction of, the dependant’s Personal Information by the dependant’s parents or other relevant guardians, unless it can be proven that the dependant is not able to exercise sound judgment, is of impaired capacity, or the dependant has provided us with authority to do so.
St.LukesHealth may allow dependants under the age of 16 years to access, and correct their Personal Information if it can be reasonably established that they are able to exercise sound judgment. In this instance, their Personal Information will be handled in the same manner as a dependant who is 16 years or older.
Access is subject to some exceptions allowed by law. These include where:
- access would pose a serious threat to the life or health of an individual.
- access would have an unreasonable impact on the privacy of others.
- the request is frivolous or vexatious.
- the information relates to a commercially sensitive decision making process.
- access would be unlawful.
- access would prejudice enforcement activities relating to criminal activities and other breaches of law, public revenue, a security or negotiations with you.
- access relates to existing or anticipated legal proceedings.
- denying access is required or authorised by or under law.
If you wish to access your Personal Information, please contact one of our customer care centres or send your request by email to firstname.lastname@example.org. We will give you access to your information in the form that you want it where it is reasonable and practical to do so and we are satisfied as to your identity. There may be a charge associated with retrieving your Personal Information depending on the complexity of your request. However, we will inform you of any fee payable at the time a request is made.
If we cannot provide your information in the way you have requested, we will advise you of the reasons in writing.
What if my information is incorrect?
St.LukesHealth will take reasonable steps to ensure that the Personal Information we collect, use or disclose is accurate, complete and up to date. Please contact us at email@example.com if you believe that your Personal Information is inaccurate, incomplete, irrelevant, misleading or out of date. St.LukesHealth may also correct the Personal Information it holds about you if we become aware it is out of date or inaccurate.
If you ask St.LukesHealth to correct any Personal Information, we will assist you. We will help you manage corrections.
Whether St.LukesHealth made the mistake or it was someone else, we will help you ask for the Personal Information to be corrected. In this circumstance we may be required to discuss this correction with other parties.
If St.LukesHealth is able to correct your Personal Information, we will let you know within five business days of deciding to do this. If you ask us to do so, we will advise any relevant third parties of the correction, unless it is impracticable or unlawful for us to do so.
If St.LukesHealth is unable to correct your Personal Information, we will let you know within five business days of making this decision. If you are dissatisfied with our decision you can refer your complaint to the Office of the Australian Information Commissioner. Contact details are listed at the end of this policy.
If St.LukesHealth agrees to correct your Personal Information, we will do so within 30 days from when you requested the change, or a longer period that has been agreed by you.
If we cannot make the correction within a 30 day time frame or the agreed time frame, we must:
- let you know about the delay, the reasons for it and when we expect to resolve the matter;
- ask you to agree in writing to give us more time; and
- let you know you can complain to the Office of the Australian Information Commissioner.
Any correspondence received by St.LukesHealth, including via the post, fax or email, is retained and recorded within St.LukesHealth membership communications. St.LukesHealth keeps these records in order to maintain the highest possible customer service levels and for any future enquiries. St.LukesHealth also retains any correspondence St.LukesHealth sends to you. The retention of these records may also help us in the investigation of potential fraud and violations of the St.LukesHealth User Agreements. We maintain policies and procedures for the retention of documents and data which govern the use of, and access to, such material.
Our Web Site
St.LukesHealth recognises the importance of providing you a secure environment when communicating with us via the Internet, and appropriate measures have been put in place to protect your Personal Information. For example, we use industry accepted methodology to secure your Personal Information when you register for and use St.LukesHealth Connect. Your secured information is protected from unauthorised access through the use of firewalls, secure passwords and SSL Certificates.
St.LukesHealth may collect usage data from your computer when you visit our website through the use of tracking and/or cookies. This collection is to enable us to maintain and improve our online service. Any information collected is not linked in any way to personal identification details of members. Visitors to our website can adjust their browser preferences to prevent the collection of data. However, if you adjust your browser preferences, there may be some features of our website that will not be available to you and/or some pages may not display properly.
How do I make a complaint?
St.LukesHealth will make every attempt to ensure that your privacy is not breached; however, if you believe that your privacy has been breached, you can visit a Customer Care Centre, phone 1300 651 988, send an email to firstname.lastname@example.org or complete and send a Customer Feedback form to the address mentioned below.
The Privacy Officer
P.O. Box 915
Launceston TAS 7250
We will endeavour to resolve any issues you may have promptly and amicably. However, if you believe that we have not resolved the issue, you may refer the matter to the Office of the Australian Information Commissioner:
Mail: GPO Box 5218, Sydney, NSW 2001
Phone: 1300 363 992
St.LukesHealth reviews this policy frequently to keep it up to date with laws, technology and industry changes. An up-to-date copy of the policy can be viewed or downloaded from www.stlukes.com.au.
For more information on your privacy you can visit www.oaic.gov.au.