1. About this Policy
2. What personal information does Epworth collect?
3. How Epworth collects personal information
4. How Epworth uses and discloses personal information
5. Fundraising support
6. How we protect your personal information
7. Overseas Use or Disclosure
8. Your use of our website
9. How you may request access to or correction of your personal information
10. How can you make a complaint or find out more information?
11. Our contact details
12. Updates


1. About this Policy

1.1 Purpose

Epworth HealthCare (Epworth, we, us, our) cares about your privacy.

Epworth complies with its obligations under all applicable privacy and health records laws, including the Health Services Act 1988 (Vic), the Privacy Act 1988 (Cth) (and its Australian Privacy Principles) and the Health Records Act 2001 (Vic) (and its Health Privacy Principles). Where Epworth provides public health services, those service arrangements may also require Epworth to comply with public sector privacy obligations under the Privacy and Data Protection Act 2014 (Vic) from time to time.

Epworth recognises that the privacy principles under those laws apply to our relationship with patients, employees, service providers and others. Epworth requires that all health professionals and organisations doing business with us will similarly adhere to those privacy principles.

The purpose of this Privacy Policy is to clearly communicate to you how Epworth manages the personal information that we collect, use and disclose. This Privacy Policy also describes how you may contact us if you have any questions or complaints about your privacy or would like to access the personal information we hold about you.

1.2 Who does this Policy apply to?

This Privacy Policy applies to all Epworth facilities and entities which operate as part of the Epworth Group.

1.3 Terms used in this Policy

When used in this Privacy Policy, the term:

  • “personal information”, “sensitive information” and “health information” have the meanings given to those terms in the Privacy Act 1988 (Cth);
  • “primary purpose” means the specific function or activity for which the personal information is collected; and
  • “secondary purpose” means any use or disclosure of the personal information for a purpose other than the primary purpose.

References in this Privacy Policy to personal information include sensitive information and health information.

2. What personal information does Epworth collect?

As part of our activities in health care, training, research and charitable services, Epworth collects a wide range of personal information.

2.1 Patients

In order to provide health care services (including assessment for or information in relation to the provision of health care services) to current and prospective patients, it is necessary for Epworth to collect and use personal information. Where we collect your sensitive information or health information we will only do so with your consent or as otherwise permitted by law. The personal information that we may collect from you if you are, or will become, a patient includes:

  • name, address, email and contact numbers;
  • preferred name;
  • previous name;
  • date of birth;
  • gender and sex;
  • marital status;
  • occupation;
  • next of kin and their contact details;
  • country of birth;
  • ethnic background;
  • preferred language;
  • religion;
  • organ donor status;
  • health and medical history;
  • payment information (e.g. credit card details);
  • Medicare, concession card or PBS entitlement details;
  • details regarding your current health insurance or health fund;
  • advance care directives;
  • community pharmacist; and
  • details regarding your treating doctors (such as your general practitioner).

We may also collect personal information about someone else from you where that information forms part of your family, social and medical history and it is necessary for us to collect that information in order to provide your care and treatment.

Personal information may also be collected in the form of clinical images taken on or during your admission at an Epworth facility for the purpose of assisting with your treatment or recording developments in your treatment. Epworth will, in such cases, manage your personal information contained in these clinical images in accordance with the law and this Privacy Policy.

If you attend the private clinic of a doctor or other health professional at an Epworth facility, that doctor or other health professional may maintain and keep their own separate medical record about you.

2.2 Other individuals

We collect personal information from other individuals such as:

  • emergency contacts;
  • employees;
  • health professionals;
  • contractors and service providers;
  • students or trainees;
  • job applicants; and
  • referees for job applicants.

The personal information we collect from these individuals will depend on the way they are engaging with Epworth. We collect personal information that is reasonably necessary for us to engage with you for the primary purpose, including the provision of services by Epworth, for Epworth’s functions or activities and for administrative and internal business purposes related to your dealings with Epworth.

In relation to individuals employed by Epworth, individuals providing services to Epworth, students or trainees, the personal information we collect may include sensitive information including national police check or working with children check, health information and biometric data.

2.3 Incomplete or inaccurate information

If you provide incomplete or inaccurate information to us or withhold personal information from us we may not be able to provide you with the services you are seeking or to otherwise work or transact with you.

2.4 Anonymity and pseudonymity

You have the option of dealing with Epworth anonymously or by using a pseudonym. However, this may limit the services that we can provide to you if it is impracticable for us to deal with you in such an unidentified manner. For example, if you are a patient at Epworth, you cannot choose to be anonymous or use a pseudonym because this would prevent us from being able to treat you appropriately.

3. How Epworth collects personal information

Epworth collects personal information from a variety of sources including the individuals to whom the information relates, family members and associates, other health care providers, law enforcement agencies, insurance companies, Federal and State Government agencies, employers, and other individuals and/or entities who may have information relevant to Epworth’s activities.

We will usually collect your personal information directly from you. When collecting personal information from you, we may collect that information in various ways, including when you:

  • access or use our website;
  • speak with one of our representatives;
  • contact us for information;
  • fill out an online form or make an online application;
  • participate in surveys or research; or
  • submit a job application or accept employment with us.

Occasionally we may need to collect personal information about you from a third party such as your general practitioner, another health service provider, your family or carer, private health fund, Medicare or other Government agencies, credit reporting bureaus or law enforcement agencies. However, we will only do so if:

  • you have previously expressly or impliedly consented to the collection;
  • we cannot reasonably obtain the information from you, and we require the information for your care and treatment; or
  • the law otherwise permits us to do so.

If we become aware that we have received personal information about you from someone else that we have not requested and we determine that we would not have been permitted to collect that information under privacy laws, we will destroy or de-identify that information.

4. How Epworth uses and discloses personal information

4.1 Primary purpose

We collect personal information for the purposes of carrying out our functions in health care, training, research and charitable services, as well as in our capacity as an employer, landlord, tenant, and for other associated functions. We will generally only use your personal information for the primary purpose for which you have provided it to us. For example, if you are a current or prospective patient of Epworth, we will use and disclose your personal information for the purpose of providing health care services to you, including:

  • using and disclosing your information to the health professionals and other staff involved in your care and treatment at Epworth; and
  • using and disclosing your information to refer you to external service providers for diagnostic tests or to other health professionals during your care and treatment or after you are discharged.

If you are an individual other than a patient (such as a service provider or contractor), we may use your personal information to manage our relationship with you.

4.2 Secondary purposes

Epworth may also use and disclose your personal information for secondary purposes if one of the following applies:

  • the secondary purpose is related (or for sensitive information, directly related) to the primary purpose for which you have given us the information and you would reasonably expect, or we have told you, that your information is usually disclosed for another purpose or to other individuals, organisations or agencies;
  • you have consented for us to use your information for another purpose;
  • Epworth is required or authorised by law to disclose your information for another purpose;
  • the disclosure of your information by Epworth will prevent or lessen a serious and/or imminent threat to somebody's life, health or safety or to public health or public safety; or
  • the disclosure of your information by Epworth is reasonably necessary for the enforcement of a criminal law or a law imposing a penalty or sanction, or for the protection of public revenue.

We may use and disclose personal information for secondary purposes where permitted by law.

4.3 Examples

Examples of common ways we use and disclose personal information can be found here.

5. Fundraising support

Epworth is a not-for-profit hospital group which relies on the generosity of its community to assist it to continue to deliver excellence in treatment and care. As part of your hospital admission process, you will be asked on your admission form whether you do not wish to be contacted by Epworth Medical Foundation (EMF) in relation to fundraising support for Epworth. Where you have not opted-out of such contact on the admission form by ticking the relevant box, we will disclose your contact information to EMF. EMF may contact you to seek your support or to ask you to participate in Epworth’s fundraising activities.

Where you have not opted-out of receiving fundraising contact from EMF, you may be contacted by a representative of EMF or by an external fundraising agent engaged by EMF. In either circumstance, only your contact details are available to the person or organisation who will contact you, and no information regarding your medical treatment or condition is disclosed by us to them. External fundraising agents will inform you as to who they are, why they are calling and that the contact relates to fundraising for EMF or Epworth. If you are not provided with this information, please advise EMF through the contact details provided on the EMF website www.emf.org.au.

Should you wish to opt-out of fundraising contact at any time, you can contact Epworth’s Privacy Officer on the contact details set out below in Section 11 or use the opt-out mechanism provided under EMF’s Community Charter on the EMF website www.emf.org.au.

6. How we protect your personal information

The security of personal information is important to us. We store personal information in both paper and electronic form. Epworth has implemented measures to protect your personal information from misuse, interference, loss, unauthorised access, modification and disclosure. We use various procedures and technologies to protect your privacy, including requiring our staff to maintain confidentiality, access control procedures, audit trails, network firewalls and physical security. Epworth will take reasonable steps to destroy or permanently de-identify any of your information which we no longer require for the purpose for which we collected it, provided we are not required under law or otherwise to retain the information.

7. Overseas Use or Disclosure

Ordinarily, Epworth will not transfer your personal information to any person or organisation outside Australia without your permission. However, Epworth may enter into arrangements with service providers who may store some of Epworth’s data (which may include personal information) overseas and arrangements to outsource some of our internal business processes. If we do, we will ensure we comply with any privacy law requirements that relate to cross border disclosures of personal information.

We will take reasonable steps to ensure that overseas recipients of personal information do not breach Australian Privacy Principles. These steps may include ensuring the receiving person or organisation is subject to a law, binding scheme or binding contract that provides substantially similar protection to the Australian Privacy Principles and requiring that the recipient has appropriate information security protections in place.

8. Your use of our website

8.1 Scope

This section of our Privacy Policy explains how we handle your personal information which is collected from any Epworth website.

8.2 Collection

We will only collect personal information through our websites if you voluntarily provide it. Any personal information you provide to us through our websites will be handled in accordance with the principles described in the preceding sections of this Privacy Policy.

We may collect your personal information if you choose to provide this to us via an online form or by email, for example, if you:

  • complete your pre-admission form online;
  • submit a general enquiry via our websites;
  • register for an event or request information;
  • send a written complaint or enquiry to our Privacy Officer; or
  • register for access to an online portal.

Epworth cannot ensure that any information transmitted over the internet is secure and you transmit such information at your own risk. However, once we receive a transmission of personal information, we take reasonable steps to ensure that the information is secure on our systems in accordance with this Privacy Policy. When you access any of our websites, we will keep a record of your visit. We may collect the following information that does not identify you in relation to your use of our websites:

  • your computer address;
  • the date and time of your visit;
  • the type of browser you use;
  • the pages you visit;
  • the information you request; and
  • the country from which you request information.

We collect this information for statistical purposes and to monitor and improve our websites and services. We may be obliged to allow law enforcement agencies and other government agencies with relevant legal authority to inspect our web server logs if an investigation being conducted warrants such inspection.

8.3 Cookies

We use cookies. A cookie is a small data file that is stored on your browser or device and allows our computer server to identify your computer or device. This information allows content on our websites to load and function as intended when you access them and to monitor various statistics on use of our websites.

Cookies will not identify you, but they do identify your ISP (internet service provider) and browser type. Personal information such as your email address is not collected unless you provide it to us. We do not disclose domain names or aggregate information to third parties other than agents who assist us with our websites and who are under obligations of confidentiality. You can configure your browser to accept or reject all cookies and to notify you when a cookie is used. We suggest that you refer to your browser instructions or help screens to learn more about these functions. However, please note that if you configure your browser so as not to receive any cookies, a certain level of functionality of our websites may be lost.

8.4 Links to third party websites

Our websites may contain links to third party websites unrelated to Epworth. This Privacy Policy has no application to third party websites. Epworth makes no representation regarding, and is not responsible for, the content or the privacy practices of third party websites and has no knowledge of whether cookies or other tracking devices may be used by those sites.

8.5 Facebook ads

Epworth uses the Facebook pixel, an analytics tool to measure the effectiveness of our advertising. Epworth uses the pixel to serve related content to users based on their use of our websites and to optimise advertising based upon a user's likeliness to be interested in Epworth services. Additionally, the Facebook Pixel is used to inform targeting, by creating lookalike audiences with interests similar to those who've already visited our websites.

Opt-out: you can opt-out of Facebook's use of the pixel by visiting https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen or https://www.facebook.com/ads/about.

8.6 Google ads

Epworth uses Google Ads to serve interest-based ads, and to personalise advertising based on a user's engagement with our websites.

Opt-out: You can opt-out of personalised ads from Google by visiting https://support.google.com/ads/answer/2662922?hl=en-AU or http://optout.networkadvertising.org/?c=1.

9. How you may request access to or correction of your personal information

You have a right to have access to the personal information that we hold about you (for patients, this includes health information contained in your health record). You can also request an amendment to personal information that we hold about you should you believe that it contains inaccurate information.

You may also request that we correct the personal information we hold about you if you believe that it is inaccurate by contacting us at the details set out below in Section 11.

Epworth will allow access or make the requested changes unless there is a valid reason, including under the Privacy Act 1988 (Cth) or other relevant law to refuse such access or refuse to make the requested changes.

If we do not agree to change your personal information in accordance with your request, we will permit you to make a statement of the requested changes and we will enclose this with your personal information.

Should you wish to obtain access to or request changes to your personal information held by us, you may do so by contacting us at the details set out below in Section 11.

We may charge you for giving you access to your personal information in accordance with the fees and charges we are permitted to charge under the applicable laws.

10. How can you make a complaint or find out more information?

If you have any queries regarding how Epworth handles your personal information or wish to make a complaint about how we may have handled your personal information, you may contact us at the details set out below in Section 11. We will consider your complaint promptly and provide a written response on the outcome.

11. Our contact details

You may contact us about this Privacy Policy in any of the following ways:

By letter

Privacy Officer, Legal Services
Epworth HealthCare Corporate Office
c/- 89 Bridge Road, Richmond VIC 3121

By email

Please refer to this webpage for access to medical records (including by subpoena).

Online

Through the feedback form on the Patient Feedback page of our website.

If you would prefer to make your complaint to an external complaint body, or you are not satisfied with the handling or outcome of the Epworth complaints process, you may contact the following organisations to lodge a complaint:

Australian Information Commissioner
Online: https://www.oaic.gov.au/individuals/how-do-i-make-a-privacy-complaint

Health Complaints Commissioner (Victoria)
Online: https://hcc.vic.gov.au/make-complaint

12. Updates

This Privacy Policy was last updated in July 2023 and may change from time to time.

  • COVID-19 Privacy Policy Supplement

    What is the purpose of this privacy supplement?

    Epworth HealthCare and its related entities (Epworth) is committed to protecting the privacy and confidentiality of your personal information, including in the specific circumstances of the ongoing COVID-19 pandemic due to the severe acute respiratory syndrome coronavirus 2 (SARS-CoV-2). This document supplements our Privacy Policy (available at https://www.epworth.org.au/who-we-are/privacy-policy) and applies in respect of the personal information we collect in connection with a COVID-19 related purpose, including COVID-19 related health information that we collect from you or that you provide to us. To the extent our Privacy Policy applies to your personal information collected by Epworth, our Privacy Policy will continue to apply to this information except to the extent a narrower restriction is set out in this supplement.

    By providing your COVID-19 related personal information to us, you consent (to the extent that we require your consent under privacy laws to do these things) to Epworth collecting, using and disclosing your personal information in accordance with this privacy supplement.

    What additional personal information does Epworth collect regarding the COVID-19 pandemic?

    The personal information that we may collect from employees, contractors, students, job applicants, service providers, patients, VMOs, other staff, volunteers, visitors, and others in connection with COVID-19 includes:

    • the results of any recent COVID-19 tests you have undertaken
    • information about whether you have been potentially exposed to a positive COVID-19 case 
    • your vaccination status (no vaccination, one dose, two doses and third or booster doses) and vaccine type
    • information about any bookings or appointments you have made to receive a COVID-19 vaccine
    • a copy of your vaccination certificate
    • if you provide us with evidence of a medical exemption from receiving the vaccine (if applicable), a copy of that evidence and the reason for the medical exemption
    • contact tracing information including information about who you may have been in close contact with while at our premises, and
    • a scan of your temperature (if it is above the acceptable range prescribed by the relevant health authorities we will note this).

    Depending on your answers (and where temperature scanning is conducted, your result), or if you do not provide the requested information to us, you may be directed not to enter or remain on our premises or not to interact with us in-person at this time. For Epworth Personnel who are not vaccinated or who do not provide this information to us, please refer to the Epworth COVID-19 Staff Vaccination Protocol for further information.

    Where we ask if you have been in contact with a confirmed COVID-19 case, we will generally only be asking for you to provide information that does not identify the person who is the confirmed COVID-19 case. If you provide us with personal information relating to another person (such as a next of kin), you warrant that you have informed that person of the information set out in the relevant collection form and this supplement and obtained their consent to disclose their information to us for use in accordance with our Privacy Policy and this supplement.

    How Epworth uses this personal information

    Epworth will use the personal information noted in this supplement to allow us to (as relevant):

    • comply with health and safety obligations and any legal requirement to collect this information
    • ensure the health and safety of individuals including our staff, contractors, patients and visitors, as well as the security of our premises
    • manage our facilities and staff rostering, while adapting to the constantly changing working and regulatory environments brought about by the COVID-19 pandemic
    • make appropriate decisions in respect of rostering and work allocation in the safest reasonable manner
    • inform a third-party employer if we have refused one of their personnel entry to our premises
    • contact you (and your employer where you are providing third party services to, or at, Epworth), and report information including your contact details to appropriate health authorities, for COVID-19 contact tracing purposes, and
    • verify your COVID-19 test results, vaccine appointment bookings, vaccination status, vaccination certificate or medical exemption.

    We may also use this personal information to create aggregated data sets, generally on an anonymised basis, to provide to health authorities and other third parties. We may analyse this aggregated data to help make decisions about our business and our workforce in a way that allows us to continue our work while protecting the health and safety of our people and our patients.

    Who Epworth discloses this personal information to

    Epworth may disclose this personal information to:

    • health authorities, to report to and assist health authorities to undertake contact tracing for COVID-19
    • other entities who are part of the Epworth group
    • other persons as necessary to enable contact tracing or to assist compliance with occupational health and safety obligations 
    • your employer (where you are providing third party services to, or at, Epworth), to inform them if we have refused you entry to or permission to remain on our premises
    • our third-party technology service providers who provide the capabilities for us to collect, and securely store and manage this COVID-19 related personal information, or
    • other third parties as set out in our Privacy Policy or if required by law.

    We may also disclose de-identified, aggregated data sets publicly, for example to publicly disclose the percentage of vaccinated employees, workers, patients or visitors.

    Will your personal information be transferred or disclosed overseas?

    Ordinarily, Epworth will not transfer your personal information to any person or organisation outside Australia, without your permission. However, Epworth may enter into arrangements with service providers who may store some of Epworth’s data (which may include personal information) overseas. If we do, we will ensure we comply with any privacy law requirements that relate to cross border disclosures of personal information.

    How we protect your personal information

    Epworth has implemented measures to protect your personal information from misuse, interference, loss, unauthorised access, modification and disclosure as set out in our Privacy Policy.

    We may retain your personal information for as long as necessary to fulfil the purposes we collected it for, unless a shorter or longer period is required by law, and except as specified below. Epworth will destroy or permanently de-identify any of your information which we no longer require for the purpose for which we collected it, provided we are not required under law or otherwise to retain the information.

    Please note that all retention periods may be extended where required by law, where advised or requested by health authorities, or where we need to preserve and use personal information for the purposes of bringing or defending a legal claim. 

    Our contact details

    If you have any questions about this privacy supplement, you may contact us in any of the following ways:

    By letter

    Privacy Officer, Legal Services,
    Epworth HealthCare Corporate Office,
    c/- 89 Bridge Road, Richmond VIC 3121

    Online

    Through the feedback form on the Patient Feedback page of our website.

    Current as at 14 October 2021