1. BACKGROUND
Thompson Brain and Mind Healthcare Ltd ACN 658 798 933 (“TBMH”, “we”, “our”, or “us”) is a not-for-profit mental health organisation established on the Sunshine Coast, Queensland with a vision to reconceptualise mental healthcare at a community level.
Our mission is to minimise the burden of mental illness through personalised care and world-class treatment. Founded on a commitment to pioneering research and precision medicine, we strive to harness the potential of technology and innovation to deliver improved patient outcomes.
In doing so, we recognise the importance of protecting the privacy and the rights of individuals in relation to their Personal Information and are committed to protecting an individual’s privacy in compliance with relevant legislation as set out below.
This policy (“Policy”) has been developed to explain how, when and why the TBMH collects, holds, uses and discloses Personal Information as well as how individuals can access any documents TBMH controls that contains their Personal Information.
The purpose of the Policy is to outline the considerations and responsibilities of TBMH in relation to the collection, handling, disclosure (including to overseas recipients) use and secure storage of Personal Information and the steps we take to protect it.
2. POLICY STATEMENT
TBMH complies with the Information Privacy Act 2009 (Qld) (“Information Privacy Act”) and the Privacy Act 1988 (Cth) (“Privacy Act”), including the Australian Privacy Principles (“APPs”). If we provide services under contract to a Queensland public‑sector agency and are bound as a contracted service provider, we will also comply with the Information Privacy Act 2009 (Qld) for that work and the Guidelines under sections 95 and 95A of the Privacy Act 1988 (Cth) (2014) (“Guidelines”) with respect to privacy in the provision of Health Services and in the conduct of medical research.
Our Privacy Policy is kept up to date and made available free of charge. On request, we will take reasonable steps to provide a copy in the form requested.
We respect an individual’s right to privacy, and we take reasonable steps to comply with under the Information Privacy Act and the Privacy Act, comply with all State and Commonwealth legislation in respect of the collection, management, use, and disclosure of Personal Information and with any other privacy laws that apply to TBMH in specific contexts (for example, if we are bound as a contracted service provider to a Queensland public-sector agency).
As such, this Policy is based on the following principles:
(a) TBMH supports the responsible and secure handling of Personal Information; and
(b) TBMH respects an individual’s right to know how their Personal Information will be collected, held, used, and disclosed, as well as how it can be accessed and corrected, if necessary.
TBMH has adopted the APPs contained in the Privacy Act. The APPs govern the way in which we collect, use, disclose, store, secure, and dispose of an individual’s Personal Information.
3. WHAT IS PERSONAL INFORMATION?
When used in this Policy, the terms “Personal Information” and “Sensitive Information” have the meaning given to them in the Privacy Act.
In general terms, Personal Information is any information that can be used to personally identify an individual. This may include name, address, telephone number, email address, date of birth and profession or occupation. If the information we collect personally identifies an individual, or an individual is reasonably identifiable from it, the information will be considered Personal Information.
Sensitive information is Personal Information that is:
(a) information or an opinion (that is also personal information) about an individual’s:
(i) racial or ethnic origin;
(ii) political opinions;
(iii) membership of a political association;
(iv) religious beliefs or affiliations;
(v) philosophical beliefs;
(vi) membership of a professional or trade association;
(vii) membership of a trade union;
(viii) sexual orientation or practices; or
(ix) criminal record;
(b) health information about an individual;
(c) genetic information (that is not otherwise health information);
(d) biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or
(e) biometric templates.
4. COLLECTION OF PERSONAL INFORMATION
4.1 Why we collect Personal Information and Sensitive Information
We may collect Personal Information and Sensitive Information from you so that we can provide services to you if you are a client, to manage our relationship with you, or where this is otherwise necessary for our functions or activities. In particular, if you are a client, we may collect your Personal Information to provide you with Health Services and other services, or to provide you with information regarding our services. The type of Personal Information we collect about you depends on the type of dealings we have with you. Most of the Personal Information we hold is provided directly by you for a stated purpose.
When we collect Personal Information, we take reasonable steps to notify you of, or otherwise make you aware of, the APP 5 matters at or before collection, or, if that is not practicable, as soon as practicable after collection, including our identity and contact details, the purposes of collection, consequences of non‑collection, our usual disclosures (including any likely overseas disclosures), and how you may access or correct your information or complain.
We may collect and record Personal Information when you:
(a) send us a message (e.g. where you contact us through our Website/s) or email us;
(b) ask us to provide you with services – including as a client, online or by phone;
(c) interact with us or make a comment via our Website/s or social media;
(d) make a donation;
(e) ask to receive newsletters/updates;
(f) ask to obtain resources such as promotional materials;
(g) complete a feedback form;
(h) complete an intake questionnaire or a patient information and consent form;
(i) participate in a publicity photo shoot or other audio-visual activity;
(j) apply for a job with us; or
(k) supply goods / services to us.
If you do not provide the Personal Information requested, we may not be able to provide you with the information or services you require, or a receipt for your tax deductible donation. Similarly, you may not have the opportunity to provide us with your goods or services.
4.2 Clinical Health Services and Medical Research
a) Collection of Personal Information
TBMH collects Personal Information and Sensitive Information, including health information, for the purpose of providing services to you. The collection of Personal Information and Sensitive Information in the course of providing you Health Services will be following an informed consent process so that valid consent can be obtained by you.
All Personal Information and Sensitive Information collected for the purpose of medical research will be following the approval of the research activity by an approved Human Research and Ethics Committee. A patient information and consent form will be provided prior to your involvement in the research and will include information on how your Personal Information and Sensitive Information will be used, stored, and destroyed in accordance with our statutory obligations.
We may collect Personal Information and Sensitive Information directly from individuals for clinical treatment purposes and/or for medical research, but information may also be collected from the following parties:
o Parents or guardians of minors/persons with cognitive impairments;
o Commonwealth and State agencies (e.g. medical records and results);
o Insurers;
o Registries (e.g. Death and Cancer registries);
o Universities and government agencies;
o Private medical research bodies;
o Support groups and communities; and
o Healthcare providers (e.g. general practitioners and specialists).
We will only collect information from third parties with your consent or where it is otherwise permitted under law. One such permitted circumstance where we would not seek your consent, is where it was unreasonable or impracticable to obtain your consent, and we need to collect your Personal Information from someone else to prevent a serious threat to your life or safety, or that of any other person.
The types of Personal Information and Sensitive Information we may collect for Health Services and/or medical research includes:
o biographical information (e.g. names, titles, relationships and birthdates);
o contact information (e.g. addresses, emails and telephone numbers);
o financial information (e.g. billing/payment information, health insurance claims information etc);
o gender identity;
o sexual identity;
o Medicare Number;
o DVA number;
o NDIS participant identification number;
o Comcare case number;
o third party reference number;
o Aboriginal or Torres Strait Islander origin;
o ethnicity and any cultural information (e.g. languages spoken at home);
o private health insurance details;
o copies of referrals and/or reports from treating practitioners;
o physical appearance information;
o current physical and mental health;
o physical/mental/social/reproduction/drug/travel/family history;
o treatment history;
o family history of diseases;
o information from physical health and virus screens;
o genetic information derived from DNA and RNA;
o treating team contact information;
o next of kin contact information;
o occupational information; and
o any other relevant health information.
We do not adopt a government‑related identifier (for example, a Medicare number) as our own identifier and we only use or disclose such identifiers as permitted by APP 9.
(b) Why this information is collected
The purposes for collection of Personal Information and Sensitive Information for Health Services and/or medical research purposes, include for:
o provision of Health Services including clinical treatments and diagnostics;
o coordination of services via patient portals and/or digital applications;
o undertaking clinical trials;
o undertaking human research projects;
o development of tissue and/or data banks; and
o publication of research (as non-identifiable data).
(c) Use and disclosure of this information
This information is used to:
o help us provide you with an appropriate service;
o evaluate and report on how well we are providing Health Services to you and the broader community;
o record an individual’s involvement in clinical trials and other human research projects undertaken by us;
o process the results of research and clinical trials; and
o contact individuals about participation in future projects or trials.
Personal Information for medical research can be used by TBMH without prior consent in certain circumstances in accordance with the National Statement on Ethical Conduct in Human Research and any related guidance or publications. In such circumstances, the Personal Information will be de-identified and TBMH must satisfy itself that the research involving the use of Personal Information has been approved by a Human Research Ethics Committee, for the particular research purpose in accordance with the Guidelines.
Where it is impracticable to obtain consent, TBMH may collect, use, or disclose health information for research, the compilation or analysis of statistics, or the management, funding or monitoring of a health service in accordance with the section 95A Guidelines under the Privacy Act (“Section 95A Guidelines”), and only where a Human Research Ethics Committee has approved the proposal after weighing the public interest in the activity against the public interest in privacy. For example, this can arise in a large‑scale retrospective records review where contacting all affected individuals to obtain consent is genuinely impracticable and de‑identified data would not achieve the research aims, and the Human Research Ethics Committee has approved the activity under the section 95A Guidelines.
If TBMH handles agency‑held information under a Commonwealth contract, TBMH will follow the agency’s Human Research Ethics Committee approval and any conditions related to the section 95 Guidelines under the Privacy Act (“Section 95 Guidelines”) as specified for that project within the relevant Commonwealth contract. We will not otherwise disclose your Personal Information to any third parties without your consent unless this is permitted or required by law, or where an exception under the Privacy Act applies.
If any of your communications with us raises safety concerns, we will, subject to the relevant statutory obligation, try to contact you to check that you and/or others are safe. If necessary, we may need to pass on your contact information (if you have supplied it) to authorities who can help protect you and/or others, such as a crisis service or emergency services. Where possible we will work with you openly, letting you know if our concerns reach the point where we need to involve other services. Any such use or disclosure will be limited to what is reasonably necessary and may rely on an exception in the Privacy Act, such as a permitted general situation to lessen or prevent a serious threat to life, health, or safety.
We sometimes undertake and/or engage partners to conduct evaluation, research and reporting activities using information we provide. The information disclosed by TBMH to these partners for their evaluation, research and reporting purposes will be de-identified. We will take reasonable steps to ensure individuals are not reasonably identifiable in the relevant release context – for example, by removing direct identifiers and, where appropriate, altering or aggregating other data and applying controls in the data‑access environment.
4.3 Fundraising
a) Collection of Personal Information
Personal Information is collected in order to raise funds for TBMH for the purpose of furthering its objectives.
We may collect Personal Information directly from individuals for fundraising purposes. We may also collect limited Personal Information from:
o corporate partners;
o agents acting on behalf of us and/or our supporters;
o publicly available sources; and
o prospect research consultants,
where this is reasonably necessary for our functions or activities.
Where we collect Personal Information from someone other than the individual, we will take reasonable steps at or before collection (or as soon as practicable afterwards) to notify the individual of the APP 5 matters.
The types of Personal Information we collect for fundraising include:
o biographical information (e.g. names, titles, relationships, and birthdates);
o contact information (e.g. addresses, emails, and telephone numbers);
o information about an individual’s interests in respect of TBMH’s functions or research; attendance at TBMH events; donations, gifts or bequests made to TBMH (including payment details); and
o any other information required by TBMH to build and maintain an appropriate relationship with its supporters.
(b) Why this information is collected
We collect Personal Information for fundraising purposes, which include:
o marketing to and informing supporters/donors about TBMH research, appeals and events;
o soliciting/requesting and processing donations, gifts and bequests from supporters/donors;
o maintaining appropriate relationships with supporters/donors;
o organising fundraising events; and
o building profiles on supporters/donors in order to better understand their areas of interest in TBMH.
We do not use Sensitive Information for direct marketing without consent.
4.4 Employees and Other
(a) Collection of Personal Information
Personal Information is collected for some other limited purposes. The types of Personal Information we collect for other purposes include:
o contact information such as full name, address, phone numbers and email address;
o employment details, including but not limited to an individual’s job title and training and skills;
o insurance policies and details (if applicable);
o payment or billing information (including bank account details, credit card details, billing address and invoice details);
o any additional information relating to an individual that is, or has been, provided to us directly through our Website/s or Mobile Application;
o information provided to us through our service teams, surveys or personally to our representatives from time to time.
(b) Why this information is collected
Personal Information is collected for other purposes which include:
o an individual’s employment or potential employment with us;
o to record arrangements with individuals such as visiting scientists and consultants in relation to the conduct of clinical trials and/or human research projects;
o to record arrangements with volunteers or visitors to TBMH;
o the provision of services to individuals, including but not limited to healthcare and scientific services;
o the processing of scholarships, awards and grants;
o the processing of purchase orders for goods and services, including to communicate with individuals concerning such orders;
o to provide customer service functions, including handling customer enquiries and complaints; and
o compliance with applicable laws and any other matters reasonably necessary to provide services.
4.5 Aggregate information
From time to time, we may collect general, non-personal, statistical information about the use of our Website/s or Mobile Application, such as survey feedback. In addition to this, we will track Website/s or Mobile Application users to determine their status (i.e. whether active or inactive on our Website/s or Mobile Application).
We collect this information through the use of “cookies” and other tracking technologies, which are discussed in greater detail below. We collect this information in order to enhance our Website/s, Mobile Application, and our services.
We may group this information into aggregated data in order to describe the use of our Website/s or Mobile Application to our existing or potential business partners, sponsors, advertisers, or other third parties, or in response to a government request. Aggregate data will in no way personally identify any individuals or any other users of our Website/s or Mobile Application.
4.6 Third party information
From time to time, we may be provided with, and we may collect, the Personal Information of a third party including but not limited to through the Referrer Portal (see section 17 below). Where the Personal Information of third parties is provided, the provider agrees that the provider will ensure that those persons are aware of this Policy and have consented to the provision of that Personal Information.
To the extent we comply with our obligations under this Privacy Policy, the provider of third party Personal Information must indemnify us and agree to keep us indemnified from any costs, expense, loss, or liability we suffer from using the third party’s Personal Information that is provided to us.
5. COLLECTION, USE, AND DISCLOSURE OF PERSONAL INFORMATION AND SENSITIVE INFORMATION
Notwithstanding the above, the Personal Information you provide to us may be used by us for the following purposes:
(a) for marketing and research purposes;
(b) for internal administrative purposes;
(c) to respond to:
(i) ‘Contact Us’ form enquiries such as via our Website/s;
(ii) educational programs;
(iii) general Website/s feedback or assistance; and
(iv) media enquiries;
(d) to update our records and keep contact details up-to-date;
(e) for research, advice and information, including for benchmarking purposes;
(f) to send emails about our programs, campaigns or activities to persons who have agreed to receive our emails (you will be provided with an opportunity in each email to decline to receive any further emails from us by unsubscribing);
(g) in the case of marketing automation, to improve the emails that are sent to individuals and to improve the personalisation, services, programs, content and resources that are offered by us;
(h) to assess any application for employment; or
(i) if an individual lodges a complaint or query with us, to process and respond to that complaint or query.
Personal Information
TBMH will not use Personal Information for purposes other than for the medical research, fundraising and other purposes outlined above, unless the other purpose is related to the primary purpose (and, in the case of sensitive information, directly related), or another APP 6 exception applies (for example, if required or authorised by law).
TBMH will not sell, exchange or disclose Personal Information for commercial gain.
TBMH will not disclose an individual’s Personal Information to persons or entities other than the individual, or without the individual’s consent, except in limited circumstances, which include disclosure to the following, where appropriate:
o grant and award providers;
o collaborators such as other clinical research organisations;
o third party service providers, agents, consultants and contractors;
o regulatory authorities;
o government departments and agencies;
o auditors;
o as required or authorised by or under an Australian law or court/tribunal order; and
o when a clinical situation requires information to be disclosed for patient safety, or otherwise where an exception under the Privacy Act applies.
We may also disclose Personal Information to our employees and related bodies corporate, contractors or service providers for the purposes of operation of our Website/s or Mobile Application and to otherwise provide our services including, without limitation, web hosting providers, publisher networks, IT systems administrators, data entry service providers, electronic network administrators and professional advisors such as accountants, solicitors, business advisors and consultants.
If we do disclose Personal Information under the Privacy Act’s exceptions, we will do so only to the extent permitted (for example, a permitted general situation under section 16A of the Privacy Act, or a permitted health situation under section 16B of the Privacy Act for health information). Where we rely on the sections 95 and 95A Guidelines for research, we will follow those Guidelines and any Human Research Ethics Committee conditions as appropriate.
Sensitive Information
We will only collect Sensitive Information where reasonably necessary, and with the individual’s consent, unless an exception under the Privacy Act applies.
Subject to the other provisions of this section 5, Sensitive Information will only be disclosed in accordance with the Privacy Act as follows:
o for the primary purpose for which it was collected;
o for a secondary purpose that is directly related to the primary purpose; or
o as required by law.
We will not otherwise disclose Sensitive Information of an individual without the individual’s prior written consent unless required or authorised by law, or where another exception under the Privacy Act applies.
6. AUTOMATED DECISION MAKING
TBMH will not use your Personal Information and make an automated decision about the services we provide you without the involvement of a TBMH clinician or technician. If an automated decision is made during your engagement with the organisation, TBMH will take reasonable steps to ensure that the use of such systems is lawful, fair, and reasonable in the circumstances.
If an automated decision about your care is made that is wholly or partly automated and has a legal or similarly significant effect, TBMH will upon request provide you with information about:
o the use of automated decision-making in relation to that automated decision; and
o the types of Personal Information used to make the automated decision.
You may also contact TBMH to raise concerns or request further information about automated decisions. Please refer to section 19 for contact details of our Privacy Officer.
7. ALING WITH US ANONYMOUSLY OR USING A PSEUDONYM
7.1 General
In some circumstances you may deal with us anonymously or by using a pseudonym (a fictitious/made-up name), for example, if you are enquiring about our services generally. However, we will need to identify you if it is not practicable for you to remain anonymous or use a pseudonym when you deal with us.
8.COOKIES AND OTHER TRACKING TECHNOLOGIES
Cookies
In some cases, we may also collect your Personal Information through the use of “cookies”. Our Website/s may utilise “cookies” and other tracking technologies. A cookie is a small text file that a website transfers to an individual’s hard drive for record-keeping purposes.
When you access our Website/s, we may send a “cookie” to your computer or internet enabled device. This allows us to recognise your computer or internet enabled device, and whether you have already registered and greet you each time you visit our Website/s. It also enables us to keep track of services you view so that, if you consent, we can send you news about those services. We also use cookies to measure traffic and engagement patterns, to determine which areas of our Website/s have been visited and to measure overall, aggregate transaction patterns.
We use this to research to track the habits of visitors on our Website/s and what users are looking for and accessing, so that we can continually improve our services, programs, content and resources.
If you do not wish to receive non-essential cookies, you can set your browser or cookie preferences where available, so that your computer does not accept them. Users may set most browsers to notify the user if the user receives a cookie, or users may choose to block cookies with their browser. However, please be aware that some non-essential features of our Website/s may not function properly or may be slower if users refuse cookies.
Where possible, we seek to use cookies and analytics data in a de-identified or aggregated form. However, some cookie and tracking data (such as Internet Protocol (IP) addresses or device identifiers) may constitute Personal Information under the Privacy Act.
Tracking technologies may record information such as internet domain and host names, IP addresses, browser software and operating system types, clickstream patterns, and dates and times that our Website/s or Mobile Application is accessed.
It is not our practice to link the information we record using tracking technologies to any Personal Information submitted while on our Website/s. However, we reserve the right to use IP addresses and other tracking technologies to identify a visitor only when we feel it is necessary to enforce compliance with our Website/s’ policies (including this Policy), to protect our Website/s and its users, participants (patients, volunteers, employees, etc.), or others, or when we believe in good faith that the law requires it.
If an individual does not provide us with the Personal Information described above, then that user may not be able to utilise our Website/s.
Website Analytics
(a) Google Analytics
Our Website/s use ‘Google Analytics’, a product provided by Google, to help us understand traffic and usage in order to help improve our services, programs, content and resources.
Google Analytics may collect information such as IP addresses, device identifiers and usage data.
By using our Website/s, you consent to the processing of information about you by Google in the manner described in Google’s privacy policy and for the purposes set out above. You can opt out of Google Analytics if you disable or refuse the Google cookie, disable JavaScript, or use the opt-out service provided by Google.
(b) Meta Analytics
Our Website/s use analytics products provided by Meta (including ‘Meta Pixel’), which track your actions on our Website/s and collect information about your device, whether or not you have a Meta account or are logged into a Meta platform.
By using our Website/s, you consent to us disclosing this information to Meta and using the information about you in the manner described in Meta’s data policy.
You can opt out of Meta analytics by logging into Meta and visiting the app settings page. Refer to Meta procedures on how this can be updated in accordance with your preferences.
9. CHILDREN AND YOUNG PEOPLE
TBMH is committed to protecting the privacy, safety and best interests of children and young people. In handling Personal Information relating to children, TBMH takes additional steps to ensure that collection, use and disclosure is lawful, fair, reasonable and in the best interests of the child.
TBMH collects and uses Personal Information of children and young people only where appropriate and permitted by law. Where Personal Information relates to a child or young person, TBMH will give primary consideration to the best interests of the child, including their safety, wellbeing and rights when making decisions about how that information is collected, used, disclosed and stored.
Where a child does not have the capacity to provide informed consent, TBMH will seek consent from a parent or legal guardian before collecting or using the child’s Personal Information, unless an exception under the Privacy Act applies.
Where a child or young person is assessed as having sufficient maturity and understanding to provide informed consent (a mature minor), TBMH may rely on the child’s own consent, consistent with applicable law and clinical or professional standards.
For children and young people, TBMH applies higher privacy protections by default, including:
o limiting the collection of Personal Information to what is reasonably necessary for the provision of services;
o using the highest privacy protective settings for digital services, platforms and analytics where practicable; and
o avoiding the use of targeted advertising, behavioural tracking or profiling in relation to children unless it is strictly necessary and permitted by law.
TBMH does not use or disclose a child’s Personal Information for secondary purposes (such as marketing, analytics or research) unless:
o the secondary purpose is directly related to the primary purpose of collection and reasonably expected; or
o consent has been obtained from a parent or guardian, or from a mature minor where appropriate; or
o the use or disclosure is otherwise required or authorised by law, or another exception under the Privacy Act applies.
TBMH seeks to provide privacy information in a way that is clear, accessible and age-appropriate. Parents, guardians, and mature minors may request access to, or correction of, Personal Information in accordance with this Privacy Policy and the Privacy Act.
If TBMH becomes aware that Personal Information relating to a child has been collected, used, or disclosed in a way that is inconsistent with this Privacy Policy or applicable law, TBMH will take reasonable steps to address the issue promptly, including limiting use, deleting or de-identifying the information where appropriate.
10. DIRECT MARKETING MATERIALS
We may send direct marketing communications and information about us and our services via post, SMS, and email.
These communications will be sent in accordance with applicable marketing laws, such as the Spam Act 2003 (Cth) and the Do Not Call Register Act 2006 (Cth).
If users indicate a preference for a method of communication, we will endeavour to use that method whenever practical to do so.
In addition, at any time users may opt-out of receiving marketing communications from us by contacting us in writing via our email set out in Section 19 below or, if applicable by unsubscribing to the marketing communication.
11. ACCESSING AND CORRECTING PERSONAL INFORMATION
Users may request access to any Personal Information we hold about that user at any time by contacting us (see the details below). Where we hold information that users are entitled to access, we will try to provide users with suitable means of accessing it (for example, by mailing or emailing it). We reserve the right to charge a reasonable fee for searching for and providing access to an individual’s Personal Information to cover our administrative and other reasonable costs.
In order to protect your Personal Information, we may require identification from you before releasing the requested information.
There may be instances where we cannot grant access to the Personal Information we hold. For example, we may need to refuse access if granting access would interfere with the privacy of others or if it would result in a breach of confidentiality. If that happens, we will give written reasons for any refusal.
If a user believes that Personal Information, we hold about that user is incorrect, incomplete or inaccurate, then that user may request us to amend it. We will then consider if the information requires amendment, and respond to your amendments request within a reasonable period. If we correct your information and you ask us to notify another organisation to which we disclosed it, we will take reasonable steps to do so. If we do not agree that there are grounds for amendment then we will give written reasons and explain how to complain, and we will add a note to the Personal Information stating that the user disagrees with it. We do not charge for correction or for adding a note to the Personal Information stating that the user disagrees with it.
12. DATA SECURITY
TBMH will store personal information via a third party online cloud server that is located within Australia and meets the Australian Privacy Principles. TBMH will not store any personal information on a server outside of Australia without informing you.
TBMH takes all reasonable steps to protect the Personal Information that it holds from interference, misuse and loss and from unauthorised access, modification or disclosure.
TBMH will hold Personal Information for as long as necessary in order to meet the purposes described in this Policy. Your Personal Information is stored in a manner that reasonably protects it from misuse and loss and from unauthorised access, modification or disclosure. However, most of the Personal Information we hold is or will be stored in client files which will be kept by us for a minimum of 7 years upon clients exiting our service, or 7 years from their 18th birthday, or longer if required by law.
Our third-party service providers may store Personal Information overseas when providing support or other services. For example:
o when traffic information is disclosed to Google when users visit our Website/s and Mobile Applications; and
o communications with us through a social network service (i.e. Facebook or X),
may result in the provider and its partners collecting and holding Personal Information, including overseas.
TBMH will comply with the mandatory data breach notification scheme for any eligible data breaches under the Privacy Act.
13. DISCLOSURE OF PERSONAL INFORMATION TO OVERSEAS RECIPIENTS
We may disclose Personal Information to selected overseas recipients in limited cases, including to service providers that support our Website/s, digital platforms and IT operations, or to research collaborators where appropriate. Before disclosing Personal Information overseas, we take reasonable steps to ensure the recipient will handle the information in accordance with the APPs, or we rely on another APP 8 exception where applicable. TBMH remains accountable for overseas recipients as set out in section 16C of the Privacy Act.
Where possible we use information that has been stripped of direct identifiers and either aggregated or statistically processed so that specific individuals can no longer be reasonably distinguished or re‑identified in the release context. If re‑identification risk cannot be reduced to a very low level, we will treat the information as Personal Information.
Depending on the purpose, the information disclosed may include: personal data; identity document details; personal health history; and relevant medical information. The purpose of any such disclosure is to determine suitability of precision diagnosis and therapies, or to support agreed clinical or research activities.
We are likely to disclose Personal Information to overseas recipients in connection with analytics, hosting, support, and research collaborators. Where it is practicable to specify the countries of those recipients, we will do so on our Website/s or at the point of collection.
14. NOTIFIABLE BREACHES SCHEME
In the event of any unauthorised access or unauthorised disclosure or loss of your Personal Information that is likely to result in serious harm to you, and where remedial action has not been able to prevent the likely risk of serious harm, we will investigate and notify you and the Office of the Australian Information Commissioner (OAIC) in accordance with the Privacy Act.
15. WHAT IS THE PROCESS FOR COMPLAINING ABOUT A BREACH OF PRIVACY?
If an individual believes that their privacy has been breached, that individual can contact us using the contact information in Section 19 below and provide details of the incident so that we can investigate it. Our Privacy Officer will investigate and deal with alleged privacy breaches that have been notified to us.
If that individual is still unsatisfied, that user may wish to direct the complaint to the Office of the Australian Information Commission at http://www.oaic.gov.au/ or alternatively:
Phone: 1300 363 992
In writing: The Office of the Australian Information Commissioner (OAIC)
GPO Box 5288,
SYDNEY NSW 2001
Email: enquiries@oaic.gov.au
16. SECURITY
The security of Personal Information is important to us.
We intend to store information electronically but there may be some circumstances that we will need non-electronic forms of electronic information. In this case, the information will be stored in accordance with the relevant legislation.
We take reasonable steps to ensure Personal Information is protected from misuse and loss and from unauthorised access, modification or disclosure.
We restrict access to Personal Information to employees, contractors and agents who need to know that information in order to operate, develop or improve our processes and services.
As our Website/s or Mobile Application are on the internet, and the internet is inherently insecure, we cannot provide any assurance regarding the security of transmission of information transmitted to us online.
We also cannot guarantee that the information supplied by users will not be intercepted while being transmitted over the internet. Accordingly, any Personal Information or other information which is transmitted to us online is transmitted at the user’s own risk.
17. ACCOUNT
Patient Portal
Our Practice Management System and integration systems may incorporate a patient portal feature (“Portal”). The Portal serves as a tool for patients to book online appointments, oversee online appointment scheduling, access to and payment of invoices. Patients are required to register for and set up a patient Portal account in order to access the Portal. To register and set up a patient Portal account, we will collect Personal Information from the patient (including but not limited to the patient’s name, date of birth, phone number and email address).
The collection and storage of Personal Information and Sensitive information for the purposes of the patient Portal account will be in accordance with this Policy and the Privacy Act. If the patient opts-in through the patient Portal account, we may send correspondence (including but not limited to newsletters and other notifications) to an identified phone number and/or email if provided on that account. The patient has the ability through the patient Portal account to opt-in or opt-out of the dissemination of such information and correspondence.
Referrer Portal
Referring bodies may refer clients to TBMH for the provision of services through the referrer portal (“Referrer Portal”). The Referrer Portal is a secure platform where the referring body may disclose Personal Information or Sensitive Information for the purposes of making a referral which will be collected and retained and will form part of a patient’s record.
All Personal Information and Sensitive Information received by us through the Referrer Portal will be used and stored by us in accordance with this Policy and the Privacy Act.
18. CONTACT US
To ask questions about this Policy, raise any concerns, or make a complaint regarding the treatment of an individual’s Personal Information or a possible breach of an individual’s privacy, please contact our Privacy Officer using the details set out below.
We will take all reasonable steps to respond to and resolve any complaint about information privacy by an individual promptly. Individuals wishing to make a privacy complaint should contact the Privacy Officer in writing (contact details below). Our representative will make contact within a reasonable time after receipt of the complaint to discuss the concerns and outline options regarding how they may be resolved. We will endeavour to respond to an individual’s privacy complaint within 30 days of receiving an individual’s complaint, or such other reasonable timeframe as may be agreed depending upon the nature of the complaint.
If we are unable to resolve the complaint, a formal complaint may be made to the Office of the Information Commissioner Queensland.
19. PRIVACY POLICY
We will treat any requests or complaints seriously and in confidence. Please contact our Privacy Officer at:
Post: Thompson Brain & Mind Healthcare Ltd
PO Box 1544
SUNSHINE PLAZA QLD 4558
Email: privacy@tbmh.org.au
Phone: (07) 5220 8793
20. CHANGES TO OUR PRIVACY POLICY
This Policy will be regularly reviewed from time to time, following legislative or organisational changes, or as a minimum, every three years.
Any updated versions of this privacy policy will be posted on our Website/s.
21. DEFINITIONS
In this Policy:
Health Service/s includes the following activities:
(a) assessing, maintaining or improving an individual's physical or psychological health;
(b) diagnosing an individual's illness or disability;
(c) treating an individual's illness or disability or suspected illness or disability; and
(d) recording an individual’s physical or psychological health for the purposes of assessing, maintaining, improving or managing the individual’s health.
Mobile Application means the mobile application that has been developed solely for the use of TBMH.
Website/s means in all of the pages located on the following website/s:
Homepage - Brain & Mind Hub
https://www.brainandmindhub.org.au/ and