CBHS Corporate Health Privacy Policy

1 Scope

1.1 Who we are and what we do

CBHS Corporate Health Pty Ltd ABN 85 609 980 896 (CBHS Corporate) is an open-access private health insurer and provides insurance policies or products to persons who are eligible to become members of CBHS Corporate.

1.2 Purpose of this document

This document is CBHS Corporate’s privacy policy (Policy). It provides information on how CBHS Corporate collects Information that is necessary for its functions and activities. 

The term “Information” is defined in section 2 (Definitions) below.

The Policy is based on relevant requirements in:

  1. CBHS Corporate’s “Customer First” values;
  2. The Privacy Act and its APPs;
  3. The privacy legislation of Australian States and Territories; and
  4. The GDPR

The terms “APPs”, “GDPR” and “Privacy Act” are defined in section 2 (Definitions) below.

1.3 When rights under the GDPR apply

The relevant requirements in the GDPR apply to a Person whose Information We Collect while the Person is resident in a EU Country.

The terms “Collect”, “EU Country”, “GDPR”, “Person” and “Information” are defined in section 2 (Definitions) below.

The Policy is set out under the following headings:

  1. Scope
  2. Definitions
  3. Individuals whose information we collect
  4. Types of information we collect
  5. Purposes for which we collect information
  6. When and how we collect information
  7. Dealing with us anonymously or using a pseudonym
  8. Who we disclose information to
  9. Disclosing information outside Australia
  10. Direct marketing
  11. Information we collect when you use our website
  12. How we hold and protect information
  13. Accessing and requesting correction of your information
  14. Complaints about your privacy
  15. Contacting us about this policy
  16. Your consent
  17. Changing and notifying changes to this Policy

2 Definitions

The words in bold in this section have the following meanings in this Policy:

  1. APPs means the Australian Privacy Principles in the Privacy Act.
  2. Collect includes use, disclose, disclosure, holding and Processing of Personal Information. “Collects”, “collecting”, “collected” or “collection” has a corresponding meaning. The terms “Processing” and “Personal Information” are defined below.
  3. Correct includes “rectification” of inaccurate personal data as described in Article 16 of the GDPR. “Correction” or “corrected” has a corresponding meaning.The term “GDPR” is defined below.
  4. De-identify means removing or altering information that identifies a Person or is reasonably likely to identify a Person and includes the meaning of “pseudonymisation” given in Article 4 (5) of the GDPR. The term “Person” is defined below.
  5. Destroy includes “erasure” of personal data as described in Article 17 (1) of the GDPR. “Destroyed” or “destruction” has a corresponding meaning.
  6. EU Country means a current Member State of the European Union.
  7. GDPR means the General Data Protection Regulation (Regulation (EU) 2016/679) of the European Parliament and of the Council.
  8. Health Hub means a CBHS Corporate interactive health and wellness assessment centre set up at various locations in Australia, which provides an assessment of a user’s health status. “Health Hubs” has a corresponding meaning.
  9. Information means Personal Information, as defined below, unless the context indicates otherwise.
  10. Insurance Policy means private health insurance policy, Overseas Visitor Health Cover or Overseas Student Health Cover taken with CBHS Corporate. “Insurance policies” has a corresponding meaning.
  11. Person means a natural person and includes a “data subject” as described in Article 4 (1) of the GDPR. “Persons” has a corresponding meaning.
  12. Personal Information means information or a statement or opinion about an identified Person (as defined above), or from which a Person is reasonably identifiable. Personal Information includes Sensitive Information (as defined below) and “personal data” as defined in Article 4 (1) of the GDPR.
  13. Policy means this document, unless the context indicates otherwise.
  14. Privacy Act means the Privacy Act 1988 of the Commonwealth Government of Australia.
  15. Processing has the meaning given in Article 4 (2) of the GDPR unless the context indicates otherwise. “Process” or “processed” has a corresponding meaning.
  16. Sensitive Information means Personal Information (as defined above), that is health, wellbeing, biometric, genetic, sexual orientation or practices information or biometric templates. Sensitive Information includes information of a similar nature mentioned in Article 9 (1) of the GDPR.
  17. Supervisory Authority has the meaning given in Article 4 (21) of the GDPR.
  18. You or Your means any Person (as defined above) whose information We (defined below) Collect.
  19. We, Us or Our means “CBHS Corporate” as identified in section 1.1 (Who we are and what we do).

3 Individuals whose information we collect

We Collect Information from or about the following types of persons:

4 Types of information we collect

Depending upon Your needs or circumstances or the relationship You have with Us, We will Collect the following types of Information:

4.1 General

4.2 Sensitive information

CBHS Corporate Collects Sensitive Information (as defined in section 2 (Definitions) above) in various circumstances including when You:

Whenever practicable, We will require Your express consent to Collect Your Sensitive Information.

4.3 Visitors to our website

CBHS Corporate Collects information that is not Personal Information of visitors to Our website; see section 11 (Information we collect when you use our website) below. Such Information is Collected regardless of whether You complete a form from Our website.

5 Purposes for which we collect information

5.1 Products and services

CBHS Corporate Collects Information for the purposes of providing, administering and marketing its products and services. These purposes include: 

5.2 Compliance with laws

We also Collect Information to meet Our compliance and reporting obligations in Australian Commonwealth Government laws including the:

5.3 Specialised health and wellbeing programs

We develop specialised health and wellbeing programs and initiatives to assist members with day to day health and wellbeing issues such as diet and exercise as well as chronic disease management. 

We Collect Sensitive Information, as defined in section 2 (Definitions) above, to identify and communicate with members who can be enrolled in these programs. Participation in the programs is not mandatory. You may choose to or not to participate in them. If You join a program, You can withdraw from it at any time.

5.4 Consequences if information we ask for is not provided

CBHS Corporate has assessed Information it will Collect as reasonably necessary for the purposes set out above. Your needs or circumstances determine the set of Information CBHS Corporate will Collect from or about You.

We cannot compel You to provide any Information We ask for. However, in most cases, We will be unable to provide or continue to provide You with Our products or services if You fail or refuse to provide Information We ask for. Also, if You later withdraw Your consent for Your Information to be handled in accordance with all or some requirements of this Policy, We may not be able to provide or continue to provide You with Our products or services.

6 When and how we collect information

CBHS Corporate Collects Information in the following ways or circumstances.

6.1 Collecting information directly from you

Where practicable, We will Collect Information directly from You, including when You: 

6.2 Collecting information from someone else

Sometimes We Collect Information from another Person or organisation including in the following circumstances.

If You wish to deal with any Person or organisation we have engaged to act on Our behalf, We strongly advise You to first read their Privacy Policy before providing them Your Information.

7 Dealing with us anonymously or using a pseudonym

When You are dealing with Us, and it is lawful and practicable to do so, You can remain anonymous (that is, without providing Information that identifies You), or use a pseudonym (that is, use a name, term or descriptor that is different to Your actual name).

Examples of when You can remain anonymous or use a pseudonym are when You:

However, there are many circumstances in which it will not be lawful or practicable for Us to deal with anonymously or for You to use a pseudonym. Examples of such circumstances are when You wish to:

If You wish to remain anonymous or use a pseudonym when dealing with Us, tell Us at the time and We can confirm with You whether You can do so in the circumstances.

8 Who we disclose information to

The types of Persons or organisations CBHS Corporate usually discloses Information to are:

AHSA’s privacy policy and contact details can be accessed from the following link

https://www.ahsa.com.au/web/ahsa/privacy_policy.

You can make a complaint to the AHSA if You consider they have breached Your privacy. Also, You can ask them for access to the Information they hold about You or request the Information to be corrected.

9 Disclosing information outside Australia

If business needs require Us to disclose Your Information to an overseas recipient, We will take all reasonable steps to ensure the overseas recipient will not breach the Australian Privacy Principles, the Privacy Act or the GDPR in relation to the Information.

Other circumstances in which We will disclose Your Information to an overseas recipient are:

  1. If the disclosure is authorised under an Australian law or by court order; or
  2. If You request Us to disclose Your Information to an overseas recipient.

9.1 Managing requests for overseas disclosure

If You request Us to disclose Your Information to an overseas recipient, We will provide You a clear statement explaining the potential consequences of disclosing the Information to the overseas recipient.

10 Direct marketing

We or organisations acting on Our behalf may contact Our members individually or directly about Our products and services. We call this “direct marketing”. Direct marketing may be via regular mail, email, telephone, SMS or social media.

10.1 Request not to be sent direct marketing

You may request Us at any time not to send You direct marketing communication:

 We include in all direct marketing communications, information on how You can request us not to send You such communication in the future. A request will be updated as soon as reasonably practicable after receiving it.

Note that while You cannot opt out of receiving information or notices We are required by law to send to You, You can tell Us how You would like Us to send such information or notices to You.

11 Information we collect when you use our website

Our website uses “cookies”. A “cookie” is a packet of information that allows the website server to identify and interact more effectively with Your computer. 

When You use the website, We send a cookie that gives each computer a unique identification number. Cookies do not identify individuals, although they do enable Us to identify Your browser type and internet service provider. Your browser may be configured to accept all cookies, reject all cookies or notify the user when a cookie is sent. If You reject all cookies, You may not be able to use Our website or the Member Service Centre. 

We use third-party service providers such as Google to undertake demographic analysis of visitors to Our website (“Google Analytics”). We Collect and use information from cookies and Google Analytics to:

By using Our website, You consent to the Collection of information about the use of Your computer by Google in the manner described in Google's Privacy Policy and for the purposes set out above. You can opt out of Google Analytics if You disable or refuse the cookie, disable JavaScript, or use the Google opt out feature at: https://tools.google.com/dlpage/gaoptout

Also, Our website uses interfaces with social media sites such as Facebook. If You choose to "like" or “share" information from Our website through such sites, You should read the privacy policy of the social media site. The interfaces Our website uses may allow the social media site to connect Your visits to Our website with the information the social media site holds about You.

12 How we hold and protect information

We primarily store Information on Our premises in electronic form in Our information technology systems.

To meet legislative, regulatory and business continuity requirements, We store copies of some documents containing Information in a remote, secure location in Australia.

If We convert paper-based documents to electronic form, We Destroy the originals securely. Paper-based documents We hold on temporary basis are held securely at Our premises or by third-party document management or mail processing service providers in Australia. 

We maintain physical and operational security over Our paper and electronic data stores. We also maintain computer and network security for Our information technology systems. For example, We use firewalls and other security systems, such as user identifiers and passwords, to control access to Our information technology systems. 

12.1 Information we no longer need

If We no longer need Information, and We are not required by law to retain it, We will take reasonable and practical steps to destroy or De-identify the Information securely in accordance with Our document retention policy.

The criteria We use to determine the period for which We keep Information include:

12.2 Dealing with unsolicited information

If We receive Information We did not ask for and We determine it is not required for any of Our functions or activities, We will attempt to return it to the sender if it is contained in a document. If We cannot return the document to the sender, or the Information is contained in a voice recording, We will destroy the Information or document securely as soon as reasonably practicable.

13 Accessing and requesting correction of your information

13.1 Reasons for seeking access

You can request access to Your Information at any time by using the contact details set out in section 15 (Contacting us about this policy ) below. Your reason for seeking access could be simply to know what information We hold about You, to request a copy the Information, to request its correction or to exercise any right You have under the GDPR, including the rights to request correction, destruction or restriction of Processing of the Information (see section 1.3 (When rights under the GDPR apply) above).

13.2 Request for access to information

When You request access to Your Information, We will first identify You to ensure You are the right Person to be given access to the Information.

Requests for access are actioned as soon as practicable, and in any case within 30 days of receiving the request.

If We refuse to give access to Information, We will give You a written notice setting out Our reasons, Your right to make a complaint about Our refusal and any matter We are required by law to notify You about.

13.3 Fee for providing access

While requests for access to Information are free of charge, administrative fees may be charged for retrieving some types of Information and providing it in the form You have requested. If the circumstances apply in Your case, We will inform You and request payment of the fee before giving You access to the Information.

13.4 Requesting correction of information

If You believe Information We hold about You is inaccurate, out-of-date, incomplete, irrelevant or misleading, You can request Us to Correct it at any time by using the contact details set out in section 15 (Contacting us about this policy) below.

13.5 Responding to requests to correct information

We will respond to the request as soon as practicable, in any case within 30 days of Us receiving the request.

If We refuse to Correct Your Information as requested, We will give You a written notice setting out Our reasons (unless it is unreasonable to do so), Your right to make a complaint about Our decision and any matter We are required by law to notify You about.

13.6 Associating a statement if we refuse to correct information

If We refuse to Correct Your Information, You can ask Us to associate a statement with the Information that You believe the Information is inaccurate, out-of-date, incomplete, irrelevant or misleading. We will respond to the request as soon as practicable, in any case within 30 days of Us receiving the request.

13.7 Notifying others about correction of your information

You may ask as to notify another Person We previously disclosed Your Information to that We have corrected it. We will action Your request as soon as reasonably practicable.

If the GDPR applies to your Information (see section 1.3 (When rights under the GDPR apply) above), We will notify any such Person as soon as practicable unless this proves impossible or involves disproportionate effort.

14 Complaints about your privacy

CBHS Corporate has a Complaint Handling and Dispute Resolution Policy for member complaints including privacy complaints. A copy of this policy is available at: https://www.cbhscorporatehealth.com.au/about-us/contact/disputes-complaints

You may make a complaint about a breach of Your privacy by contacting Our Privacy Officer whose contact details are set out in section 15.1 (Privacy Officer’s contact details) below. The complaint should first be made in writing.

Our Privacy Officer will first determine if, on the information available, We have breached Your privacy, and if so, take steps to resolve the complaint within 3 days of receiving the complaint.

If Your complaint requires more detailed consideration or investigation, the Privacy Officer may ask You to provide further information. In such a case, the Privacy Officer will endeavour to respond to the complaint as soon as reasonably practicable and, in any case, within 30 days.

If You are not satisfied with Our response to Your complaint, You may take the complaint to either the Private Health Insurance Ombudsman (PHIO) or to the Office of the Australian Information Commissioner (OAIC) whose contact details are below.

14.1 PHIO’s contact details:

Telephone: 1300 362 072 (option 4 for private health insurance)

Online complaint form:

https://forms.business.gov.au/smartforms/servlet/SmartForm.html?formCode=oco-complaint-form

Email: phio.info@ombudsman.gov.au
Address:
The Private Health Insurance Ombudsman
Office of the Commonwealth Ombudsman
GPO Box 442
Canberra ACT 2601
Fax: (02) 6276 0123 
Website: www.ombudsman.gov.au
Additional information:
http://www.ombudsman.gov.au/making-a-complaint/complaints-overview

14.2 OAIC contact details

Email: enquiries@oaic.gov.au
Address:
The Office of the Australian Information Commissioner
GPO Box 5218
Sydney NSW 2001 

Additional information

 http://www.oaic.gov.au/privacy/making-a-privacy-complaint

14.3 Information regulated by GDPR

If Your complaint is based on Information regulated by the GDPR (see section 1.3 (When rights under the GDPR apply) above), You may make a complaint directly to the Supervisory Authority in the relevant EU Country or make the complaint to Our Privacy Officer whose contact details are set out in section 15.1 (Privacy Officer’s contact details) below.

15 Contacting us about this policy

You may contact CBHS Corporate for any reason, including to:

15.1 Privacy Officer’s contact details

Email: privacy@cbhscorp.com.au
Address: 
Privacy Officer
CBHS Corporate Health Pty Ltd
Locked Bag 5098
Parramatta NSW 2124

15.2 Other contact details

Telephone: 1300 586 462
Fax: (02) 8604 3576
General enquiries Emailhelp@cbhscorp.com.au
Complaints Email - complaints@cbhscorp.com.au

16 Your consent

16.1 Consent required

Whenever practicable, CBHS will obtain Your express consent for Your Information to be collected in accordance with the requirements of this Policy.

16.2 Withdrawal of consent

You may withdraw Your consent to the collection of Your information at any time after giving it in the following circumstances:

16.3 Consequences if you withdraw consent

In some cases, We may not be able to provide You or continue to provide You Our products or services after You have withdrawn Your consent.

Also, if we are required by law or an internal policy to retain Your Information for a period (see section 12.1 (Information we no longer need) above), we will retain the Information for that period after You have withdrawn Your Consent.

16.4 If we refuse your request to withdraw consent

If We refuse to allow You to withdraw Your consent in accordance with section 16.2 (Withdrawal of consent) above, We will provide You our written reasons for the refusal and include information on Your right to make a complaint about Our refusal and any matter We are required by law to inform You about.

17 Changing and notifying changes to this Policy

CBHS Corporate may review this Policy at any time and publish a revised version on its website at: 
https://www.cbhscorporatehealth.com.au/policies/privacy-policy.

You can request a copy of this Policy free of charge by contacting Us: see section 15.1 (Privacy Officer’s contact details); or section 15.2 (Other contact details) above. If it is practicable to do so, We will provide a copy of the Policy in the form You have requested it.

Public document - Last updated September 2019