The Skin & Cancer Foundation Australia (ACN 001 578 105) trading as The Skin Hospital (The Hospital, we, us, our) is committed to protecting the privacy of individuals (you, yours). The Hospital is subject to the Privacy Act 1988 (Cth) (Privacy Act), the Australian Privacy Principles (APPs) and the Health Records and Information Privacy Act 2002 (NSW).

The Hospital is committed to protecting the privacy of the personal information and sensitive information of individuals which it collects. This Privacy Policy (Policy) sets out the scope of The Hospital’s commitment to data privacy and provides a clear statement of how personal information will be managed by The Hospital.

This Policy covers the collection, use, disclosure and storage of all personal information provided to us and explains:

• the kinds of information that The Hospital may collect about you and how that information is held;
• how The Hospital collects and holds personal information;
• the purposes for which The Hospital collects, holds, uses and discloses personal information about you;
• how you can access the personal information The Hospital holds about you and seek to correct such information; and
• the way in which you can complain about a breach of your data privacy and how The Hospital will handle that complaint.

In this Policy we use the following terms:

Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable whether the information or opinion is:

• true or not; and
• recorded in a material form or not.

Sensitive information means personal information or an opinion about an individual’s:

• racial or ethnic origins;
• political opinions or political associations;
• philosophical beliefs or religious beliefs or affiliations;
• sexual preferences or practices;
• criminal record;
• photographs; or
• health information about an individual.

Health information is personal information or an opinion about:

• an individual’s physical or mental health or disability (at any time);
• an individual’s express wishes about the future provision of health services for themselves;
• a health service provided, or to be provided, to an individual; or
• other personal information collected to provide, or in providing, a health service.

All staff at The Hospital are responsible for ensuring compliance with this Policy.

The Hospital will only collect information which is necessary to facilitate provision of health care services by a member of The Hospital to you or to manage, conduct and oversee the Hospital’s businesses. This may include (as applicable):

• Patients/clients/research participants: The Hospital collects information from you to facilitate the provision of health care services to you by members of The Hospital or to enable you to participate in research studies. This includes collecting personal information such as your name, address, as well as sensitive and health information such as your health history, family history, past and current treatments, lifestyle factors, patient photographs and any other information which is necessary to assist the health care team in providing appropriate care, or our research team in conducting its research.
• Medical Practitioners, students, contractors and volunteers: The Hospital collects information from you which is necessary to properly conduct, manage and oversee The Hospital’s businesses. This includes collecting personal information such as your name, address, professional experience, qualifications and past employers, and any other information which may be necessary to appropriately conduct, manage and oversee The Hospital’s businesses.
• Referring Doctors: The Hospital collects information from you for the purpose of contacting you about your patient(s) and to maintain our relationship with you. For example, The Hospital may send you educational material and invite you to webinars and conferences. To do this, we collect personal information from you such as your name, number, phone number, email address (if applicable) and any other information which may be reasonably necessary to maintain our relationship with you.
• Job applicants: The Hospital collects information from you, which is necessary to assess and engage job applicants. This includes collecting personal information such as your name, address, professional experience, qualifications, references and past employers, and any other information which is necessary to process your job application. We may need to collect sensitive information such as disabilities or tax file number.
• Donors: Where you have consented, The Hospital collects information from you for the purposes of fundraising for The Hospital group including agreeing to the terms of and managing any donations you agree to make. This includes collecting personal information such as your name and address which may be used to provide communications including newsletters and promotions for the purpose of fundraising.

If you provide sensitive information to us voluntarily, you consent to us collecting this information.

Where possible and practicable, you will have the option to deal with The Hospital on an anonymous basis or by using a pseudonym. However, if the personal information you provide us is incomplete or inaccurate, we may not be able to provide the assistance or support you are seeking, or deal with you effectively.

You don’t have to give us all the information we request. However, if you do not provide us with some or all of the personal information required, we may not be able to provide you with services or information you request, to the requested standard or at all. You may also miss out on receiving valuable information about us and our services.

We will usually collect your personal information directly from you, including in person, by phone, our website and through the General Patient Consent Form and patient photographs. Sometimes we may need to collect information about you from third parties, such as:

• Another health service provider;
• Past employers and referees; or
• Related entities, if any.

We will only collect information from third parties where:

• You have consented to such collection;
• Such collection is necessary to enable us to provide appropriate health care services by a member of The Hospital;
• Such collection is reasonably necessary to enable us to appropriately manage, conduct and oversee The Hospital’s businesses; or
• It is legally permissible for us to do.

The Hospital only use, holds and discloses your personal information for the purpose for which it was collected by us (primary purpose), unless:

• There is another purpose (secondary purpose) and that secondary purpose is directly related to the primary purpose, and you would reasonably expect, or the Hospital has informed you, that your information will be used for that secondary purpose;
• You have given your consent for your personal information to be used for a secondary purpose; or
• The Hospital is required or authorised by law to use your personal information for a secondary purpose (including for research and quality improvements within The Hospital).

The primary purpose may include to:

• Facilitate the provision of health care services to you by a member of the Hospital group including doctors, specialists and Medical Practitioners;
• Facilitate the provision of any ongoing health related services to you;
• Conduct research; appropriately manage, conduct and oversee The Hospital’s businesses, such as assessing insurance requirements, conducting audits, and undertaking accreditation processes;
• Assist The Hospital to manage, conduct and oversee The Hospital’s businesses, including quality assurance programs, billing, improving its services, implementing appropriate security measures, conducting research and training personnel;
• Maintain appropriate records of current staff personnel, assess and process applications of prospective employees and carry out general HR functions;
• Where required, effectively communicate with third parties, including Medicare Australia, private health insurers and Department of Veterans’ Affairs; and conduct fundraising activities (where you have consented).

The Hospital will confine its disclosure of your personal information to the primary purpose for which that information has been collected, or for a related secondary purpose. This includes when disclosure is necessary for a member of The Hospital to provide health care services to you, to help us manage, conduct and oversee the Hospital’s businesses, or for security reasons. We may provide your personal information to:

• Medical and other healthcare professionals involved in your care;
• Government agencies, such as the Department of Defence or the Department of Veterans’ Affairs, where an individual is receiving services with a member of The Hospital under arrangements with those agencies;
• Government departments responsible for health, aged care and disability where the Hospital is required to do so;
• Third parties contracted to provide services to The Hospital, such as entities contracted to assist in accreditation or survey processes;
• Research institutions with which The Hospital collaborates;
• Private health insurance providers including Department of Veteran Affairs and Medicare Australia;
• Anyone authorised by you to receive your personal information (your consent may be express or implied);
• Fundraising institutions associated with The Hospital (where you have consented); and/or
• A person if disclosure of your personal information to that person is required by law.

Where we engage third party service providers, we may disclose personal information to those service providers who may use, process and/or store that information locally. In circumstances where a third party may be based or have servers located overseas, we will take all reasonable steps to ensure that your information is only disclosed and used for authorised purposes and adequately protected using the appropriate technical, organisational, contractual and other lawful means. Currently, The Hospital discloses personal information provided by referral from doctors to servers located in Japan.

We require that all third parties, to whom we disclose personal information or who may have access to personal information, to have appropriate controls to protect your personal information in a manner that is consistent with our Privacy Policy, including in relation to security and confidentiality. They must only process your personal information for authorised purposes.

• Data quality – The Hospital takes reasonable steps to ensure that your personal information which is collected, used, or disclosed is accurate, complete and up to date.
• Storage – all your personal information held by The Hospital is stored securely in either hard copy or electronic form.
• Data security – The Hospital implements a range of technical, administrative and physical measures to safeguard your information from misuse, interference, loss and unauthorised access, modification or disclosure, including electronic and physical access restrictions to files containing personal information and ensuring encryption of personal information sent and received. The Hospital also reviews and updates (where necessary) its security measures in light of current technologies.
• We require that all third parties, to whom we disclose your personal information to or who may have access to your personal information, have appropriate controls to protect your personal information in a manner that is consistent with our Privacy Policy, including in relation to security and confidentiality. They must only use your personal information for authorised purposes.
• Online transfer of information – While The Hospital does all it can to protect the privacy of your personal information, no data transfer over the internet is 100% secure. When you share your personal information with The Hospital via an online process, it is at your own risk. There are ways you can help maintain the privacy of your personal information, including:
  •  always close your browser when you have finished your user session;
  • always ensure others cannot access your personal information and emails if you use a public computer; and
  • never disclose your username and password to third parties.

• Data Retention – Your personal information will be retained for as long as reasonably necessary for the purpose for which it was collected, or as required by law. When we no longer need your personal information, we have procedures in place to either destroy it in a secure manner or to permanently de-identify the information.

A ‘cookie’ is a small data file placed on your machine or device which lets The Hospital identify and interact more effectively with your computer. Cookies are industry standard and are used by most websites, including those operated by The Hospital. Cookies can facilitate a user’s ongoing access to and use of a website. Cookies allow The Hospital to customise our website to the needs of our users. If you do not want information collected through the use of cookies, there is a simple procedure in most browsers that allows you to deny or accept the cookie feature. However, cookies may be necessary to provide you with some features of our on-line services via the Hospital website.

The Hospital may provide links to third party websites. These linked sites may not be under our control and the Hospital is not responsible for the content or privacy practices employed by those websites. Before disclosing your personal information on any other website, we recommend that you carefully read the terms and conditions of use and privacy statement of the relevant website.

You have a right to access your personal information which The Hospital holds about you. If you make a request to access your personal information, we will ask you to verify your identity and specify the information you require. You can also request an amendment to any of your personal information if you consider that it contains inaccurate information.

You can contact The Hospital Privacy Officer about any privacy issues using the Contact details below.

While The Hospital aims to meet all requests for access to personal information, in a small number of cases and where permitted to do so by law, The Hospital may not give access or may do so only under conditions. Subject to applicable laws, The Hospital may destroy records containing personal information when the record is no longer required by The Hospital.