Privacy Policy
How we collect, use, and protect your personal and health information
Last updated: 4 April 2026
1. Introduction
Surf Coast Superclinic (ABN to be confirmed) operates a general practice clinic at 40 Main Street, Winchelsea VIC 3241. We are committed to protecting the privacy and confidentiality of your personal information in accordance with the Australian Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and the Health Records Act 2001 (Vic).
This policy explains what personal and health information we collect, why we collect it, how we use and store it, and your rights in relation to that information. It applies to all patients, website visitors, and anyone who submits information to us through our website, over the phone, or in person.
2. What Information We Collect
Personal information
- Full name, date of birth, gender, and contact details (address, phone number, email)
- Medicare number, DVA number, pension or concession card details
- Emergency contact details
- Private health insurance details (where applicable)
Health information
- Medical history, current conditions, symptoms, and medications
- Consultation notes and clinical observations
- Pathology results, diagnostic imaging, and test results
- Referral letters and specialist reports
- Immunisation records
- Mental health care plans and treatment plans
Information submitted through our website
When you use our online contact form or registration of interest form, we collect the information you provide, which may include your name, email address, phone number, and any message or health-related details you choose to include. We also collect the date and time of your submission.
3. How We Collect Information
We collect personal and health information through:
- In-person consultations and clinical examinations at our clinic
- New patient registration and intake forms
- Phone calls and email correspondence
- Online forms submitted through our website (contact forms, registration of interest forms, referral forms)
- Referral letters and reports from other healthcare providers, specialists, hospitals, and pathology services
- Medicare, DVA, and health fund claims processing
- Third-party booking platforms such as HotDoc
We only collect information that is reasonably necessary for providing medical services or managing our practice. Where possible, we collect information directly from you. If we receive information about you from a third party (for example, a referring doctor), we will take reasonable steps to notify you.
4. Why We Collect Your Information
We collect your personal and health information for the primary purpose of providing you with quality medical care. Under the Australian Privacy Principles, we are permitted to collect health information that is reasonably necessary to provide a health service.
Specifically, we collect your information to:
- Diagnose and treat medical conditions
- Provide preventive healthcare, health assessments, and screenings
- Manage chronic conditions and develop care plans
- Arrange referrals to specialists, pathology, and imaging services
- Process Medicare and DVA claims on your behalf
- Fulfil legal and regulatory obligations
5. How We Use Your Information
Your information is used for:
- Delivering medical consultations, treatment, and follow-up care
- Managing appointments and sending appointment reminders
- Communicating test results and follow-up recommendations
- Coordinating care with other healthcare providers involved in your treatment
- Processing Medicare bulk billing claims
- Meeting mandatory reporting obligations (for example, notifiable diseases under public health legislation)
- Internal clinical audits and quality improvement
- Responding to enquiries submitted through our website
We do not use your personal or health information for marketing purposes. We will never sell your information to third parties.
6. Who We Share Your Information With
We only share your personal and health information with your consent, or where we are required or authorised to do so by law. This may include sharing with:
- Other healthcare providers involved in your care (specialists, hospitals, allied health professionals) with your consent
- Pathology and diagnostic imaging services as part of your treatment
- Medicare and the Department of Veterans' Affairs for claims processing
- Accreditation bodies (such as AGPAL) during practice accreditation audits, in de-identified form where possible
- Government health authorities where required by law (for example, notifiable disease reporting)
- Legal authorities where required by a court order or subpoena
We will not share your health information with family members, employers, insurers, or any other third party without your explicit consent, unless required by law or in an emergency where it is necessary to prevent a serious threat to life or health.
7. How We Store and Protect Your Information
We take the security of your personal and health information seriously. Our practice uses a combination of physical and technical safeguards to protect your data.
Electronic records
- Clinical records are stored in secure, access-controlled practice management software
- Data submitted through our website is processed and stored using secure cloud infrastructure hosted in Sydney, Australia (AWS ap-southeast-2)
- All data transmitted between your browser and our website is encrypted using TLS (HTTPS)
- Files uploaded through our referral forms are stored using encrypted cloud storage in Australia and are automatically deleted after 90 days
- Access to patient records is restricted to authorised clinical and administrative staff
Physical records
- Any physical records are stored in locked filing cabinets within the clinic
- Access to the clinic premises is controlled and restricted to authorised personnel
- Physical records are securely destroyed when no longer required
Your data is not transferred outside of Australia. All cloud infrastructure used for website form submissions and file storage is located in the Sydney (ap-southeast-2) region.
8. Data Retention
We retain health records in accordance with the requirements of the Health Records Act 2001 (Vic) and the Public Records Act 1973 (Vic). In general:
- Adult patient records are retained for a minimum of 7 years from the date of last entry
- Records of patients who were children at the time of treatment are retained until the patient turns 25 years of age, or for 7 years from the date of last entry, whichever is later
- Files uploaded through our online referral forms are automatically deleted from cloud storage after 90 days
When records are no longer required to be retained, they are securely destroyed in accordance with Australian standards for the destruction of health information.
9. Your Rights
Under the Australian Privacy Act and Victorian health privacy legislation, you have the right to:
- Access your records — You can request access to the personal and health information we hold about you. We will respond to your request within 30 days.
- Request corrections — If you believe any information we hold about you is inaccurate, incomplete, or out of date, you can request that we correct it.
- Request a copy of your medical records — You may request a copy of your medical records. A reasonable administration fee may apply for preparing copies.
- Withdraw consent — You may withdraw consent for us to use or share your information at any time, though this may affect our ability to provide you with medical care.
- Lodge a complaint — If you believe we have breached your privacy, you can lodge a complaint with us directly (see Section 12 below) or with the Office of the Australian Information Commissioner (OAIC).
To exercise any of these rights, please contact our reception team in person, by phone, or by email.
10. Web Forms and Online Collection
Our website includes online forms that allow you to contact us, register your interest as a new patient, or submit referral documents. When you submit a form through our website:
- Your submission is transmitted securely over an encrypted (HTTPS) connection
- Form data is processed by our server and stored in a secure database hosted in Sydney, Australia
- If you upload files (such as referral letters), they are stored in encrypted cloud storage in Sydney and are automatically deleted after 90 days
- We record an audit log of when your submission was received and when it was accessed by our staff
- Your form data is not shared with any third party other than the infrastructure providers listed in Section 11
- Our forms use Google reCAPTCHA to prevent spam and abuse (see Section 11)
We ask for your consent before you submit any form that includes personal or health information. You will be asked to confirm that you have read this privacy policy and agree to your information being collected and used as described.
11. Third-Party Services
Our website and online form infrastructure use the following third-party service providers. These services are used solely to operate our website and process form submissions securely. We do not sell or share your information with these providers for their own purposes.
| Service | Purpose | Data Location |
|---|---|---|
| Supabase | Database for storing form submissions and authentication | Sydney, Australia |
| Amazon Web Services (AWS) | Secure file storage (S3) and email delivery (SES) | Sydney, Australia |
| Vercel | Website hosting and serverless function execution | Sydney, Australia (syd1) |
| Google reCAPTCHA | Spam and bot protection on web forms | Google global infrastructure |
| Google Analytics | Anonymous website usage analytics (no personal health information is sent to Google) | Google global infrastructure |
Google reCAPTCHA and Google Analytics are subject to the Google Privacy Policy. These services may use cookies and collect IP addresses and browsing behaviour data. No personal health information is shared with Google.
12. Complaints Process
If you believe that we have breached your privacy or mishandled your personal information, we encourage you to raise your concern with us first so we can attempt to resolve it.
To lodge a complaint:
- Contact our practice manager by phone or email (see Section 13 below)
- Describe the issue and how you believe your privacy has been affected
- We will acknowledge your complaint within 7 business days
- We will investigate and respond to your complaint within 30 days
If you are not satisfied with our response, you may lodge a complaint with:
- Office of the Australian Information Commissioner (OAIC)
  Phone: 1300 363 992
  Website: www.oaic.gov.au
- Health Complaints Commissioner (Victoria)
  Phone: 1300 582 113
  Website: www.hcc.vic.gov.au
13. Contact Us
For privacy inquiries, access requests, corrections, or complaints, please contact: