Group Privacy Policy
Published on: 9 May 2018
Updated on: 5 December 2022
1. Purpose
Icon Cancer Centre is proud to be part of the Icon Group.
Integrated Clinical Oncology Network Pty Ltd and its subsidiaries (the “Icon Group”, “we” or “us”) is committed to providing exceptional cancer care and treatment and to protecting your Personal Information while doing so.
We comply with the Personal Data Protection Act (Act 26 of 2012) (“PDPA”) which governs how organisations handle your Personal Information, and comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth).
For Patients in the PRC: We will also comply with the Cybersecurity Law, the Data Security Law, the Personal Information Protection Law (PIPL), and applicable regulations, rules, and national standards in relation to the protection of your Personal Information.
The principles set out in this policy apply to Personal Information, including Health and Sensitive Information, you provide to us including information provided at consultations, treatments, via our web site or under any agreement or arrangement.
2. Scope
This Privacy Policy sets out and explains how all members of the Icon Group collect, use, store, protect and disclose your Personal Information. The Policy is supplementary to any specific consent you provide. For example, we will normally request your prior written consent for the collection, use or disclosure of your sensitive Health Information.
For Patients in the PRC: We will request your prior and separate consent (whether in written or electronic forms) for the collection, use or disclosure of your sensitive Health Information or other kinds of sensitive information.
3. Definitions
Key terms used in this policy are as follows:
Term | Definition |
Personal Information | means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
(a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or not. Personal Information as used in this policy covers Health Information and Sensitive Information. For Patients in the PRC: Some information that cannot identify an individual, i.e. de-identified personal information, but relates to an individual, will also be regarded as personal information – for example, the medical record of an individual with the name/ID of this individual being removed. |
Health Information | means: (a) information or an opinion about:
(i) the health or a disability (at any time) of an individual; or (ii) an individual’s expressed wishes about the future provision of health services to the individual; or (iii) a health service provided, or to be provided, to an individual; that is also personal information; (b) other personal information collected to provide, or in providing, a health service to an individual (c) other personal information collected in connection with the donation, or intended donation, by an individual of his or her body parts, organs or body substances; (d) genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual. |
Sensitive Information | Means:
(a) information or an opinion about an individual’s: racial or ethnic origin; political opinions; membership of a political association; religious beliefs or affiliations; philosophical beliefs; membership of a professional or trade association; membership of a trade union; sexual orientation or practices; criminal record; that is also personal information; or (b) health information about an individual; or (c) genetic information about an individual that is not otherwise health information; or (d) biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or (e) biometric templates. For Patients in the PRC: Your information about your financial account, whereabouts, and other Personal Information that can easily lead to the infringement of the personal dignity of natural persons or the harm of personal or property safety once leaked or illegally used. Specifically, all Personal Information of minors under 14 years old will be regarded as Sensitive Information. |
4. Collection of Information
We collect Personal Information for the principal purpose of providing you with medical care, treatment and services, as well as for billing and administrative purposes, including submitting health fund claims on your behalf. We will also, where permitted, collect Personal Information for other related or ancillary purposes.
For Patients in the PRC: We will inform you of such other related or ancillary purposes, the means of handing, and the types and retention period of Personal Information to be collected separately, and obtain your consent, where required, before we collect your Personal Information for such purposes.
The types of personal information that we collect may include your name, address, telephone number, private health fund membership details, and Health Information such as your past, current, and family health conditions, test results, treatments, procedures and medical advice.
Without limiting the foregoing, we may collect Personal Information from patients that we consider to be reasonably necessary to provide health care services, including:
- medical history
- family medical history
- next of kin
- ethnic background
- current lifestyle and activities
- clinical observations
- test results
- billing information
- NRIC
- Concession Card numbers
- Private health insurance membership numbers and details of level of cover.
In most circumstances we will collect your Personal Information directly from you rather than third parties. But if necessary and permitted by law, we may need or be required to collect Personal Information from third parties. For example, in cases of emergency where collection of your Personal Information is necessary to prevent or lessen a serious and imminent threat to your life or health, then we may collect such information from third parties without your consent if you are physically or legally incapable of doing so.
You are not obligated to disclose your Personal Information to us. However, if you do not provide the information requested, we may not be able to provide you with the best possible health care or meet the expectations you may have of us as care providers.
In some cases, we will require you to specifically consent to any collection, use or disclosure of your Personal or Health Information as part of a Treatment Consent or Financial Consent, or other specific consent.
In most cases your consent will be requested in writing, but we may also accept your verbal consent. Sometimes your consent may also be implied through your conduct with us, or due to anticipated activities/reasons ancillary to the primary purpose of your prior consent.
Icon will destroy unsolicited information where it is determined that the information would not normally have been collected
5. Use and Disclosure of Information
We may use and disclose your Personal Information for the purpose for which it was collected, including related secondary purposes, and for other purposes authorised by you or required by law.
Examples of uses and disclosures of your Personal Information may include:
a) Use and disclosure amongst health professionals to provide treatment
Modern health care practices require a patient’s treatment to be provided by a team of health professionals. These health professionals share patient Personal Information as part of the process of providing treatment. This is managed while maintaining confidentiality and protecting the patient’s privacy in accordance with the law. Personal Information will only be disclosed to those health care professionals directly involved in a patient’s treatment. Icon may disclose Personal Information via electronic processes or standard or express post where relevant.
b) A patient’s General Practitioner or referring Medical Specialist
Icon may send a discharge summary or letter to the referring medical practitioner, nominated practitioner and/or General Practitioner following consultation or treatment. This is intended to inform the referring practitioner of information that may be relevant to any ongoing care or treatment provided by them. Icon will confirm the most up to date details of a patient’s nominated General Practitioner at the time of consultation/treatment.
c) Other health service providers
Medical practitioners or health care facilities that require access to patient health records of treatment will require an authorisation from the patient to provide a copy of the medical record to that medical practitioner or health care facility. Disclosure will be provided without consent if it is not reasonable or practicable to obtain consent and Icon reasonably believes that the disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual or to public health or safety.
d) Students, medical, nursing, allied health disciplines
Medical, nursing and allied health disciplines undertake placements at Icon facilities. As part of their placement, students may access patient health records of treatment. All students undertaking placement with Icon sign a Confidentiality Agreement.
e) Relatives, guardian, close friends or legal representative
Icon may provide information about a patient’s condition to their parent, child, other relatives or guardians, where the patient is incapable of giving consent or cannot communicate the consent. Icon will disclose Personal Information where it is satisfied that the disclosure is necessary to provide care or treatment to the patient or for compassionate reasons, unless the patient tells Icon that they do not wish Icon to disclose their Personal Information to any such person. Where a patient does not have capacity, Icon will disclose information about the patient’s health to a person exercising that patient’s power of attorney under an enduring power of attorney or advance care directive.
For Patients in the PRC: Icon is not a medical services provider dedicated to provide medical services for Children. Any handling of a child’s Personal Information shall be consented to by his/her parents or other guardians. Icon will not handle Personal Information of children unless Icon obtains the consent of children’s parents or other guardians, and when required, Icon will formulate specialized rules for handling such Personal Information of children.
f) Off-shore facilities or entities
Icon may share Personal Information to entities at other Icon Group facilities or other third parties located outside of China. This may include transfer of Personal Information to Australia for medical or administrative review or support or related activities.
g) Expanded Communications
We may use your Personal Information in order to provide you with educational, clinical trials, resources, events and/or activities that we consider may be relevant or of interest to you. We do not sell your Personal Information to any marketing or other third party.
For Patients in the PRC: Icon may use the automated decision-making technology to provide you with customized information and communications. If you wish Icon not to provide such information and communications via automated decision-making technology, you may contact us via the contact details set out in Section 11 hereof.
“Automated decision-making” refers to the activities of automatically analyzing and evaluating an individual’s behavior habits, hobbies or economic, health or credit status through computer programs and making decisions accordingly.
h) Other common uses and disclosures
Icon may also use and disclose Personal Information in an identified format:
- for invoicing, billing and account management;
- for health funds, or other such organisations to verify treatment provided and the financial level of cover;
- for the purposes of complying with any applicable laws, responding to a subpoena or compulsory reporting to State or Federal authorities (e.g. law enforcement or public health and safety circumstances);
- when communicating with medical defence organisations, insurers, medical experts or lawyers for anticipated or existing legal proceedings;
- if it is necessary information for the purposes of protecting a child from the risk of physical or psychological harm;
- in order to prevent or lessen a serious and imminent threat to life, health or property or a person;
- if matters are disclosed relating to serious criminal activity that have, or are likely to occur;
- to third-party service providers who manage some of the services we offer; all of whom are obligated to comply with the PDPA and the Privacy Act 1988 (Cth);
For Patients in the PRC: Such third-party service providers and also other third parties (e.g. IT infrastructure supplier or data handling supplier) entrusted by Icon to handle your Personal Information will enter into an agreement or be bound by clauses to ensure they will handle your Personal Information under the instruction of Icon and in compliance with this Privacy Policy, PIPL, and other PRC data protection laws.
- to undertake quality assurance for the purpose of monitoring service delivery standards; and
- for the purposes of sending standard reminders (e.g. appointments or treatment reminders via text message, email, voice mail, or post to addresses disclosed to Icon).
- For research purposes (with an informed consent form (ICF) signed by patients, whether the Personal Information will be used in an identified or de-identified format; and only in limited scenarios where it is necessary for the research purpose described in the ICF and agreed by patients expressly on a freely-given basis will Icon use and disclose such Personal Information in an identified format)
In limited circumstances, we may disclose your Personal Information overseas. Where information is required to be disclosed overseas Icon will takes reasonable steps to ensure that the international third party uses your Personal Information in accordance with our Privacy Policy, the PDPA and the Privacy Act 1988 (Cth).
For Patients in the PRC: If any cross-border sharing/disclosing of Personal Information occurs from China to regions outside China, such activities of sharing/disclosing Personal Information overseas will be done with appropriate safeguard measures in place legally required (e.g. passing the security assessment conducted by the supervisory authority or signing a standard contract for cross-border transfer of Personal Information). Where applicable, separate consent of relevant patients will be obtained and kept on file. Besides the above, Icon will also take reasonable steps to ensure that the international third party uses your Personal Information in accordance with the PIPL and other data protection laws, regulations, and national standards in the PRC.
If you request or authorise Icon to transfer your Personal Information, including your Health Information, to another health service provider, Icon will provide a copy or a written summary of such to that other health service provider as soon as practicable.
6. Access and Correction of Personal Information
In order to assist us in keeping your Personal Information accurate, complete and up to date, you are requested to promptly notify us of changes or updates to your Personal Information. You may request access to Personal Information we hold about you by making a written request to our Data Protection Officer, whose details are below. We will respond to your requests within a reasonable period.
If upon receiving access to your Personal Information, or at any other time, you believe the Personal Information we hold about you is inaccurate, incomplete or out of date, please notify us immediately. We take reasonable steps to correct your Personal Information so that it is accurate, complete and up to date.
For Patients in the PRC: In addition to the right of access and correction of Personal Information, you also have the right to be informed of, decide, and restrict how your Personal Information is processed, the right to reject the handling of Personal Information, the right to copy and delete Personal Information, the right to portability, and the right to restrict the automated decision-making.
7. Security of Personal Information
Icon stores your Personal Information in both paper and electronic forms. The security of your Personal Information is important to us. We take reasonable measures to ensure that your Personal Information is stored safely to protect it from misuse, loss, unauthorised access, modification, interference, or disclosure, and take electronic and physical security measures such as:
- Locked storage of paper records;
- Use of document shredding and security bins;
- Authentication and password controls for electronic records;
- Use of our managed devices and services (e.g. iPads, laptops, email) for transfer of Personal Information.
For Patients in the PRC: The Personal Information generated and collected within the territory of the PRC will be stored the hosting facility in Tianjin and at the individual facilities
Icon will destroy or permanently de-identify any of your information which is in its possession or control and which is no longer needed for the purpose for which it was collected, unless otherwise required by law to be retained.
For Patients in the PRC: If you receive medical services at any Icon Cancer Centre, Icon will store your Personal Information according to the local law requirements, e.g. Icon will store the inpatient medical record for at least thirty (30) years. As de-identified Personal Information, e.g. your medical record with your name and ID number being removed, will still be regarded and protected as Personal Information, when it is no longer needed for the purpose for which it was collected, Icon will destroy or anonymize (i.e. the process that makes Personal Information cannot identify a specific individual anymore and cannot be restored to its original state) your Personal Information.
Periodic audit and risk assessments are conducted to ensure the appropriate availability, integrity and confidentiality of Personal Information managed through our systems.
In the event of a data breach, Icon will take immediate action to mitigate the breach and will comply with the mandatory data breach requirements of the Privacy Act 1988 (Cth). Icon will assess whether there is a likely risk of any serious harm to affected individuals and if so, will immediately notify such individuals with a description of the the data breach, the kinds of information concerned and recommendations about the steps that you should take in response to the data breach.
8. Privacy Policy Changes
Icon may amend the Privacy Policy from time to time in accordance with changes in laws and technology and Icon’s operations and practices.
9. Do Not Call Register
The PDPA provides for the establishment of a national Do Not Call (DNC) Registry.
The DNC Registry allows individuals to register their telephone numbers to opt out of receiving marketing phone calls, mobile text messages such as SMS or MMS, and faxes from organisations.
If you have registered on (i) the No Fax Message Register; (ii) the No Text Message Register; and/or (iii) the No Voice Call Register, then Icon will not send you marketing messages of the relevant kind.
For Patients in the PRC: As China adopts an opt-in scheme, Icon will not do marketing phone calls, mobile test messages or faxes without your consent, unless there are other legal bases that Icon can rely upon.
10. Enquiries and Complaints
If you have an enquiry or complaint about the way Icon handles your Personal Information then please contact our Data Protection Officer, whose contact details are in the section below. We will respond to your enquiry or complaint as soon as reasonably practicable. Making a complaint will not affect the care you receive from us, and someone else can make the complaint on your behalf.
If you are not satisfied with the result of your complaint to us, you may contact the Office of the Australian Information Commissioner, whose contact details are as follows:
Email: [email protected]
Facsimile: +61 2 9284 9666
Web: http://www.oaic.gov.au/privacy/making-a-privacy-complaint
11. Contact Details
If you wish to contact us in relation to your Personal Information or any matter in this Privacy Policy, then please write to our Privacy Officer, whose contact details are as follows:
Privacy Officer
Icon Group
PO Box 3787
South Brisbane, QLD, 4101, Australia
Switchboard: 07 3737 4500
Fax: 07 3737 4501
Email: [email protected]
A translated copy of this Privacy Policy is available if required and upon request.
For Patients in the PRC: Please contact us via the contact details as follows:
China Privacy Officer
Registered Address: 903, Building B, Gateway, No. 18 Xiaguangli, Chaoyang District, Beijing, China 中国北京市朝阳区霞光里18号佳程广场B座903
Email: [email protected]
Website Terms and Conditions
Welcome to our website. In accessing and using this website, you acknowledge that you have read, understood and agree to be bound by the following terms and conditions
Disclaimer
While care has been taken to ensure that information contained in this website is true and correct at the time of publication, changes in circumstances after the time of publication may impact on the accuracy of this information. Icon Group gives no warranty or assurance, and makes no representation as to the accuracy of any information or advice contained, or that it is suitable for your intended use. Icon Group disclaims all responsibility and all liability (including without limitation, liability in negligence) for all expenses, losses, damages and costs you might incur as a result of the information being inaccurate or incomplete in any way, and for any reason.
Each user waives and releases Icon Group and its agents, employees and service providers to the full extent permitted by law from any and all claims relating to the usage of material or information made available through this website. Subject to any terms implied by law, which cannot be excluded, in no event shall Icon Group be liable for any losses or damages, including incidental or consequential damages, resulting from use of the material. This website provides links to external internet sites. These external websites are outside our control. It is the responsibility of users to make their own decisions about the accuracy, reliability and correctness of information found. Although care is taken to provide links to suitable material, the nature of the internet prevents the guaranteeing of suitability, completeness or accuracy of any material that this site may be linked to. Icon Group is not endorsing any provider of products or services by facilitating access to information about these providers from its website, nor does it accept responsibility for the quality of goods and services provided by third parties accessed through this site.
Privacy Statement
Collection of Personal Information
We are committed to the protection of personal information. We understand that visitors and users of this website are concerned about their privacy, and the confidentiality and security of any information that is provided. Some information is automatically collected whenever anybody accesses this website. Additional information may be voluntarily supplied through on-line forms and e-mail for specific service delivery purposes. Icon Group will only use such information collected for the purpose for which it was supplied and such information will not be disclosed to any third party unless required by law. When you visit this website our internet Service Provider’s standard web logs record anonymous information for statistical purposes only, including: date and time of your visit to the site, pages you accessed, type of browser you are using, referring site and internet address of the server accessing our site.
Security
This website does not provide facilities for securely transmitting information across the internet. We take reasonable steps to ensure the security of all information that we collect, however no data transmission over the internet or information stored on servers accessible through the internet can be guaranteed to be fully secure. These activities are undertaken at your risk.
Changes to this Privacy Statement
This privacy policy may change from time to time particularly as new rules, regulations and industry codes are introduced.
Contact
If you have any queries about our privacy and security practices, please use the contact details found on this website.
Copyright
Materials published on the internet are protected by copyright law. Apart from fair dealing for the purposes of private study, research, criticism or review, as permitted under the Copyright Act 1968, no part may be reproduced or reused for any commercial purposes whatsoever.