Growing Bones Pty Ltd (ABN 88 605 293 721) (Growing Bones, we, us or our) is committed to protecting the privacy and confidentiality of your personal information.
Growing Bones provides osteopathic care, as well as holistic services that are complementary to osteopathic care, including aromatherapy, massage, and women's health/pelvic floor physiotherapy.
We will handle your personal information in accordance with the law. We are bound by the following privacy laws:
- The Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) in that Act; and
- The Health Records Act 2001 (Vic) and the Health Privacy Principles (HPPs) in that Act.
What is ‘personal information’?
This Policy applies to our handling of personal information. ‘Personal information’ means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information is true or not and whether the information is recorded in a material form or not.
Personal information includes ‘sensitive information’, which is a particular type of personal information. Sensitive information includes identifying health information about you (such as details of your health and medical history or the health services you have received).
Why do we collect personal information?
We may collect personal information from you so that we can provide services to you, or where this is otherwise necessary for our functions or activities. In particular, we may collect your personal information:
- to provide you with health services and other services;
- to provide you with information regarding our services;
- to arrange billing with you for our services; or
- to obtain your consent to the above services and activities.
You are not required to disclose your personal information to us. However, if you do not provide the information requested, we may not be able to provide you with appropriate services or treatment, or provide you with relevant information regarding our services.
If you are a client of Growing Bones, it will not be practicable for you to be treated on an anonymous basis or for you to use a pseudonym, because this would prevent us from being able to provide you with appropriate care.
How do we collect your personal information?
We will collect your personal information in a lawful and fair way and in a manner that is not unreasonably intrusive.
We will only collect your personal information where you have consented, or otherwise in accordance with the law.
We will usually collect your personal information directly from you through your interactions with us.
We may also collect your personal information from third parties, such as family members or guardians or other persons you have authorised to provide your personal information to us.
When we collect your personal information, we will as soon as is practicable take reasonable steps to notify you of the details of the collection (including notifying you through this Policy), such as the purposes for which the information was collected, the organisations (if any) to which the information will be disclosed, and also notify you that this Policy contains details on how you may access or correct your information, or raise any complaints.
What types of personal information do we usually collect?
We may collect personal information and health information about you (and your child if applicable), such as:
- your name and date of birth;
- your contact details, such as your address, email, phone number;
- your current symptoms or any previous diagnosis and/or treatment given to you;
- your health and medical history, lifestyle history, family history and genetic information and ethnic background, including any past medical reports and test results;
- your Medicare number, DVA number, WorkCover details and other government identifiers; and
- your appointment and billing details.
We may also collect personal information from individuals who are not clients, such as employees, contractors and service providers, to enable us to work or transact with them.
How your personal information is used
If you are a Growing Bones client, we generally use your personal information for the following main purposes:
- to provide health services and other services to you;
- to provide you with information regarding our health services and other services;
- to help us manage your accounts, for administrative services, including billing and arrangements with health funds, and for administration of our clinical records and practice management system;
- to refer you to other health professionals, such as your GP or specialist medical practitioners;
- to obtain and discuss medical reports and test results from other health professionals and diagnostic service providers (such as X-ray services);
- for identification and claiming benefits from third parties such as Medicare, private health insurance, the Department of Veterans' Affairs, WorkCover, and TAC; and
- to request your participation in a quality improvement activity (such as a survey) or research.
If you are a service provider, we may use your personal information to manage our relationship with you.
We may also use your personal information for purposes which are permitted under the applicable privacy laws, which may include the following:
- for purposes which are directly related to the main purposes for which we use your information (as above), in circumstances where you would reasonably expect us to use your information for these purposes;
- for management, planning, monitoring, improvement and evaluation of our services, where we take all reasonable steps to de-identify any information used; and
- for training and educating our own staff, where we take all reasonable steps to de-identify any information used.
Disclosure of your personal information to others
We respect the privacy of your personal information and we will take reasonable steps to keep it confidential and protected.
We may disclose your personal information to:
- other health professionals involved in the provision of your care, such as your GP or specialist medical practitioners; or
- hospitals, clinics, diagnostic service providers, and other organisations involved in the provision of your care,
where this is necessary for your ongoing care and support. If you tell us you do not wish for your personal information to be disclosed to a particular health professional or organisation, we will not do so without your consent.
We will not otherwise disclose your personal information to any third parties unless you have consented, or we are otherwise permitted or required to do so by law. This may include disclosure of your personal information in the following circumstances:
- disclosure to comply with our legal obligations, including, but not limited to, where we are required to provide information under a subpoena or Court order or other mandatory reporting requirements under law;
- to communicate with your private health fund, and other bodies such as Medicare, the Department of Veterans' Affairs, WorkCover, TAC, the Office of the Australian Information Commissioner (if you make a privacy complaint to the OAIC) or the Victorian Health Complaints Commissioner (if you make a health service complaint), as necessary; or
- where we are otherwise authorised or permitted to do so under law, such as where we reasonably believe disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.
If you are a service provider, we may disclose your personal information to manage our relationship with you.
We will only disclose your personal information to a recipient that is located overseas with your consent and in accordance with the requirements of the Privacy Act and the Health Records Act.
It may be necessary to disclose your personal information to persons or organisations outside of Victoria or overseas to provide you with ongoing care and treatment (for example, where a referral is made to a health professional located interstate).
We will only disclose your personal information outside of Victoria or overseas if:
- you have provided your prior consent, and the receiving person or organisation is subject to a law, binding scheme or binding contract that provides substantially similar protection to the APPs and HPPs which you can access and enforce; or
- the disclosure is otherwise required or authorised by law.
You may revoke your consent to any particular uses or disclosures of your personal information at any time. You may notify us of any revocation using our contact details listed below, or by notifying us at the time you are receiving services from us.
Protection of your personal information
We will protect your privacy and the security of your personal information by taking steps to ensure that your personal information is protected against misuse, interference and loss, and unauthorised access, modification or disclosure.
We also use physical and technological security measures to protect the personal information we hold.
We may hold your personal information in a number of ways including electronically and in physical format.
When your personal information is no longer required (and in the case of your health information, the information has been retained for the required periods under the HPPs or otherwise under law) we will take steps to securely destroy the information or to ensure that the information is permanently de-identified. Note that under law we are generally required to hold your health information for a minimum of seven years from the date of last entry for an adult, and for any clients who are children until they would have reached 25 years old.
Quality of the personal information we hold
We take reasonable steps to ensure that the personal information we collect, use and disclose is accurate, up-to-date, complete, relevant and not misleading.
How to access and correct your personal information
You may request to access the personal information that we hold about you, using our contact details below.
In certain circumstances, we may refuse to allow you access to your personal information where this is authorised by the law, such as where providing access would have an unreasonable impact on the privacy of other individuals, providing access would pose a serious threat to the life or health of any person or to public health or safety, or giving access would be unlawful.
If you believe that the personal information we hold about you requires correction (e.g. because the information is inaccurate, out-of-date, incomplete, irrelevant or misleading), you may request that the information be corrected using our contact details below.
If we refuse your request for access or correction, we will provide you with reasons for the refusal in writing, and details about how you may complain about the decision.
We are required to comply with the mandatory ‘notifiable data breach’ scheme (the NDB scheme) under the Privacy Act. The NDB scheme applies when an ‘eligible data breach’ of personal information occurs.
An ‘eligible data breach’ occurs when:
- there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an organisation holds; and
- this is likely to result in serious harm to one or more individuals; and
- the organisation has not been able to prevent the likely risk of serious harm with remedial action.
An organisation may take remedial steps to prevent the likelihood of serious harm occurring for any affected individuals after a data breach has occurred, in which case, the data breach is not an ‘eligible data breach’.
Where we have reasonable grounds to believe that we have experienced an eligible data breach (and remedial action cannot be used), we will promptly notify affected individuals and the Office of the Australian Information Commissioner about the breach in accordance with the Privacy Act.
We respect your privacy and we take all complaints and concerns regarding privacy very seriously.
If you have any complaints or concerns regarding the way we handle your personal information please contact us using the details below.
We will investigate your complaint using our internal processes, under which we will assess your complaint and respond to you as soon as possible, but no later than 30 days from receipt of the complaint.
If you are not satisfied with the outcome of our investigation, or if you do not wish to raise a complaint or concern with us directly, you may wish to contact:
- the Commonwealth Office of the Australian Information Commissioner. See oaic.gov.au; or
- the Victorian Health Complaints Commissioner. See https://hcc.vic.gov.au.
How to contact us
If you would like to contact us regarding any privacy matters, including where:
- you would like to request access to or correction of your personal information; or
- you have a complaint or concern regarding your privacy,
please contact us using the following details:
Updates to this Policy
We may update this Policy from time to time. We will notify you about any changes to this Policy through the Growing Bones website at www.growingbones.com.au.