Privacy Policy

Last Updated: March 2026

1. Our Commitment

We protect personal information through strong governance, secure technology, transparent practices, and compliance with applicable privacy and health information laws.

2. Regulatory Framework

We comply with applicable laws including the Privacy Act 1988 (Cth) (including the Australian Privacy Principles and the Notifiable Data Breaches scheme), the Health Records and Information Privacy Act 2002 (NSW), the GDPR (EU), the UK GDPR, the New Zealand Privacy Act 2020, HIPAA principles (where applicable), and emerging AI and digital health frameworks. Where multiple laws apply, we adopt the higher standard. For individuals in the EU and UK, His Medical Clinic generally acts as the data controller for patient-facing services. Where required, we appoint an EU and/or UK representative and publish their contact details on our website or provide them upon request.

3. Lawful Bases for Processing

We process personal information under contract performance, legal obligations, legitimate interests, explicit consent (where required), vital interests, and public interest in healthcare. Health information is processed in accordance with Article 9(2)(h) GDPR and equivalent provisions. Where we rely on legitimate interests, we consider your rights and reasonable expectations. You may object as described in ‘Your Rights’.

4. Information We Collect

We collect information reasonably necessary for delivering our services and meeting legal obligations, including identity and contact information, health and clinical information, financial and billing information, technical and device information, and communications and telehealth metadata. Where clinically appropriate and permitted by law, we may record consultations for governance, safety, training, or dispute resolution and will inform you where recording occurs.

5. How We Collect Information

Information is collected via telehealth consultations, digital assessments, secure messaging, identity verification processes, payment providers, pharmacies, laboratories, government systems, and cookies/analytics technologies.

6. Use of Personal Information

We use information for clinical care, operations, regulatory compliance, security, research (using de-identified data), and opt-in marketing. You may unsubscribe at any time using the unsubscribe function or by contacting us.

7. AI and Automated Decision Support Governance

AI systems support but do not replace clinicians, operate under human oversight, and do not make autonomous clinical decisions. We do not make decisions producing legal or similarly significant effects solely by automated processing without human review, unless permitted by law and subject to appropriate safeguards.

8. Disclosure of Information

We may disclose information to clinicians, allied providers, pharmacies, pathology providers, government agencies, payment processors, cloud vendors, insurers (with authorisation), and emergency services. We do not sell personal information. Third parties processing data on our behalf are contractually required to implement appropriate confidentiality and security protections.

8A. Allied and Non-Medical Service Providers

Where Allied Providers deliver services within a program coordinated by His Medical Clinic, we share only the information reasonably necessary for that program. Allied Providers are independent contractors and must comply with applicable privacy obligations. If you continue engaging an Allied Provider outside the program, those services are provided under a separate private arrangement and are governed by that provider’s privacy practices.

9. International Data Transfers

Personal information may be stored or processed in Australia, the United States, the United Kingdom, the European Union, Singapore, and New Zealand. Safeguards may include Data Processing Agreements, EU Standard Contractual Clauses, the UK International Data Transfer Addendum, Transfer Impact Assessments, encryption, access controls, vendor due diligence, and oversight of sub-processors.

10. Data Retention

We retain information only as long as reasonably necessary, unless longer retention is required by law. Clinical records are retained for at least 7 years, or longer where the applicable jurisdiction or clinical context requires. Billing and taxation records are retained in accordance with financial laws. Regulatory records are retained in line with statutory obligations. We may refuse deletion where retention is legally required or necessary for legal claims. Information no longer required is securely deleted or de-identified.

11. Data Security

We implement encryption, multi-factor authentication, role-based access controls, secure development lifecycle practices, penetration testing, and continuous monitoring.

12. Data Breach Management

We will contain, assess, notify affected individuals and regulators where required, and implement remediation measures in accordance with statutory obligations.

13. Children’s Privacy

We do not provide services to individuals under 18 in Australia or under the applicable age of digital consent in other jurisdictions.

14. Your Rights

You may access, correct, delete (where permissible), withdraw consent, request portability, and object to processing. We may verify your identity before acting on a request and aim to respond within statutory timeframes. You may lodge a complaint with the Office of the Australian Information Commissioner (OAIC), the UK Information Commissioner’s Office (ICO), or your local EU supervisory authority.

15. Updates

We may update this Privacy Policy from time to time. Continued use of services constitutes acceptance of the updated version.

16. Contact

Privacy Officer
care@hismedicalclinic.com
1300 177 171
Level 9, 66 Goulburn Street
Sydney NSW 2000 Australia