We are bound by the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs). This policy explains how and why we collect, use, hold and disclose your personal information.
”We”, “us” and “our” means St John Ambulance Western Australia Ltd (ACN 165 969 406) of 209 Great Eastern Highway, Belmont, Western Australia and its related bodies corporate.
“You” and “your” refers to any person whose personal information we collect, except employee records. You consent to us collecting, holding, using and disclosing your personal information in accordance with this policy.
1. Our functions and activities
1.1 We will only collect and maintain a record of personal information if it is reasonably necessary to pursue at least one of our functions and activities in the course of fulfilling our role as a provider of ambulance, patient transport, health and medical services, and first aid services and training.
1.2 Our functions and activities include, but are not limited to:
(a) providing emergency and non-emergency ambulance and patient transport services;
(b) running the State Operations Centre which fields Triple Zero calls;
(c) delivering first aid training and services;
(d) providing medical services at public events;
(e) providing industrial health services;
(f) providing dental and urgent care health services;
(g) providing general practice medical, medical specialist, pathology and allied health services; and
(h) providing general health services.
2. What is personal information?
2.1 Personal information is any information or an opinion about an identified individual or an individual who can be reasonably identified from the information or opinion. Information or an opinion, may be personal information, regardless of whether it is true.
3. What personal information do we collect?
3.1 We collect information about you and your interactions with us, for example, when you use any of our products or services, call us, visit our website, or otherwise interact with us. The information we collect from you may include:
(a) your identity (name, age, date of birth, nationality, etc) and contact details (mailing or street address, email address, telephone number etc);
(b) identity documents (driver’s licence, passport details, birth certificate details, etc);
(c) health and medical related information (e.g. medications and medical history);
(d) CV, resume or application related information (e.g. employment history and training details, etc);
(e) financial details (e.g. credit card, tax, superannuation and financial institution details);
(f) academic record, qualifications, licences and memberships;
(g) personal interests and hobbies; and
(h) health insurance information (including Medicare details).
3.2 We may collect information about how you access and interact with our website. We do this using a range of tools, including but not limited to, Swoop, Media Mind, ThemePunch, BrowseHappy. This information may include:
(a) the location from which you have come to the site and the pages you have visited; and
(b) technical data (e.g. your IP or server address, date and time of your visit to our website, your operating system, your website browser version and the previous internet address from which you were referred to our website).
4. Sensitive Information
4.1 From time to time, we may collect sensitive information about you. Sensitive information is afforded a higher degree of privacy protection and is subject to additional standards under the Privacy Act in relation to its handling. We may collect sensitive information about you only in circumstances where you consent, we collect by lawful and fair means, and where the information is reasonably necessary for our activities of providing health services to you.
4.2 The APPs list a number of circumstances that permit the collection of sensitive information about an individual without their consent. We only collect sensitive information without an individual’s consent if one or more of those circumstances applies. For example, we may collect sensitive information without your consent where your life is at risk and you are unable to respond and we need your personal information in order to provide emergency treatment.
5. How do we collect personal information about you?
5.1 We may collect personal information either from you, or from third parties. We may collect this information when you:
(a) use our services (e.g. ambulance transports, patient transports, dialling Triple Zero, attend our medical centres, urgent care health clinics and dental clinics);
(b) purchase or access our goods or services;
(c) undertake training services (e.g. first aid training);
(d) provide volunteering services to us;
(e) communicate with us through correspondence, telephone conversations, email, or when you share information with us from other social applications, services or websites;
(f) access our website or our social media pages;
(g) donate to our organisation or undertake fundraising activities for us;
(h) attend events organised or held by us or our related bodies corporate; or
(i) otherwise deal or interact generally with our organisation.
5.2 In order to provide our services we may collect personal information from third parties, including health, medical and support service providers, allied health professionals, health insurance funds, government agencies, event organisers/partners and your family and friends.
5.3 We will only collect personal information from third parties if:
(a) we are required or authorised by or under an Australian law, or a court/tribunal order, to collect the information from someone other than you; or
(b) it is unreasonable or impracticable to collect the information directly from you; or
(c) it is provided to us in the course of us providing at least one of our functions and activities.
6. Why do we collect, use and disclose personal information?
6.1 We will only collect and hold personal information if it is reasonably necessary to pursue at least one of our functions or activities or its collection and storage is required or authorised by or under an Australian law, or a court/tribunal order.
6.2 We may collect, hold, use and disclose your personal information for the following purposes:
(a) to provide you with appropriate and safe healthcare services and treatment;
(b) to enable you to access and use our website, goods or services;
(c) to operate, protect, improve and optimise our provision of healthcare services, including ambulance/patient transfer services and first aid training and services;
(d) to assess and process the release of patient records;
(e) to investigate complaints and manage insurance claims;
(f) to send you messages, reminders, notices, updates, security alerts, and information requested by you;
(g) to send you marketing and promotional messages and other information that may be of interest to you, including information sent by, or on behalf of, our related organisations that we think you may find interesting;
(h) to consider your employment or volunteering application;
(i) billing purposes, including compliance with Medicare and health insurance fund requirements;
(j) to process donations;
(k) to assist with fundraising activities;
(l) for research or statistical activities relevant to public health or for the management, funding or monitoring of a health service;
(m) to advocate or promote our objects and purposes in relation to the activities we undertake;
(n) for governance and compliance purposes (including managing any quality, conduct or risk management issues and meeting regulatory obligations); and
(o) to comply with our legal obligations, assist government and law enforcement agencies or regulators, resolve any disputes that we may have with any of our website users, and enforce our agreements with third parties.
6.3 Generally, we will only use or disclose personal information for the purpose for which it was collected (the primary purpose), including the purposes set out above.
6.4 However, we may use or disclose personal information for secondary purposes if we receive your consent to do so, or without your consent if you would reasonably expect us to use your information for the secondary purpose, or otherwise when the APPs permit us to do so.
7. Notification of collection
7.1 At or before the time we collect personal information about an individual (or, if that is not practicable, as soon as practicable after), we will take such steps as are reasonable in the circumstances to notify the individual of the following information (Collection Information):
(a) our identity and contact details;
(b) that we have collected the personal information;
(c) if the collection of the personal information is required or authorised by or under an Australian law or a court/tribunal order – the fact that the collection is so required or authorised;
(d) the purpose for collecting the personal information;
(e) the main consequences (if any) for the individual if we do not collect all or some of the personal information;
(f) the organisations, or types of organisations, to which we usually disclose personal information of that kind;
(I) whether we are likely to disclose the personal information to overseas recipients, and if so, the countries in which such recipients are likely to be located (if practicable to do so).
7.2 Circumstances may arise where it would be reasonable for us not to provide you with notice of all or some of the Collection Information. This will often be the case when we are providing emergency ambulance services or similar.
8. Do we use your personal information for direct marketing?
8.1 We are a not-for-profit organisation that performs services for the benefit of the community and we may, from time to time, use or disclose personal information for the purpose of direct marketing. The products and services may be offered by us or our related bodies corporate.
8.2 We may send you direct marketing communications and information about our services and products. This may take the form of emails, SMS, mail or other forms of communication, in accordance with the Spam Act 2003 (Cth) and the Do Not Call Register Act 2006 (Cth).
8.3 We may use or disclose personal information (other than sensitive information) for direct marketing if:
(a) we collected the information directly from you;
(b) you have consented to, or would reasonably expect us to, use or disclose the information for that purpose; and
(c) you have not opted-out in receiving marketing communications from us by following the opt-out instructions provided in the communication.
8.4 If personal information is sensitive, we will not use or disclose the information for direct marketing without your consent.
9. To whom do we disclose your personal information?
(a) our volunteers, employees and related bodies corporate;
(b) third party suppliers and service providers (including providers in connection with providing our products and services to you);
(c) professional advisers, and agents (which includes our insurers);
(d) payment system operators;
(e) our existing or potential agents, business partners or partners;
(f) anyone to whom our assets or divisions (or any part of them) are transferred;
(g) government agencies;
(h) event organisers and venue holders;
(i) specific third parties authorised by you to receive information held by us;
(j) other persons, including regulatory bodies, healthcare providers and law enforcement agencies, or as required, authorised or permitted by law; and/or
(k) organisations who conduct medical research, public health or clinical data linkage organisations as part of an ethics committee-approved research project in compliance with the National Health and Medical Council guidelines, legislation, government agency or regulatory, directions and guidelines.
9.2 If ownership or control of all or part of our business changes, we may transfer your personal information to the new owner.
10. Receipt of unsolicited personal information
10.1 If we receive personal information that we did not solicit, we will, within a reasonable period of receiving the information, determine whether we would have been permitted to collect the information pursuant to the APPs.
10.2 If we determine that we have received personal information that we would not have been permitted to collect pursuant to the APPs (and the information is not contained in a Commonwealth record), we will as soon as practicable and where it is lawful and reasonable to do so, destroy the information or ensure that it is de-identified.
10.3 If we determine that we would have been permitted to collect the personal information pursuant to the APPs, we will ensure that the information is dealt with in a manner that complies with the APPs.
11. Disclosure to overseas recipients
11.1 From time to time, circumstances may arise where there may be a need for us to disclose personal information to an overseas recipient. This may occur in a range of circumstances, for example where data is being stored and accessed by way of cloud computing or where we correspond with the Order of St John’s international offices in London, United Kingdom.
11.2 Before disclosing personal information to an overseas recipient, we will take such steps as are reasonable in the circumstances to ensure that the overseas recipient also complies with the APPs in relation to that information, unless the APPs do not require us to do so.
11.3 We will not be required to take the steps described in clause 11.2 if:
(a) we reasonably believe that:
(i) the recipient of the information is subject to a law or a binding scheme that has the effect of protecting the information in a way that, overall, is at least substantially similar to the way in which the APPs protect the information; and
(ii) there are mechanisms that could be taken to enforce the law or binding scheme; or
(b) both of the following apply:
(i) we expressly inform the individual about whom the information relates that if they consent to the disclosure of the information, we will not be required to take the steps described in clause 11.2 above; and
(ii) after being so informed, the individual consents to the disclosure; or
(c) the disclosure of the information is required or authorised pursuant to an Australian law or a court/tribunal order; or
(d) the APPs otherwise allow us to refrain from taking the steps described in clause 11.2.
12. Our website and cookies
12.1 We may collect personal information about you when you use and access our website.
12.2 While we do not use browsing information to identify you personally, we may record certain information about your use of our website, such as which pages you visit, the time and date of your visit and the internet protocol address assigned to your computer.
12.3 We may also use 'cookies' or other similar tracking technologies on our website that help us track your website usage and remember your preferences. Cookies are small files that store information on your computer, TV, mobile phone or other device. They enable the entity that put the cookie on your device to recognise you across different websites, services, devices and/or browsing sessions. You can disable cookies through your internet browser but our websites may not work as intended for you if you do so.
13. External sites
14.1 We may hold your personal information in either electronic or hard copy form. We take reasonable steps to protect your personal information from misuse, interference and loss, as well as unauthorised access, modification or disclosure and we use a number of physical, administrative, personnel and technical measures to protect your personal information.
14.2 We will ensure that your personal information is safeguarded to ensure its confidentiality, integrity, and availability by applying safeguards so that only authorised people we our processes and systems will include:
(a) the use of identity and access management technologies to control access to systems on which information is processed and stored;
(b) requiring all employees and volunteers to comply with internal information security policies and keep information secure;
(c) requiring all employees and volunteers to complete training about information security; and
(d) monitoring and regularly reviewing our practice against our own policies and against industry best practice.
14.3 If we hold personal information about you which we no longer require, we will take reasonable steps to destroy the information or ensure that it is de-identified (unless our compliance with the APPs or a law requires us to avoid taking such steps).
14.4 We may need to maintain records of patient information in order to assist in providing relevant health services. Therefore, we may need to hold health information for longer periods of time than other kinds of personal information in order to carry out some of our functions and activities.
15. Anonymity and pseudonymity
15.1 When interacting with us, you may choose to remain anonymous or to use a pseudonym. However, we may elect not to deal with you anonymously or pseudonymously if:
(a) we are required or authorised by or under an Australian law, or a court/tribunal order, to deal with you in accordance with your identity; or
(b) it is impracticable for us to deal with you in this way.
15.2 In some circumstances, it may not be possible for us to properly provide a service without the knowledge of your identity. This will often be the case where we are providing healthcare services.
16. Quality of personal information
16.1 We will endeavour to take reasonable steps to ensure that the personal information that we collect is accurate, up-to-date and complete.
16.2 The reasonable steps that we may undertake include:
(a) ensuring that updated and new personal information is promptly added to relevant existing records;
(b) reminding individuals to update their personal information when we engage with them; and
(c) with respect to personal information in the form of an opinion, we may take the following steps to verify the accuracy of the opinion:
(i) checking that the opinion is from a reliable source;
(ii) providing the opinion to individuals before we use or disclose it;
(iii) clearly indicating on our record that the information is an opinion and identifying the individual who formed that opinion.
16.3 If you think that the personal information we hold about you might be out of date and needs to be corrected, please contact us using the details located at clause 22.
17. Accessing your personal information
17.1 You can access the personal information we hold about you by contacting us. Requests for access to personal information should be made in writing and addressed to the Privacy Officer whose contact details are located at clause 22 below.
17.2 Upon request of personal information, we will within a reasonable period of the request being made, give access to the information in the manner requested (if it is reasonable and practicable to do so), subject to exceptions set out in the APPs.
17.3 The APPs provide a list of situations in which we may deny individuals access to their personal information. These situations include where:
(a) we believe giving access would pose a serious threat to the life, health or safety of an individual, or to public health or public safety;
(b) granting access would have an unreasonable impact on the privacy of others;
(c) the request is frivolous or vexatious;
(d) the information relates to existing or anticipated legal proceedings between the individual about who the information relates and ourselves, and would not be accessible by the process of discovery in those proceedings;
(e) access would reveal our intentions in relation to negotiations with the individual in such a way as to prejudice those negotiations;
(f) granting access would be unlawful;
(g) denying access is required or authorised by or under an Australian law or a court/tribunal order;
(h) giving access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body; and
(i) denying access would be likely to prejudice the taking of appropriate action in relation to the matter.
17.4 If we refuse to give access to the personal information in accordance with the APPs, or if we refuse to give access in the manner requested, we will take such steps (if any) that are reasonable in the circumstances to give access in a way that meets our needs and the needs of the individual.
17.5 If we refuse to give access to personal information in accordance with the APPs, we will provide a written notice setting out:
the reasons for denying access to personal information (except where it would be unreasonable to provide the reasons);
(a) the mechanisms available to complain about the refusal; and
(b) any other matters prescribed by the regulations.
17.6 We may charge reasonable fees to cover our costs to respond to your request for personal information, including third party costs such as postage costs. The fees will be determined on a case by case basis and we will inform you of the likely fees before they are incurred.
18. Correction of personal information
18.1 Requests for correction of personal information should be made in writing and addressed to the contact person listed under clause 22.
18.2 If, with regard to the purpose for which it is held, we are satisfied that personal information we hold is inaccurate, out-of-date, incomplete, irrelevant or misleading, or if the individual about whom the information relates makes a request, we will take reasonable steps to correct the information. However, as a matter of practice, when we receive personal information we will hold the information for a period of time before we consider whether it is inaccurate, out-of-date, incomplete, irrelevant or misleading (unless we are informed otherwise).
18.3 If we correct personal information, we will take reasonable steps to notify any third party to whom we had previously disclosed the information, if the individual about whom the information relates requests as such and it is not unlawful or impracticable for us to do so.
18.4 If we refuse to correct personal information in accordance with the APPs, we will provide a written notice setting out:
(a) the reasons for the refusal (except where it would be unreasonable to provide the reasons);
(b) the mechanisms available to complain about the refusal; and
(c) any other matter prescribed by the regulations.
18.5 If we refuse to correct personal information in accordance with the APPs, the individual may request that we associate the information with a statement that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading. Where such a request is made, we will take reasonable steps to associate the statement so that it is apparent to the users of the personal information.
18.6 We will aim to respond to any request regarding the correction of personal information within 30 days of the request being made.
18.7 We will not charge fees for requests for the correction of personal information or for associating the statement with the personal information.
19. Making a complaint
19.1 If you have a complaint about the way in which we have handled any privacy issue, including your request for access or correction of your personal information, you should contact us using the details set out in clause 22.
19.2 Please include your name, email address and/or telephone number and clearly describe your complaint. We will acknowledge your complaint and respond to you regarding your complaint within a reasonable period of time.
19.3 We will consider your complaint and determine whether it requires further investigation. We will notify you of the outcome of this investigation.
19.4 If you remain unsatisfied with the way we have handled a privacy issue, you may approach an independent advisor or contact the Office of the Australian Information Commissioner (www.oaic.gov.au) for guidance on alternative courses of action which may be available.
20. Changes to this policy
20.2 You may obtain a copy of our current policy from our website or by contacting us at the contact details below in clause 22.
21. Your rights under the EU GDPR
21.1 Under the European Union (EU) General Data Protection Regulation (GDPR), as a data subject you have the right to:
(a) access your data;
(b) have your data deleted or corrected where it is inaccurate;
(c) object to your data being processed and to restrict processing;
(d) withdraw consent to having your data processed;
(e) have your data provided in a standard format so that it can be transferred elsewhere; and
(f) not be subject to a decision based solely on automated processing.
21.2 We have processes in place to deal with data subject rights requests. Our actions and responsibilities will depend on whether we are the controller or processer of the personal data at issue. Depending on our role as either a controller or processor, the process for enabling data subject rights may differ, and are always subject to applicable law.
21.3 Please refer to clause 22 if you have a specific need for assistance with a data subject rights request.
22. Contact us
St John Ambulance Western Australia Ltd
209 Great Eastern Highway
BELMONT WA 6104
Telephone: (08) 9334 1222
23. Meaning of key terms
Personal information, including sensitive information, will be ‘collected’ if it is included in a record or a generally available publication.
You can give consent either:
• expressly – express consent is given openly and obviously either in writing or verbally; or
• impliedly – your consent will be implied where your consent can be inferred from your conduct and our conduct.
“data subject rights”
As specified in Chapter 3 of the European Parliament and Council of European Union (2016) Regulation (EU) 2016/679.
Means any personal information about your health or disability. It includes information or opinion about your illness, injury or disability. Some examples of health information include:
• notes of your symptoms or diagnosis
• information about a health service you’ve had or will receive
• specialist reports and test results
• prescriptions and other pharmaceutical purchases
• dental records
• your genetic information
• your wishes about future health services
• your wishes about potential organ donation
• appointment and billing details
“related bodies corporate”
Means that term as defined in section 9 of the Corporations Act 2001 (Cth).
Sensitive information is personal information that includes information or an opinion about an individual’s:
• race or ethnic origin
• political opinions or associations
• religious or philosophical beliefs;
• trade union membership or associations;
• sexual orientation or practices
• criminal record
• health or genetic information
• some aspects of biometric information (including photographs and voice or video recordings of you)
• your next of kin or designated emergency contacts.