Injurynet Australia Pty Ltd (Injurynet) is committed to complying with its obligations under the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs) and all relevant state-based health records and information privacy legislation.
- who to contact;
- what personal information we collect;
- how we collect personal information and why;
- who we collect personal information from;
- how we hold, use and disclose personal information;
- how we handle our website and internet links;
- the security measures that we take;
- the processes available to request access to or correction of your personal information or make complaints; and
- the process of breach notification.
This policy applies to the services provided by Injurynet and binds all of our employees and health professionals.
1. Who to contact
For all privacy-related queries and for access and information requests, please contact the Privacy Officer via email to firstname.lastname@example.org or by mail to Privacy Officer, Injurynet, Level 1, 173 Burke Road, Glen Iris, Victoria 3146.
2. What personal and sensitive information we collect
2.1 What is personal information?
Personal information is information or an opinion about someone we can identify or who we can reasonably identify from the information we have, whether it is true or not and whether it is recorded or not. It includes ‘sensitive information’ such as information about your health.
2.2 The kinds of personal information we collect
The personal information we collect about you depends on who you are and your interaction with us. As a provider of workplace medical services, Injurynet may collect the following types of personal and sensitive information about you:
- contact details (such as name, address, phone number, email address);
- date of birth and gender;
- financial and payment information;
- health information including your medical history, injury/illness/accident details, medical certificate, images of your injury supplied by you;
- employment details;
- nature of your enquiry;
- questionnaires and surveys that you complete;
- information about your use of our website.
3. How we collect personal and sensitive information
Injurynet will collect personal information directly from you where it is reasonable and practicable to do so.
We collect personal and sensitive information in many ways including when you:
- visit our office;
- call our office or send Injurynet an email;
- log in to and use the Injurynet website or submit an enquiry;
- contact us as part of a health assessment, triage service or to request a health appointment;
- contact us to receive medical consultancy;
- consent to a third party, including medical service providers, employers or insurers, providing Injurynet with your information;
- apply for employment at Injurynet;
- provide services on our behalf.
We may collect this information from you, including in person, over the telephone, via our website or email. Subject to your consent, we may also collect information from third parties such as:
- the person who makes the referral to our service;
- your employer or potential employer; and
- healthcare providers (including doctors, physiotherapists, nurses, psychologists and pathology services) who are engaged by Injurynet to assist in the provision of our assessment and treatment services.
4. Why we collect personal and sensitive information
Injurynet collects your personal and sensitive information to provide our services to you and/or provide information and services to our clients. Some examples of why we collect personal and sensitive information include:
- To contact you to provide information about, and to deliver our services to you and the person or organization that referred you to us (such as your employer or insurer)
- To manage our relationship with you
- To access and obtain medical information from treating healthcare providers
- To engage healthcare providers to provide our services
- To review, evaluate, develop and improve our services
- To recruit our staff
Injurynet will only collect information that is necessary for these purposes.
5. Who we collect personal and sensitive information from
Where practicable, we will collect your personal information directly from you. However, we may also need to collect information about you from others such as companies employing you, insurance companies, financial institutions, medical or health service providers and other similar organisations that are permitted to share your personal information with us for the purposes of providing our services.
6. How we use and disclose personal and sensitive information
6.1 Uses of personal information
Injurynet will use your personal and sensitive information to provide you with services that:
- you purchase;
- are purchased by your employer or insurer;
- are part of your employment (eg: medical assessments);
- assist in the management of your injury;
- allow the performance of medical assessments or services, nurse triage services, referral to our network of healthcare practitioners or medical advisory services.
Injurynet will also use your personal and sensitive information:
- to administer and invoice for services provided;
- to respond to complaints, access and correction requests;
- for purposes related to the primary purpose for which we collected the information that you would reasonably expect;
- to comply with an Australian court/tribunal order or where required or authorised by law.
6.2 Disclosures of personal information
Injurynet will disclose your personal and sensitive information to third parties where:
- you consented to the disclosure e.g. for a pre-employment medical assessment or fitness for duties assessment or for the management of your injury; to provide information to your healthcare providers or healthcare providers engaged by us; to the organisation who referred you to our service (i.e. your employer or insurer); or
- the disclosure is necessary because you are at risk of harm without treatment and you are unable to give consent (eg. you might be unconscious after an accident);
- to our service providers, advisors and contractors who assist us in operating our business (eg IT service providers) or who assist us in providing services to you; or
- your health service provider is legally obliged to disclose the information; or
- otherwise required or authorised by or under an Australian law or court/tribunal order.
6.3 Overseas disclosures of personal information
Injurynet will disclose your personal and sensitive information overseas only if required for the purposes of providing you with the services that:
- are purchased by your employer or insurer;
- are part of your employment (eg: medical assessments);
- assist in the management of your injury;
- allow the performance of medical assessments or services, nurse triage services or medical advisory services.
6.4 How we hold personal information
The protection of your personal information is a priority and we take reasonable precautions to ensure your personal information is protected from misuse, unauthorised access, modification or disclosure.
To safeguard your personal information we have in place a range of policies and procedures to ensure protection of your information. These include:
- signed confidentiality agreements with all employees
- both external and internal security systems at all premises restricting access to stored personal information; and
- regularly updated security systems to prevent unauthorised computer or electronic access to information.
7. Where your personal information is stored
We may store your personal information in both, or either, hard copy or electronic format.
Hard copy information is kept under lock and key with restricted access either on our premises or in secured external storage. Information stored in electronic format is protected from unauthorised access through the use of secure passwords and user log on or other security procedures. All data is stored within Australia.
When you enter sensitive information (such as credit card numbers) on our website, we encrypt that information using secure socket layer technology (SSL). When Credit Card details are collected, we simply pass them on in order to be processed as required. We never permanently store complete Credit Card details.
8. Your online activity
The Injurynet website may contain links to other websites. These are provided as a convenience to you and not as an endorsement by Injurynet of the contents of other websites.
We collect information from our website using server logs and data analytics service providers. When you visit the site to read, browse or download information, our system will record/log your IP address (the address which identifies your computer on the internet and which is automatically recognised by our web server), date and time of your visit to our site, the pages viewed and any information downloaded. This information will only be used for the purpose of site analysis and to help Injurynet offer you improved online services. We may automatically collect non-personal information about you such as the type of internet browsers you use or the site from which you linked to our websites. You cannot be identified from this information and it is only used to assist us in providing an effective service on our website.
9. Online Payments
Injurynet uses the eWAY Payment Gateway for its online credit card transactions. eWAY processes online credit card transactions for thousands of Australian merchants, providing a safe and secure means of collecting payments via the Internet.
All online credit card transactions performed on this site using the eWAY gateway are secured payments.
- Payments are fully automated with an immediate response.
- Your complete credit card number cannot be viewed by Injurynet or any outside party.
- All transactions are performed under 128 Bit SSL Certificate.
- All transaction data is encrypted for storage within eWAY’s bank-grade data centre, further protecting your credit card data.
- eWAY is an authorised third party processor for all the major Australian banks.
- eWAY at no time touches your funds; all monies are directly transferred from your credit card to the merchant account held by Injurynet.
For more information about eWAY and online credit card payments, please visit www.eway.com.au
10. Data security
Injurynet takes steps to protect your information from misuse, interference, loss, and from unauthorised access, modification or disclosure. Your information may be stored in hard copy documents or electronically on Injurynet’s internal servers. These servers are protected with high level security protocols.
To prevent unauthorised access or disclosure, we have put in place physical, electronic and managerial procedures to safeguard and secure the information, including the information we collect online. Examples include keeping hardcopy information within secured premises, using daily encrypted backups that are stored offsite, and restricting access to information provided to us by third parties to relevant personnel only.
11. Data Breach
11.1 Establishing whether an eligible data breach has occurred
An eligible data breach occurs where there is unauthorised access, disclosure or loss of personal information, the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates, and no exemptions apply.
Unauthorized access, disclosure or loss of personal information will be satisfied in two circumstances under the Privacy Act:
- where an entity is satisfied that there is unauthorised access to, or unauthorised disclosure of, personal information; or
- where the information is lost in circumstances where unauthorised access or unauthorised disclosure of the information is likely to occur. Information is “lost” in circumstances where there has been accidental or inadvertent loss of personal information held by an entity. This includes when an entity physically loses personal information, for example, by leaving it in a public place, or electronically loses personal information, such as failing to adequately back up data. Loss also refers to unauthorised access where there has been a natural disaster, such as a power outage.
An eligible data breach occurs where a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of the breach. Serious harm could include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation and other forms of serious harm that a reasonable person in the entity’s position would identify as a possible outcome of the data breach.
Where a reasonable person could conclude that, as a result of the remedial action taken, the eligible data breach is not likely to result in serious harm to the affected individuals, the breach would no longer be considered an eligible data breach.
Whether an entity has reasonable grounds to believe that there has been an eligible data breach will vary depending on the circumstances. If the situation merely provides an entity with reasonable grounds to suspect that there has been an eligible data breach, the Privacy Act requires that entity to undertake a reasonable and expeditious assessment (situation assessment) of whether there are reasonable grounds to believe that an eligible data breach has taken place.
11.3 Data Breach Management
As required by the Privacy Amendment (Notifiable Data Breaches) Act 2017, Injurynet has developed a data breach response plan that sets out the steps that Injurynet will follow when it becomes aware or suspects that a data breach has occurred.
11.4 Where an eligible data breach is identified
There is no single method of responding to a data breach. Any data breaches must be dealt with on a case-by-case basis, by undertaking an assessment of the risks involved and using a risk assessment to decide the appropriate course of action.
In the event Injurynet establishes an eligible data breach, on reasonable grounds Injurynet will undertake the following tasks:
- We activate our data breach response plan as soon as a data breach occurs and contain the breach and do a preliminary assessment.
- Evaluate the risks associated with the breach.
- We will notify the individual/s affected, any others that may need to be notified (such as law enforcement) and our clients.
- Our Privacy Officer will work with our Information Technology team (reporting to our Managing Director) to contain, assess, notify and review all incidents.
- Prevent further breaches.
- promptly notify the Commissioner of the breach by preparing and forwarding a statement in accordance with s 26WK of the Privacy Act. Injurynet must also notify individuals affected by the breach as soon as practicable after completing the statement prepared for notifying the Commissioner.
- The statement notifying the Commissioner and affected individuals must include the following information:
  - the identity and contact details of the entity
  - a description of the breach
  - the types of information concerned, and
  - recommendations about the steps which individuals should take in response to the breach.
- notify the Commissioner of the breach as soon as practicable. What is considered to be a “practicable” timeframe will vary depending on the entity’s circumstances, and may include considerations of the time, effort, or cost required to prepare the statement.
12. How you can access and correct your personal information held by Injurynet
You may, in most cases, access the personal information we hold about you by making a request in writing to our Privacy Officer (email@example.com) or via mail.
Your employers or prospective employers may also request certain information we hold about you; however, we will only provide this information to them where it is appropriate and we have obtained your prior written consent.
When making this request, please provide as much detail as possible regarding the information you require access to, including the person to whom the information has been provided and when. We also need information to positively identify you.
We may also charge you a reasonable administration fee for the provision of the information.
Injurynet will acknowledge your request within 10 business days and providing Injurynet has the personal information requested, access should be granted within 10 business days. Injurynet will inform you if this timeframe is not achievable in the particular circumstance.
We will endeavour to provide you with access in the manner requested, however in some circumstances the nature of the information or the record it is contained in may mean that we can only provide you with access in a particular manner. Depending on the circumstances, this may be by mail, email, or you may personally be given access to inspect the information.
12.2 Can my request be refused?
In some circumstances permitted by the Privacy Act, Injurynet may not be able to provide access to your personal information. These circumstances include where:
- Access would pose a serious threat to the life, health or safety of any individual;
- Access would have an unreasonable impact on the privacy of others
- The request is frivolous or vexatious
- Information relates to a commercially sensitive decision making process
- Access would be unlawful or denying access is required or authorized by law
- Access would be likely to prejudice enforcement activities conducted by an enforcement body
- We suspect that unlawful activity, or misconduct of a serious nature, that relates to our functions or activities has been, is being or may be engaged in and access would be likely to prejudice the taking of appropriate action in relation to the matter;
- Access would prejudice negotiations with the individual; or
- The information is subject to existing or anticipated legal proceedings with the individual and would not be accessible by the process of discovery in those proceedings.
If access is refused to some or all of the information, our reasons will be provided to you in writing with details of the complaint mechanisms available to you if you are not satisfied with our decision.
If Injurynet has collected your personal information on behalf of a third party, we recommend that you approach the third party directly for access to your information.
12.3 Accuracy of your personal information
While we will endeavour to ensure that the personal information collected from you is up to date, accurate and complete, we will assume that any personal information provided by you is free from errors and omissions. You may request that we update or vary personal information that we hold about you using the contact details set out below.
13. If you are not satisfied with the management of your complaint
If you are not satisfied with our handling of your complaint, you can refer your concerns to the Office of the Australian Information Commissioner (www.oaic.gov.au).
14. Changes to this policy
Injurynet may amend and update this policy from time to time to reflect changes to our practices and procedures, systems or obligations. Any amendments to this policy will be notified by posting an amended version on our website, and the changes will take effect at that time.