Our privacy commitment to you
St Luke’s Medical and Hospital Benefits Association (ACN 009 479 618) (“St.LukesHealth”, “we”, “us” or “our”) recognises the importance of keeping the personal information that you entrust to us private and confidential. This policy has been compiled to outline how your personal information is handled and to inform you of the steps taken by St.LukesHealth to protect your privacy. Our staff are trained to respect your privacy in accordance with applicable privacy laws and our standards, policies and procedures. We are committed to managing your personal information in an open and transparent manner. Any individual health information entered or uploaded into your Snug account is not disclosed to St.LukesHealth and is not used for any purpose in relation to your health insurance policy, without your consent.
This policy outlines how we manage your personal information and how we comply with the Privacy Act 1988.
This policy applies to all your dealings with St.LukesHealth whether it be at one of our customer care centres, at an agency, electronically or personally with a St.LukesHealth representative. Our commitment to handling personal information extends to members (current, prospective and past) and to dependants (including your spouse or partner).
What is your personal information?
What is your sensitive information?
What personal information do we collect?
As a member of St.LukesHealth, certain personal and sensitive information will be required to establish and maintain your membership, and for other related purposes. The type of information we will collect includes:
- Identification information such as your name, date of birth, contact phone details, residential, postal and email addresses, gender, your family/single status, your dependants’ names, contact phone details, residential, postal and email addresses, health information, claims information, Medicare number, details relating to membership and coverage (including where applicable, details from any previous health fund), Australian Government Rebate on Private Health Insurance registration details, employer details for members paying by payroll deduction, records of service contacts, bank/credit card details and other information that we consider necessary to provide you our services.
- If you join a health management program, a chronic disease management program, or any other program developed to enhance the services available to you, we may hold information relating to your participation in that program.
- We may hold information about persons who have been designated to pay or act on behalf of St.LukesHealth members.
How do we collect your personal information?
When it is reasonable or practicable to do so, we will collect personal information directly from you (referred to as 'solicited information'). This may occur when you fill out a form or give personal information over the telephone, in one of our customer care centres, or electronically. It is important that you always keep your contact details up to date.
We may also collect personal information from:
- a person authorised to provide information on your behalf, such as your carer, guardian or holders of your power of attorney, or if you are a dependant under a policy, we may collect personal information from the policy holder;
- hospital, medical and general treatment providers relating to the ongoing management of your membership;
- another health fund (if you have transferred your membership to St.LukesHealth);
- your employer (if your premiums are paid via payroll deduction);
- a government agency or their authorised representatives (such as Medicare);
- any subsidiary company of St.LukesHealth that provides health-related services to you;
- a service provider engaged by St.LukesHealth; or
- as required by law.
Under some circumstances, we may contact a service provider who has treated you in the past, if the information would be relevant to your membership and the services you may receive or are to receive in the future.
You, your policy and your dependants
When you commence a family, couples or single parent membership with us you have the following responsibilities regarding your nominated dependants (spouse/partner and children):
- you will only supply us with sensitive information, pertaining to dependants aged 16 years and over with their consent. We will assume that when a member makes a claim on behalf of a dependant aged 16 years and over, that the member has consent from the dependant to supply us with the information relevant to processing the claim.
- you authorise all hospital, medical and general treatment providers to supply information (as reasonably required) that is relevant to the management of your health insurance membership for yourself and your nominated dependants and/or membership. Furthermore, you will ensure that you have the consent of each dependant aged 16 years and over, to give this authority on their behalf.
What happens if we receive unsolicited personal information?
If we receive information about you that we have not sought out (referred to as ‘unsolicited information’), we will check whether that information is reasonably necessary for our functions or activities. If it is, we will handle this information in accordance with this policy. If we are not permitted to collect this information, it will be either destroyed or de-identified, but only if it is lawful and reasonable to do so.
Why do we collect certain personal information?
We will collect information that we are legally required to collect as a registered health insurer and to enable us to provide you with a health insurance product and/or related services.
Information concerning the relationship of your dependants to you is collected to verify that they meet our definition of a “dependant” to ensure that the dependants are eligible to be covered under that membership.
Transfer details relating to your previous health fund are collected to ensure that there is continuity of cover and to determine and inform you of your eligibility for benefits, or if waiting periods will apply.
If you wish to pay your premium by direct debit or have benefits transferred directly into your account, Credit Card or Bank account details are required to process and maintain payments.
Your Medicare number is collected to enable you to collect the Australian Government Rebate on Private Health Insurance. We also require this number for correspondence with Medicare Australia.
Your Medicare number is not used for any other purpose. Information that we collect on behalf of the Government is a requirement under the Private Health Insurance Act 2007.
While in certain circumstances we are required to collect government identifiers such as your Medicare number, we do not disclose this information other than when it is required or authorised by law. St.LukesHealth uses its own membership numbers to identify you.
We may collect information about you because we are required or authorised by law to collect it. For example, we require personal information to verify your eligibility for the Australian Government Rebate on Private Health Insurance.
What use is made of your personal information?
The information that you provide to St.LukesHealth is used only for purposes that you would reasonably expect in providing you with a health insurance product and associated services, including:
- to identify you or verify your authority to act on behalf of a member;
- to establish and maintain your membership;
- to process receipts and claims;
- to answer your enquiries;
- to provide effective risk management and to protect against fraud or improper claim;
- analysis of information for product and services development and marketing purposes;
- to meet internal functions such as administration and accounting systems;
- information technology maintenance and development;
- to train staff;
- to investigate and resolve complaints relating to services provided by/or on behalf of St.LukesHealth;
- to comply with any law or legislative requirements;
- to keep you informed about your membership and other relevant information relating to St.LukesHealth; or
- for any other purpose for which you have given your consent including to subscribe for services provided to St.LukesHealth members.
The personal information that St.LukesHealth collects from its members may be used to develop health management programs, chronic disease programs and other products to enhance your membership (“the further services”). We may use your personal information to identify whether you are a suitable candidate for the further services, and if so, provide you with information about the further services.
In relation to all further services:
- your decision to participate in the further services is voluntary;
- your premiums, claims and relationship with St.LukesHealth will not be affected by acceptance or nonacceptance of an offer to participate in the further services;
- you may decline the offer, or may, at any time, withdraw from the further services or a program in which you have enrolled; and
Do you have to provide information?
The information collected by us is necessary to provide you with a health insurance product or service, to be able to accurately assess your claims and to maintain your membership. Failure to provide information may result in coverage being cancelled, a claim being rejected, or us being unable to provide you with the product or service you want.
Your contact information may be used to notify you of new products, services or promotions being offered by St.LukesHealth. If at any time you no longer wish to receive this information, you can request to “opt out” from receiving this information by contacting our customer care centre on 1300 651 988 or by email to email@example.com.
We may conduct these marketing activities via email, telephone, SMS, mail or any other electronic means. We may also market our products or services to you through third party channels such as social networking sites. We will provide the option to 'opt out' of receiving our third-party marketing offers.
Where we market to prospective members, we are happy to disclose to you how we have obtained this information and will provide the option to 'opt out'.
We will not sell your personal information to any organisation outside of St.LukesHealth.
What information do we disclose?
The information St.LukesHealth collects from members or concerning members and their dependants will be kept strictly confidential and secure at all times. Where your personal information is disclosed, it will be disclosed in a manner consistent with the APPs and with the reason it was originally collected.
Personal information may also be disclosed at the member’s request; for example, to a member’s representative or any person acting on behalf of the member.
St.LukesHealth requires a written authority from you, or from an authorised representative (such as an attorney under a power of attorney) if you would like someone to deal with St.LukesHealth on your behalf or on behalf of any dependants on your membership. Before an executor or other representative can act on your behalf, or on behalf of your estate, St.LukesHealth requires evidence that an appropriate authority exists.
Information will be disclosed to third parties in the following circumstances:
Where you would reasonably expect us to in order to provide the service in respect of which the information was originally collected. For example, when providing verification of your membership to a hospital prior to you receiving treatment, when sending claim data to Medicare for the payment of Medicare benefit, to enable electronic claiming, or when transferring between Health Funds.
Where a third party has a confidentiality agreement with St.LukesHealth and it is required to perform a core business function on behalf of St.LukesHealth. For example, an agent transacting business for and on behalf of St.LukesHealth or a mailing house. Organisations that deliver services on behalf of, or to, St.LukesHealth may require your personal information for accounting and auditing purposes, claims assessment, review and analysis or providing other services and products.
Where you have elected to enrol in further services or in other third party programs St.LukesHealth offers to its members.
Where St.LukesHealth provides de-identified data. For example, for the purpose of conducting health related research.
In some circumstances, we may disclose de-identified data to a third party, such as the entity that funds your participation, your employer, or a research institute for research purposes, to evaluate our service or to report on the global health of a population. In such circumstances we will ensure that the data cannot be reidentified or matched back to you personally in any way.
Other third party service providers deliver products and services to St.LukesHealth members, such as health management programs, chronic disease management programs and other healthcare products and services. In order for them to administer these programs, products and services it is necessary to disclose your personal information to them. These organisations and third party service providers are under contractual obligations imposed by St.LukesHealth to not disclose your personal information and to use any information solely to deliver services on our behalf, and not for any other purpose. At the conclusion of the program, the service provider is required to return that information to St.LukesHealth or destroy any personal information about that member provided by St.LukesHealth. If you choose to participate in further services where a program requires the disclosure of personal information, third party service providers may collect personal information, including sensitive information from you. That personal information is not disclosed to St.LukesHealth, except as permitted under the Privacy Act. For example, this may include information for conducting clinical audits and for billing purposes.
Your employer, if you choose to pay by payroll deduction. The information disclosed would only be that relating to payment of your membership.
For Operational Reasons. For maintaining, reviewing and developing our business systems, procedures and infrastructure including testing or upgrading our computer systems in order to securely and efficiently deliver our services to you and other members.
In Exceptional Circumstances. Disclosure of personal information may be deemed necessary in some exceptional circumstances such as when there are grounds to believe that the disclosure is necessary to prevent a threat to an individual’s health and safety, for law enforcement purposes or to protect public revenue.
For Compliance Reasons. To ensure compliance with the relevant laws and regulations of being a registered health insurer, we are required to provide information to regulatory bodies, government agencies, complaints adjudicators, medical referees and others.
How is your personal information protected and how long is it kept?
St.LukesHealth stores your personal information in different ways, including paper and electronic format. We take the security of your personal information very seriously and take reasonable steps to protect it from misuse and loss, unauthorised access, modification or disclosure.
The methods we use to ensure this include the implementation or existence of the following measures:
- St.LukesHealth employees are bound by the Private Health Insurance Code of Conduct and confidentiality agreements.
- Confidentiality agreements with subsidiaries, third party service providers, agents and sub-contractors.
- Document storage security policies.
- Internal system access security policies including authenticated access of employees and contractors.
- Verification procedures to identify an individual before personal information is disclosed.
- Access control for our buildings.
- The use of data encryption, firewalls and other security systems for our computer system.
Your information is kept while we need it to provide the products and services that you have requested from us and where applicable, we are required to keep it to comply with statutory requirements. Where St.LukesHealth determines it is no longer necessary to hold your personal information we will securely destroy, delete or permanently de-identify that information, wherever possible.
In the unlikely event that security of data is compromised, we will take reasonable steps to confirm any possible breach. If a breach is confirmed, we will notify you and provide you with a description of the breach, the kinds of information involved, and any recommended actions you could take to protect yourself.
Can you deal with us anonymously or using a pseudonym?
Yes, you can deal with us anonymously or using a pseudonym where it is lawful and practicable to do so. For example, if you were making a general inquiry as to the benefits we pay on a dental procedure there would be no need to provide your personal details. However, to verify that you are covered for a procedure and waiting periods or limits do not apply, membership details will be required.
In general, St.LukesHealth will not be able to deal with you anonymously or where you are using a pseudonym when:
Do we disclose your personal information to anyone outside Australia?
St.LukesHealth conducts its business operation within Australia and your information is stored by means of electronic storage within Australia. We commit to review the terms of service of any service provider of cloud or networked data storage to ensure that the security of your personal information is addressed in any service level agreement. We will not disclose your personal information to anyone located overseas without your consent.
How can you access your personal information?
You are entitled to access your personal information (or that of any dependant aged under 16 years) unless there are certain legal reasons why you cannot.
When a dependant is aged 16 years or older, St.LukesHealth will not give access to, or allow correction of, the dependant’s information by the dependant’s parents or other relevant guardians, unless it can be proven that the dependant is not able to exercise sound judgment, is of impaired capacity, or the dependant has provided us with authority to do so.
St.LukesHealth may allow dependants under the age of 16 years to access, and correct their personal information if it can be reasonably established that they are able to exercise sound judgment. In this instance, their personal information will be handled in the same manner as a dependant who is 16 years or older.
Access is subject to some exceptions allowed by law. These include where:
- access would pose a serious threat to the life or health of an individual.
- access would have an unreasonable impact on the privacy of others.
- the request is frivolous or vexatious.
- the information relates to a commercially sensitive decision making process.
- access would be unlawful.
- access would prejudice enforcement activities relating to criminal activities and other breaches of law, public revenue, a security or negotiations with you.
- access relates to existing or anticipated legal proceedings.
- denying access is required or authorised by or under law.
If you wish to access your information, please contact one of our customer care centres or send your request by email to firstname.lastname@example.org. We will give you access to your information in the form that you want it where it is reasonable and practical to do so. In some cases, we may be able to deal with your request over the phone if we are satisfied as to your identity, or in a customer care centre. There may be a charge associated with retrieving your information depending on the complexity of your request. However, we will inform you of any fee payable at the time a request is made.
If we cannot provide your information in the way you have requested, we will advise you of the reasons in writing.
What if my information is incorrect?
St.LukesHealth will take reasonable steps to ensure that the information we collect, use or disclose is accurate, complete and up to date. Please contact us at email@example.com, if you believe that your personal information is inaccurate, incomplete, irrelevant, misleading or out of date. St.LukesHealth may also correct the information it holds about you if we become aware it is out of date or inaccurate.
If you ask St.LukesHealth to correct any information, we will assist you. We will help you manage corrections.
Whether St.LukesHealth made the mistake or it was someone else, we will help you ask for the information to be corrected. In this circumstance we may be required to discuss this correction with other parties.
If St.LukesHealth is able to correct your information, we will let you know within five business days of deciding to do this. If you ask us to do so, we will advise any relevant third parties of the correction, unless it is impracticable or unlawful for us to do so.
If St.LukesHealth is unable to correct your information, we will let you know within five business days of making this decision. If you are dissatisfied with our decision you can refer your complaint to the Office of the Australian Information Commissioner. Contact details are listed at the end of this policy.
If St.LukesHealth agrees to correct your information, we will do so within 30 days from when you requested the change, or a longer period that has been agreed by you.
If we cannot make the correction within a 30 day time frame or the agreed time frame, we must:
- let you know about the delay, the reasons for it and when we expect to resolve the matter;
- ask you to agree in writing to give us more time; and
- let you know you can complain to the Office of the Australian Information Commissioner.
Any correspondence received by St.LukesHealth, including via the post, fax or email, is retained and recorded within St.LukesHealth membership communications. St.LukesHealth keeps these records in order to maintain the highest possible customer service levels and for any future enquiries. St.LukesHealth also retains any correspondence St.LukesHealth sends to you. The retention of these records may also help us in the investigation of potential fraud and violations of the St.LukesHealth User Agreements. We maintain policies and procedures for the retention of documents and data which govern the use of, and access to, such material.
Our Web Site
St.LukesHealth recognises the importance of providing you a secure environment when communicating with us via the Internet and appropriate measures have been put in place to protect your personal information. For example, we use industry accepted methodology to secure your information when you register for and use St.LukesHealth Online Member Services. Your secured information is protected from unauthorised access through the use of firewalls, secure passwords and SSL Certificates. Further, we send confirmation letters to your postal address before you can access your online information to verify that you are entitled to online access.
St.LukesHealth may collect usage data from your computer when you visit our website through the use of tracking and/or cookies. This collection is to enable us to maintain and improve our online service. Any information collected is not linked in any way to personal identification details of members. Visitors to our website can adjust their browser preferences to prevent the collection of data. However, if you adjust your browser preferences, there may be some features of our website that will not be available to you and/or some pages may not display properly. For your convenience, St.LukesHealth has provided a ‘Help and Support’ link with guidance on minimum system requirements for optimal use of our website.
How do I make a complaint?
St.LukesHealth will make every attempt to ensure that your privacy is not breached; however, if you believe that your privacy has been breached, you can visit a St.LukesHealth Customer Care Centre, phone 1300 651 988, send an email to firstname.lastname@example.org or complete and send a Privacy Complaint form to the address mentioned below.
The Privacy Officer
P.O. Box 915
Launceston TAS 7250
We will endeavour to resolve any issues you may have promptly and amicably. However, if you believe that we have not resolved the issue you may refer the matter to the Office of the Australian Information Commissioner:
Mail: GPO Box 5218, Sydney, NSW 2001
Phone: 1300 363 992
For more information on your privacy you can visit www.oaic.gov.au