Our practice policy prevents sharing patient before and afters online.    Indicative before and after photos can be viewed during your consultation.   

Our practice is committed to best practice in relation to the management of information we collect. This practice has developed a policy to protect patient privacy in compliance with the Privacy Act 1988 (Cth) (‘the Privacy Act’). Our policy is to inform you of:

• the kinds of information that we collect and hold, which, as a medical practice, is likely to be ‘health information’ for the purposes of the Privacy Act;
• how we collect, hold and access personal information;
• the purposes for which we collect, hold, use and disclose personal information;
• how you may access your personal information and seek the correction of that information;
• how you may complain about a breach of the Australian Privacy Principles and how we will deal with such a complaint;
• whether we are likely to disclose personal information to overseas recipients;

What kinds of personal information do we collect?

The type of information we may collect and hold includes:

• Your name, address, date of birth, email and contact details
• Medicare number , DVA number and other government identifiers, although we will not use these for the purposes of identifying you in our practice
• Other health information about you, including:
  • notes of your symptoms or diagnosis and the treatment given to you
  • your medical history
  • your specialist reports and test results
  • your appointment and billing details
  • your prescriptions and other pharmaceutical purchases
  • your healthcare identifier
  • other health providers involved in your care
  • your BMI for safe surgery guidelines
  • standardised psychological screening information as required by Plastic and Cosmetic Surgery Regulations (July 23)

How do we collect and hold personal information?

We will generally collect personal information:

• from you directly when you provide your details to us. This might be via a face to face discussion, telephone conversation, registration form or online form
• from a person responsible for you
• from third parties where the Privacy Act or other law allows it - this may include, but is not limited to: other members of your treating team, diagnostic centres, specialists, hospitals, the My Health Record system, electronic prescription services, Medicare, your health insurer, the Pharmaceutical Benefits Scheme

Why do we collect, hold, use and disclose personal information?

In general, we collect, hold, use and disclose your personal information for the following purposes:

• to provide health services to you
• to communicate with you in relation to the health service being provided to you, or you may receive a practice newsletter from time to time. Please advise if you do not wish to be involved in this system. 
• to comply with our legal obligations, including, but not limited to, mandatory notification of communicable diseases or mandatory reporting under applicable child protection legislation.
• to help us manage our accounts and administrative services, including billing, arrangements with health funds, pursuing unpaid accounts, management of our ITC systems
• for consultations with other doctors and allied health professional involved in your healthcare;
• to obtain, analyse and discuss test results from diagnostic and pathology laboratories
• for identification and insurance claiming
• If you have a My Health Record, to upload your personal information to, and download your personal information from, the My Health Record system.
• Information can also be disclosed through an electronic transfer of prescriptions service.
• To liaise with government and regulatory bodies such as Medicare, the Department of Veteran's Affairs and the Office of the Australian Information Commissioner (OAIC) (if you make a privacy complaint to the OAIC), as necessary.

How can you access and correct your personal information?

You have a right to seek access to, and correction of the personal information which we hold about you.  An administrative fee of $20 is payable for copies of records.   

For details on how to access and correct your health record, please contact our practice as noted below.   We will normally respond to your request within 7 days.Y

How do we hold your personal information?

Our staff are trained and required to respect and protect your privacy and have signed confidentiality statements to this effect.   We take reasonable steps to protect information held from misuse and loss and from unauthorised access, modification or disclosure including multi-factor access and strong passwords to our systems.    

Your medical records are held in our medical record management system.   For security reasons we have not provided the name of our system here.   

The following information applies to our record management system: 

An Australian-based cloud provider, whose infrastructure is designed to adhere to security best practices. Your data is protected by multiple layers of defence including physical, network, and encryption.

Privacy related questions and complaints

If you have any questions about privacy-related issues or wish to complain about a breach of the Australian Privacy Principles or the handling of your personal information by us, you may lodge your complaint in writing to (see below for details). We will normally respond to your request within 30 days.

If you are dissatisfied with our response, you may refer the matter to the OAIC:

Phone: 1300 363 992

Email: enquiries@oaic.gov.au

Fax: +61 2 9284 9666

Post: GPO Box 5218 
Sydney NSW 2001

Anonymity and pseudonyms

The Privacy Act provides that individuals must have the option of not identifying themselves, or of using a pseudonym, when dealing with our practice, except in certain circumstances, such as where it is impracticable for us to deal with you if you have not identified yourself.    Please note the provision of medical services will be impacted and is likely to be impracticable.     

Overseas Disclosure

Web traffic information is disclosed to Analytics when you visit our website. Analytic services store information across multiple countries.    When you communicate with us through a social network service such as Facebook or Twitter, the social network provider and its partners may collect and hold your personal information overseas.

Updates to this Policy

This Policy will be reviewed from time to time to take account of new laws and technology, changes to our operations and other necessary developments. Updates will be in this location website.

Website and Social Media

Website analytics and cookies

The website primarily uses Analytics to help us continually improve the user experience.

Analytics are hosted by a third party to collect data about your interaction with our website. The type of data that we may collect includes:

• your device’s IP address,
• type of device,
• browser used to visit the website,
• geographic location,
• search terms
• pages visited, and
• date and time when website pages were accessed.

Analytics collects information using cookies. Cookies are small data files transferred onto computers or devices by websites. We use cookies on our website for record-keeping purposes and to enhance the website’s functionalities.

Most browsers allow you to choose whether or not to accept cookies. You can find further information on how to manage or disable cookies in common browsers below:

• Google Chrome
• Internet Explorer
• Firefox
• Safari

If you disable all cookies in your browser, you may find that certain sections of our website may not work.

Our Subscriber Services

• Newsletter  We send out our newsletter to subscribers. You can subscribe to this service by providing a name and email address.  You may choose to provide a pseudonym or first name rather than your own full name.  Email addresses will be used to deliver our newsletter to you, and from time to time other information related to our Services that we think you may find interesting.   You may unsubscribe at any time. 
• Blog  You may subscribe to our Blog by providing your email address.  If you choose to participate in the Blog you are also required to provide a name. You may choose to provide a pseudonym or first name rather than your own full name. Using the email address you provide we may deliver to you from time to time other information related to our Services that we think you may find interesting.   You may unsubscribe at any time.
• e-Books: You may download e-Books from our website, but to do so you are required to provide some personal information, including your name and email address.   Using the email address you provide we may deliver to you from time to time other information related to our Services that we think you may find interesting.   You may unsubscribe at any time.
  
  

Our Subscriber Services are managed for us.   How this is handled is governed by Australian Law and our agreement which prohibits the service from using your personal information except to provide our Subscriber Services.    By giving us your personal information to receive Subscriber Services, you consent to our disclosure of this information to that service to help us provide the Subscriber Services.

Third Party Websites

In addition to our websites, which we control directly, we also use and provide links to websites that are controlled by third parties, including:

Google maps, Facebook, Instagram

Royal Australian College of Surgeons

Plastic Research University of Louisville

Royal College of Surgeons of Edinburgh

PACES Plastic Surgery Atlanta USA

Australian Medical Association

Australian Society of Aesthetic Plastic Surgeons

National Medical Board of Australia

American Society of Plastic Surgeons

Australian Society of Plastic Surgeons

If you use or follow a link to any of these third party websites, please be aware that these websites have their own privacy policies and that we do not accept any responsibility for how they use information obtained about you from your use of their website.  It is your responsibility to read and understand the privacy policies of these entities.

Contact details for privacy related issues

Practice Manager

02 9387 2110

info@naveensomia.com.au

JULY 23 VERSION

We all have a right to a workplace free from bullying, harassment and discrimination. We also have a responsibility to ensure that our own behaviour contributes to a respectful environment for everyone.

To build and maintain a respectful workplace, both staff and patients are responsible for always:

• treating each other with respect and consideration
• being inclusive, valuing others and accepting their differences
• recognising the efforts and achievements of others
• considering our impact on others
• calling out and addressing behaviour that can lead to bullying, harassment and discrimination

In addition, managers or principals are responsible for setting clear expectations of respectful behaviour and responding to ideas, concerns, complaints and feedback with empathy, fairness, dignity and respect.

This policy explains how the Australian Digital Health Agency (the Agency), as System Operator under the My Health Records Act 2012 (Cth), collects, uses, and discloses personal information to operate and manage the My Health Record system.

This information is handled subject to the My Health Records Act, Healthcare Identifiers Act 2010 (Cth), and Privacy Act 1988 (Cth). This policy is published in accordance with Australian Privacy Principles (APPs) in Schedule 1 of the Privacy Act.

When we refer to 'System Operator', 'our', 'we' or, 'us' in this policy, this may include our delegates in the Department of Health or the Chief Executive Medicare and contractors who assist us to carry out our functions.

When we refer to 'you' or 'your' in this policy, we may be referring to you as a healthcare recipient with a My Health Record, or to another person who is a representative authorised to manage your My Health Record under the My Health Records Act. We may also be referring to a healthcare provider or other authorised staff of a registered healthcare provider organisation.

References to personal information in this policy may also include health information or culturally and linguistically diverse (CALD) information. Health information is a type of personal information that is about your health or disability. Health information is considered sensitive information and generally has a higher level of privacy protection than other types of personal information.

CALD information is also considered sensitive information and includes information or opinion about an individual’s race or ethnicity. This includes the individual’s preferred language and country of birth.

Technical terms, such as 'System Operator', are explained in our glossary. If you have any questions about the terms used in this policy, please contact us using the contact details at the end of this policy.

If you would like to access this policy in an alternative format or language, for example if you have a disability or are from a non-English speaking background, please contact us using the contact details at the end of this page. We will take reasonable steps to provide you with alternative access.

We only collect, use, and disclose personal information where this is permitted by the My Health Records Act, Healthcare Identifiers Act, and the Privacy Act to fulfil our functions as the System Operator.

Specific information about the personal information we collect, use, and disclose to carry out specific activities is outlined below.

What is 'personal information'?

Personal information is information or an opinion about an identified individual or an individual who is reasonably identifiable from that information.

Collection of your personal information

To register and create a My Health Record for yourself or someone else, we need to collect your personal information. This includes:

• your and/or the other person’s name,
• sex,
• Medicare number,
• Department of Veterans’ Affairs (DVA) number, and
• date of birth.

We also collect evidence of identity information or documentation from you as part of this process.

We collect this personal information directly from you. We may also collect this information from:

• a registered healthcare provider organisation
• the National Repositories Service (NRS)
• a participating registered repository operator
• your authorised or nominated representative

If you are registering for a My Health Record on behalf of someone else as their authorised representative, we also need to collect evidence of your authority to act on their behalf.

We also collect health information or culturally and linguistically diverse (CALD) information when you register and create a My Health Record for yourself or another person.

Collecting sensitive information

We may need to collect sensitive information about you. This might include information about your health, racial or ethnic origin, political opinions, association memberships, religious beliefs, sexual orientation, criminal history, genetic or biometric information.

We may collect sensitive information from you only where the collection of the information is reasonably necessary for, and directly related to, our functions and activities and with your consent. However, there are exceptions to this principle. We may collect sensitive information about you without your consent if we reasonably believe it is necessary. These exceptions are:

• Collecting sensitive information as required or authorised by an Australian law or to comply with a court or tribunal order
• Collecting sensitive information where a permitted general situation exists. This includes:
•  Lessening or preventing a serious threat to life, health, or safety
• Taking appropriate action in relation to suspected unlawful activity or serious misconduct
• Locating a person reported as missing
• Reasonably necessary for establishing, exercising, or defending a legal or equitable claim
• Reasonably necessary for a confidential alternative dispute resolution process

If we do collect, use, or disclose your personal information in this way we will explain why we have done so.

Anonymity/Pseudonymity

You may be eligible to have a My Health Record under a pseudonym. For information, including to see if you are eligible, please contact us.

If you contact us with a general question, we will not ask for your name unless we need it to adequately handle your question.

In other limited circumstances, we will allow you to interact with us anonymously or using a pseudonym. However, we usually need your name, contact information and enough information about your matter to enable us to handle your enquiry, request or complaint fairly and efficiently.

Collecting through our website

We will collect your personal information if you provide it when using the Agency website. We will use and disclose this information for the purpose for which you provided it. Your first name and the content of your email, and any additional information you choose to provide, may also be used for reporting and feedback purposes.

Website analytics and cookies

The Agency website primarily uses Google Analytics to help us continually improve the user experience.

Google Analytics is hosted by a third party. We use Google Analytics to collect data about your interaction with our website. The type of data that we may collect includes:

• your device’s IP address,
• type of device,
• browser used to visit the website,
• geographic location,
• search terms
• pages visited, and
• date and time when website pages were accessed.

Google Analytics collects information using cookies. Cookies are small data files transferred onto computers or devices by websites. We use cookies on our website for record-keeping purposes and to enhance the website’s functionalities. The Agency collects other information about user interaction through cookies associated with:

• Google Fonts,
• New Relic and
• SolarWinds Pingdom.

We use cookie data to improve your experience when using our website.

Most browsers allow you to choose whether or not to accept cookies. You can find further information on how to manage or disable cookies in common browsers below:

• Google Chrome
• Internet Explorer
• Firefox
• Safari

If you disable all cookies in your browser, you may find that certain sections of our website may not work.

Disclosure of personal information overseas

Web traffic information is disclosed to Google Analytics when you visit our websites. Google stores information across multiple countries.

When you communicate with us through a social network service such as Facebook or Twitter, the social network provider and its partners may collect and hold your personal information overseas.

Social Networking

We use social networking services such as Twitter, Facebook, LinkedIn, and YouTube to communicate with the public about our work. When you communicate with us using these services we may collect your personal information, but we only use it to help us to communicate with you and the public. The social networking service will also handle your personal information for its own purposes. These services have their own privacy policies. You can access the privacy policies for Twitter, Facebook, LinkedIn, and YouTube (a Google company) on their websites.

Disclosure

We may disclose personal information included in a My Health Record if it is required or authorised under the My Health Records Act. This does not include your personal health notes. The limited circumstances where your personal information may be required or authorised to be disclosed include when it is:

• to you (including your authorised representatives and nominated representatives)
• to provide healthcare, in accordance with any access controls set by you
• with your consent
• for the management or operation of the My Health Record system – if you would reasonably expect this to occur. For example, it may be to resolve any technical or other issues that may have an impact upon the accuracy, security, or privacy of information in your My Health Record
• for emergency access purposes. For example, if you are injured or unable to communicate to those caring for you or providing a health service to you
• authorised by the Auditor-General Act 1997 (Cth) or the Ombudsman Act 1976 (Cth)
• under any other law to the extent where it requires the handling of the health information so that the Australian Information Commissioner can perform its functions
• for a purpose relating to the provision of indemnity cover for a healthcare provider, or
• if we suspect unlawful activity relating to our functions has occurred or may be occurring.

Should this occur, we will handle health information if we reasonably believe that it is necessary to investigate the matter or report our concerns to the relevant person or authority. However, we are only authorised to disclose the minimal amount of personal information necessary for the relevant person or authority to identify the matter sufficiently, to consider it and to apply a judicial order in relation to the matter.

• to courts and tribunals under an order or direction (and only where the order or direction relates to a limited type of proceedings)
• under a coroner’s direction or order, or
• to limited Commonwealth, state or territory authorities who are not courts, tribunals, or coroners, who have particular powers specified in the My Health Records Act, and only where they have obtained an order from a judicial officer.

Some authorisations listed above do not include handling your personal health notes.

My Health Record data used for research and other purposes

Part 7 of the My Health Records Act established the role of the Data Governance Board (the Board). The Board oversees the operation of the secondary use governance framework as outlined in the Framework to guide the Secondary Use of My Health Record system data.

The Board’s role also includes guiding and directing us to prepare and provide de-identified data for research or public health purposes and, with the consent of the healthcare recipient, health information for the same purposes.

We may also use and disclose de-identified aggregated My Health Record information to educate healthcare provider organisations and the public about the use and performance of the My Health Record system.

Quality of personal information

To ensure that the personal information we collect is accurate, up-to-date, and complete we:

• record information in a consistent format
• where necessary, confirm the accuracy of information we collect from a third party or a public source
• promptly add updated or new personal information to existing Record
• regularly audit our contact lists to check their accuracy.

We also review the quality of personal information before we use or disclose it.

Storage and security of personal information

The protection of your personal information is something we take very seriously, and we are committed to keeping it secure. We take significant precautions to protect personal information from misuse and loss, and from unauthorised access, modification, or disclosure.

A range of measures are in place to protect information in the My Health Record system, including:

• robust multi-tiered technical security controls, which protect the integrity, confidentiality, and availability of health information
• comprehensive monitoring of access to the My Health Record system, to identify and investigate suspicious or inappropriate behaviour
• strong authentication processes to provide access to authorised users only
• use of encryption protocols and algorithms that comply with standards set by the Australian Signals Directorate, to ensure that all data is encrypted in transit and at rest
• certification and accreditation of the My Health Record system to the Protected level, under the Australian Government Information Security Manual
• regular detailed security assessments, undertaken under the Australian Government InfoSec Registered Assessors Program (IRAP), to maintain accreditation of the system
• rigorous security assurance processes, including penetration testing, regular threat and risk assessments, and pre-release testing prior to implementation of new system functionality
• educating our employees, contractors and delegates on their obligations when handling personal information, including compliance with security clearance and authentication requirements
• a requirement that participants in the My Health Record system such as registered healthcare providers, registered contracted service providers, registered portal operators and registered repository operators must comply with security obligations outlined in the My Health Records Act and the My Health Record Rule 2016 to maintain eligibility for registration
• provision of an access history in each individual My Health Record, to enable you to monitor access to your record
• in cases where we are satisfied that an individual or participant may compromise the security or integrity of the My Health Record system, we may refuse to register that individual or participant in the My Health Record system or suspend or cancel their registration.

A mandatory data breach reporting framework under s 75 of the My Health Records Act which:

• requires participants in the My Health Record system to report actual or potential contraventions of the My Health Records Act that have or may have involved them. It also includes occurrences or circumstances that may compromise the security or integrity of the My Health Record system. This includes any unauthorised collection, use or disclosure of health information in a My Health Record, and
• requires participants in the My Health Record system with these reporting obligations to contain the actual or potential contravention, event, or circumstances. This includes evaluating the risks arising from them as soon as practicable after becoming aware of the relevant contravention, event, or circumstance.

Accessing and correcting your personal information

Under the Privacy Act, you have a right to access the personal information we hold about you. If you cannot find the personal information you are looking for directly through your My Health Record, please contact us for assistance.

You can also view which healthcare provider organisations and nominated, or authorised, representatives have accessed or updated your My Health Record at any time through your access history. If you are concerned about something in your access history, or a notification that you have received, please contact us. We investigate all issues reported to us.

If you consider the personal information we hold that is about you is not accurate, complete, or up to date, please contact us as soon as possible for assistance.

How to make a complaint

If you wish to complain to us about how we have handled your personal information you should first complain to us in writing by sending your enquiry or complaint to our postal address (see below) or by email to privacy@digitalhealth.gov.au. Please address your correspondence to ‘The Privacy Officer’. If you need help lodging a complaint, you can contact us - see ‘How to contact us’ below.

If we receive a complaint from you about how we have handled your personal information we will determine what, if any, action we should take to resolve the complaint.

If we decide that a complaint should be investigated further, the complaint will usually be handled by a more senior officer than the officer whose actions you are complaining about.

We will assess and handle complaints about the conduct of Agency staff using the APS Values and Code of Conduct and the guidelines issued by the Australian Public Service Commission.

We will tell you promptly that we have received your complaint and then respond to the complaint within 30 days.

If you are dissatisfied with the outcome of the complaint or the way in which the complaint was handled, you may contact the Office of the Australian Information Commissioner for advice about your complaint.

CONTACT US

You can contact us by:

Website: See our online contact form

Telephone: 1300 901 001, 8am - 5pm (AEST/AEDT), Monday - Friday

Email: help@digitalhealth.gov.au

Assisted contact: 

• If you need an interpreter, call TIS National on 131 450
• For hearing or speech assistance, contact the National Relay Service or call 1300 555 727.
• myGov Helpdesk: 132 307 (option 1), available 7am - 10pm, Monday - Friday and 10am - 5pm, Saturday - Sunday in local Australian time zones.
• Medicare: 132 011, available 24 hours a day, 7 days a week.

This policy was last reviewed on 17 June 2022.