Telstra Health Privacy Policy 

Your privacy

Privacy matters to us, and we know it matters to you.

As we provide a wide range of health products and services, this involves our collecting and handling a wide spectrum of information.  We take our data responsibilities seriously, and are committed to protecting your privacy and ensuring the security and integrity of your data.

This privacy policy

This policy is issued by Telstra Health Pty Ltd (ABN 38 163 077 236) and its related entities trading as Telstra Health (referred to in this Policy as ‘Telstra Health’, ‘we’, ‘our’ or ‘us’).  It describes how we collect, handle and protect the personal information of any individuals (referred to as ‘you’ or ‘your’) who:

  • are, or are employed or engaged by, one of our business customers (for example, a visiting medical officer, health practitioner or other employee or contractor of a business that acquires our products and services);
  • are a patient of, or receive health services from, a health professional, business or organisation that uses our products and services and in doing so shares your information with us; or      
  • we otherwise deal with in the course of operating our business (for example, users of our website, job applicants, or independent contractors).

If you use our HealthNow app or services, you should review our HealthNow privacy policy located here.

If you are interested in our National Cancer Screening Register, you should review our relevant privacy policy here.

This policy is effective as of 9 March 2020.  From time to time, we may need to change it, and will post the updated version on our website www.telstrahealth.com. Please check this policy regularly for any updates.

Our collection, use and disclosure of personal information

The types of information we may collect, and how we use or disclose it, will vary based on the nature of our relationship or dealings with you. 

For a specific description, please select the following heading which best describes you:

1. You are, or are employed or engaged by, a business customer or healthcare provider that uses Telstra Health products or services

The type of information we collect

The standard personal information we collect might generally include details such as your name, date of birth, contact details (including address, email address and phone numbers), occupation (including credentials and specialisation), and username or password to access our products and services. 

Depending on the particular product or service you use (and how you use it), we may also collect more in-depth information including:

  • your financial information such as credit card or bank account numbers, if you pay for our products and services yourself;
  • information about how you use our products and services;
  • records of any interactions or communications you have with us, including your remote desktop connection details if we assist you by providing you with technical support;
  • information that allows us to identify you for verification purposes, such as name, date of birth and email address;
  • technical information about our products and services that you access;
  • the location of where you use our products and services;
  • certificates and identifiers, such as provider and prescriber numbers, that enable healthcare providers, organisations and their authorised users to access and use our products and services; and
  • any other information that you provide to us directly, or that is provided to us by the business that employs or engages you to facilitate your use of our products and services.

How we collect it

There are four ways that we might generally collect your information:

  • you give it to us when you or your representatives interact with us (for example, when you use our products, complete an application or contact form, or contact us for help);
  • your employer/engaging business gives it to us to facilitate your use of our products and services;
  • we capture the information when you use our products and services, including when you contact us through call centres and online services; and
  • we obtain information from outside sources like marketing mailing lists and publicly available information including professional registers.

We understand that you might not want to give us certain information. We can accommodate this, although it might mean that we cannot provide you with the products or services you need, or the level of service on which we pride ourselves.

How we use it

We may use your information for a number of purposes, such as:

  • administration – to properly manage the products and services we provide to you, such as by maintaining and updating our records and administering any charging or billing;
  • identity verification – where appropriate, to verify your identity or to detect and prevent fraud;
  • communication – to provide you with customer service, assist you with enquiries and otherwise communicate with you to enhance your experience with our products and services;
  • operations – to monitor network use, quality and performance, and to operate, maintain, develop, test and upgrade our systems and infrastructure;
  • improvement – to help us maintain, develop, evaluate and improve our products and services;
  • direct marketing – if you have provided your consent or might otherwise reasonably expect us to do so, to enable us (and other Telstra group entities and affiliates) to promote and market health related products and services that we think will be of interest to you - we do not sell or otherwise provide personal information to unrelated third parties for their direct marketing purposes. To opt-out of this type of marketing, please follow the steps outlined in one of our marketing communications or contact us using the details set out in the “How to contact us” section of this policy; and
  • as otherwise authorised or required by law.

Who we might share or disclose it with

We may share your information with:

  • service providers – certain third parties that assist us to provide you with our relevant product and services (such as IT and network service providers, installation, maintenance and repair service providers, and mailing, billing and customer service providers).  Where we share your information with a third party service provider, we make sure that they have first agreed to protect the privacy of your information. In some cases, as is standard practice for cloud services, we may share your information with our trusted service providers located in Australia, Canada, countries within the European Union, United Kingdom, India, Israel, New Zealand and the United States of America. Where we do this, we require these parties to take appropriate measures to protect that information in accordance with Australian standards and to restrict how they can use it;
  • research partners – who assist us to engage in research and analyses to help us improve our products and services. Unless we have your consent to do this, this sharing occurs on a de-identified basis only;
  • your employing/engaging business – as our primary customer, we may need to share certain information with the business that employs or engages you and that has procured the relevant products and services you use;
  • NHSD – if you are a representative of a health service provider, we may share your information with the National Health Service Directory (NHSD) (see the NHSD privacy policy at http://nhsd.com.au/privacy) and with third parties that provide services to and assist in the management of the NHSD; 
  • government and regulatory authorities – such as law enforcement and national security agencies, and other government and regulatory authorities, if such disclosures are required or authorised by law;
  • advisors – third parties who assist us to manage or develop our business and corporate strategies and functions, including our corporate risk or funding functions;
  • buyers or prospective buyers – for the purposes of facilitating or implementing a transfer/sale of all or part of our assets or business;
  • our related entities – where appropriate for the purposes of managing our business and providing you with our products and services; and
  • other third parties – if the circumstances warrant such a disclosure or share, but only where this is required or authorised by law.

2. You are a patient of, or receive health services from, a business customer or healthcare provider that uses our products and services

The type of information we might collect or hold

The type of information your health service provider might share with us can include:

  • general information – such as your name, date of birth, sex, contact details (including address, email address and phone numbers) and occupation;
  • health and other sensitive information – while this will vary based on how your practitioner or health service provider uses our product or service, this could include your clinical and health-related information (including any relevant images and diagnostic information and medication details), information about a health service which has or is to be provided to you, details of your nationality, racial or ethnic background and sexual preferences and practices; and
  • unique identifiers – such as your patient ID, Medicare number, Department of Veterans' Affairs file number or individual healthcare identifier.

How we collect or hold it

We provide a wide range of technological solutions to health service providers, to assist them to operate their business (including patient administration), store and manage clinical information, analyse health data, and engage in secure messaging for the exchange of health information (such as diagnostic results, patient notes, referrals and prescriptions).

If we provide products or services to your health service provider (for example, a doctor, hospital, aged care provider or pathology lab), that provider might share your information with us.

We have strict requirements about how we handle sensitive information (which includes health information), including to only collect it with your consent or otherwise in accordance with applicable privacy and health records laws.  In this regard, we rely on your health service provider to have obtained your permission to share your information with us.

How we use it

As a general rule, we will only access or use your personal information (including health information) if this is necessary to enable any technical support that we might provide to your health service provider. However, there may also be limited circumstances where we are required to use or disclose your information as required or authorised by law.

While we might also engage in analytical uses of certain data and information (for example, to provide reports to our customers for benchmarking and other service improvement purposes), this is undertaken on an anonymised or de-identified basis only.

We do not use your information for direct marketing purposes.

Who we might share or disclose it with

Many of our products and services help our health service provider customers share information securely with other members of the healthcare community. How your provider uses our products or services to share your information with others will be explained in your provider’s privacy policy. In limited circumstances, we may also share your information with:

  • our service providers – certain third parties who provide services to us, including organisations and contractors that assist us in connection with the limited purposes for which we use that personal information.  Where we share your information with a third party service provider, we make sure that they have first agreed to protect the privacy of your information.  In some cases, as is standard practice for cloud services, we may share your information with our trusted service providers located in Australia, Canada, countries within the European Union, United Kingdom, India, Israel, New Zealand and the United States of America.  Where we do this, we require these parties to take appropriate measures to protect that information in accordance with Australian standards and to restrict how they can use it; and
  • other third parties – if the circumstances warrant such a disclosure or share (for example, if you directly request us to do so), but only where this is required or authorised by law.

3. You are someone that we otherwise deal with in the course of operating our business (for example, users of our website, job applicants, or independent contractors)

The type of information we might collect or hold

The type of information we collect will ultimately depend on the nature of our dealings with you.  For example, this might include:

  • communications – a record of any correspondence or communication we have with you (e.g. if you make an enquiry), along with your name, contact details, and any other identifying information provided;
  • if you are applying for employment or are an independent contractor – your name, contact details, date of birth, sex, professional background, expertise and qualifications, any references which are provided by third parties about you, and any other information which you provide to us or which is relevant to our assessment of your potential employment or our engagement of your services; or
  • if you are a user of our website – any information you submit to us via that website or otherwise provide. While we might also collect certain data about your visit to our website (through the use of cookies and other tracking devices), this will be collected on an anonymised basis only.

How we collect or hold it

Most personal information we collect will be received from you directly.  However, depending on the circumstances, it may also be collected from third parties such as recruitment agencies or our business partners and affiliates.

How we use and disclose it

We will only use or disclose your personal information for the primary purpose for which it was collected (for example, to assess your application or employment), or for any secondary purposes which you might reasonably expect and which are related to that primary purpose.  Such purposes can generally be determined based on the circumstances in which the information was provided to us. 

Examples of the types of third parties we might disclose your information to include:

  • service providers – certain third parties that assist us to provide you with our relevant product and services (for example, IT and network service providers, or mailing operations and customer service providers). Where we share your information with a third party service provider, we make sure that they have first agreed to protect the privacy of your information.  In some cases, as is standard practice for cloud services, we may share your information with our trusted service providers located in Australia, Canada, countries within the European Union, United Kingdom, India, Israel, New Zealand and the United States of America. Where we do this, we require these parties to take appropriate measures to protect that information in accordance with Australian standards and to restrict how they can use it;
  • professional referees – if you have provided us with their name and contact details within an application for employment or engagement;
  • buyers or prospective buyers – if relevant for facilitating or implementing a transfer/sale of all or part of our assets or business (for example, this might occur if you are a contractor);
  • our related entities; and
  • other third parties – if the circumstances warrant such a disclosure or share, but only where this is required or authorised by law.

If you require more specific information in this regard, please contact us using the details provided below.

How we store your information

Any personal information held by us is stored in facilities within Australia.

We take all reasonable precautions to protect your information.  This includes:

  • using encrypted secure messaging for sensitive data;
  • implementing monitoring and access controls to restrict who can access particular information;
  • appropriately securing our electronic networks and physical facilities, such as by using business grade firewalls for all servers, and video monitoring and onsite security staff at the data centres where servers are hosted;
  • designing our products and services with privacy in mind, including by:
    - ensuring that your user account is only accessible by you (or people you have authorised);
    - requiring your account to be password protected; and
    - enforcing a strong password policy and non-reversible hashing for storage of passwords; and
  • security auditing and reviews of our products and services – for some products, this includes penetration testing and security vulnerability testing.

Access to third party services

Some of our products and services allow you to share information with third party services or products. You should review the relevant third party terms and conditions and privacy policies before using a third party service or product. We are not responsible for these services or products.

How to access or correct your personal information or make a privacy complaint

If you want to access your personal information that we hold, or would like to correct any errors in that information, please contact us using the details in the “How to contact us” section.

You can also use these contact details if you have a privacy query or complaint against us. We hope to resolve any complaints without needing to involve third parties, but you may also be able to lodge a complaint with a relevant regulator such as the Office of the Australian Information Commissioner (www.oaic.gov.au or 1300 363 992).

How to contact us

If you have any questions in relation to this policy or if you would like a copy of this policy sent to you (including in an accessibility format) please let us know by contacting us on the following details: