Privacy policy


This privacy policy is to provide information to you, our patient, on how your personal information (which includes your health information) is collected and used within our practice, and the circumstances in which we may share it with third parties.

Why and when your consent is necessary

When you register as a patient of our practice, you provide consent for our GPs and practice staff to access and use your personal information so they can provide you with the best possible healthcare. Only staff who need to see your personal information will have access to it. If we need to use your information for anything else, we will seek additional consent from you to do this.

Why do we collect, use, hold and share your personal information?

Our practice will need to collect your personal information to provide healthcare services to you. Our main purpose for collecting, using, holding and sharing your personal information is to manage your health. We also use it for directly related business activities, such as financial claims and payments, practice audits and accreditation, and business processes (eg staff training).

What personal information do we collect?

The information we will collect about you includes your:     

  • names, date of birth, addresses, contact details
  • medical information including medical history, medications, allergies, adverse events, immunisations, social history, family history and risk factors
  • Medicare number (where available) for identification and claiming purposes
  • healthcare identifiers

Dealing with us anonymously

You have the right to deal with us anonymously or under a pseudonym unless it is impracticable for us to do so or unless we are required or authorised by law to only deal with identified individuals.

[Note: The Privacy Act requires you to provide patients with the option of not identifying themselves, or of using a pseudonym, when dealing with you (APP 2) unless it is impracticable for you to do so. Information about this should appear in the practice privacy policy or collection notice.]

How do we collect your personal information?

Our practice may collect your personal information in several different ways.

  1. When you make your first appointment our practice staff will collect your personal and demographic information via your registration. By submitting this duly signed form to us you are giving consent for us to use this information in order to treat you in the best possible way. As the practice uses only electronic records stored in a secure computer system your personal data will be entered on the system.
  2. During the course of providing medical services, we may collect further personal information. This may include but is not limited to medical records transferred with your consent from other doctors- GP s and specialists, allied health practitioners, hospitals, lawyers and insurance companies and other stakeholders.
  3. We may also collect your personal information when you telephone us or send us an email,
  4. In some circumstances personal information may also be collected from other sources. Often this is because it is not practical or reasonable to collect it from you directly. This may include information from:
  • your guardian or responsible person
  • other involved healthcare providers, such as specialists, allied health professionals, hospitals, community health services and pathology and diagnostic imaging services
  • Medicare or the Department of Veterans’ Affairs (as necessary).

When, why and with whom do we share your personal information?

We sometimes share your personal information:

  • with third parties who work with our practice for business purposes, such as accreditation agencies or information technology providers – these third parties are required to comply with APPs and this policy
  • with other healthcare providers
  • when it is required or authorised by law (eg court subpoenas)
  • when it is necessary to lessen or prevent a serious threat to a patient’s life, health or safety or public health or safety, or it is impractical to obtain the patient’s consent
  • to assist in locating a missing person
  • to establish, exercise or defend an equitable claim
  • for the purpose of confidential dispute resolution process
  • when there is a statutory requirement to share certain personal information (eg some diseases require mandatory notification)
  • during the course of providing medical services, through eTP, My Health Record (eg via Shared Health Summary, Event Summary).

Kambah Village Medical Practice advises patients of the practice that we do not upload patient data to MyHealth Record eRx or other aggregated health information services.

Only people who need to access your information will be able to do so. Other than in the course of providing medical services or as otherwise described in this policy, our practice will not share personal information with any third party without your consent.

We will not share your personal information with anyone outside Australia (unless under exceptional circumstances that are permitted by law) without your consent. Exceptional circumstances include postings and travel overseas where you fall ill or suffer an injury. In these cases, we will require you to fill in a transfer of medical records form in order for your request for transfer of your medical records to be carried out. As it is usual for request of this nature to be sent electronically please understand that although the practice takes reasonable care to send the documents securely, we take no responsibility for the improper use of your personal health information by other parties in relation to this matter. Patients should note that some countries do not have secure handling infrastructure for digital personal information as well as secure privacy legislation similar to our own.

If you know in advance that your medical record should accompany you overseas then you can request that your treating doctor provide you with your entire or any part of your medical record that you require. This can be done in various electronic formats including XML or PDF.

Our practice will not use your personal information for marketing any of our goods or services directly to you without your express consent.

How do we store and protect your personal information?

Your personal information is stored at our practice digital format. Our servers and workstations are protected by hardware and software devices (firewalls, virus protection and spyware) supported by professional  IT services with regular back up both on and off site . At the date of this document Cloud Services are not part of our IT infrastructure.

Our practice stores all personal information securely. Our key IT infrastructure- Servers and communication hubs are located out of the public areas of the practice.  Secure individual Passwords are required to access patient data. All staff and IT professional have signed privacy agreements designed to prevent unauthorized entry to the clinical computer system.

How can you access and correct your personal information at our practice?

In the Australian Capital Territory the Health Records (Privacy and Access) 1997 guarantees that all patients in this jurisdiction have the right to request access to, and correction of, your personal information.

Our practice acknowledges patients may request access to their medical records. We ask you to put this request in writing and our practice will respond within 30 days.

Our practice will take reasonable steps to correct your personal information where the information is not accurate or up to date. From time to time, we will ask you to verify that your personal information held by our practice is correct and current. You may also request that we correct or update your information, and you should make such requests directly to your treating doctor or in writing to the practice manager as the case may be.

How can you lodge a privacy-related complaint, and how will the complaint be handled at our practice?

We take complaints and concerns regarding privacy seriously. You should express any privacy concerns you may have in writing. We will then attempt to resolve it in accordance with our resolution procedure. In the first instance you could discuss the breach with your treating doctor and if the matter is not resolved to your satisfaction then the Board of Directors is happy to receive your written complaint and undertakes to take steps to resolve the matter within 30 days.

If the matter remains unresolved following this then you may also contact the OAIC. Generally, the OAIC will require you to give them time to respond before they will investigate. For further information visit or call the OAIC on 1300 363 992Depending on the nature of your complaint then the ACT  Health Services Commissioner may assist with a resolution for you. At the date of this document (1/9/2019)  the commissioner is Karen Toohey who may be contacted on 6205 2222  or in writing to Level 2 ,11 Moore Street Canberra ACT 2601

Privacy and our website

Patients are advised that the practice website is for information only. No personal data can be provided to the practice via the website nor can any personal or medical records be accessed via the website. In addition no financial transactions can be processed via the website.