We respect your privacy and recognise the importance of keeping your personal information confidential, as bound by the Australian Privacy Principles (APPs) set out in the Privacy Act 1988 (as amended).
1. Purpose of Policy
2. Context and Background
The Policy aligns with the Australian Privacy Principles (‘APPs’) contained within the Privacy Act 1988 (Cth) (‘Privacy Act’). The APPs provide a regulatory framework for the collection, use and disclosure, quality, security, access and correction of personal information.
The Policy is a core component of HIF’s Compliance Management Framework (‘CMF’) and applies to all:
- current, new and past members of HIF; and
- contractors, suppliers and any individual or third party organisation that HIF may engage in the course of conducting business.
3.1 Personal Information
According to the Privacy Act, personal information is defined as: “Information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not”.
Some examples of personal information are name, date of birth and contact information.
3.2 Sensitive Information
According to the Privacy Act, sensitive information is defined as: “Information or opinion (that is also personal information) about an individual’s:
- racial or ethnic origin;
- religious beliefs or affiliations;
- philosophical beliefs;
- sexual orientation or practices;
- criminal record; and
- health information about an individual, including:
- genetic information (that is not otherwise health information); and
- biometric information.”
Sensitive information is a subset of personal information. Unless otherwise stated, any reference to personal information in the Policy includes sensitive information.
4.1 Collection of personal information
HIF will collect personal information about members and third parties in a fair, lawful, reasonable, and unintrusive manner.
HIF may collect personal information under the following circumstances:
- directly from a member upon engaging with HIF distribution channels including: the website and web chat, email, telephone calls, or face-to-face interactions. The information will be collected with consent and only if the information is reasonably necessary to inform for one or more of HIF’s functions, or where it is required by law and in compliance with the APPs;
- from another member on the same health insurance policy, or a person authorised to provide personal information on behalf of an individual;
- from third parties, including travel and pet insurance partners and outsourced partners;
- from health service providers and hospitals; and
- from a previous insurer, when a transfer has been requested to move private health insurance arrangements from that fund to HIF.
By becoming or remaining a member of HIF, or by otherwise providing personal information to HIF, members confirm that they have consented to HIF collecting, using and disclosing personal information in accordance with the Policy. This extends to all individuals covered under a health insurance policy.
4.2 Collection and use of personal information online
All personal information collected via the HIF website is done so with explicit and immediate consent. Individuals are not required to provide HIF with personal information when visiting our website, unless completing a formal application for membership.
Online Member Centre
4.3 Types of personal information collected and held
The types of personal information HIF may collect and hold include:
- contact information (such as name, email address and phone numbers);
- government identifiers (such as Medicare details);
- financial information (such as credit card and bank account details, income tier for the purposes of rebate); and
- previous health information (such as your past health insurance claims).
HIF may also collect and hold sensitive information, including information about an individual’s health and medical history, where this directly relates to our primary purpose of managing private health insurance policies or paying claims.
HIF will only collect, utilise or disclose government identifiers, such as Medicare numbers, in a way that is consistent with its original purpose. HIF will not adopt, as its own identifier, an identifier of an individual that has been assigned to an individual by the Commonwealth Government or any of its service provider agencies.
4.4 What happens in the event that personal information is not provided
Individuals have the right not to identify themselves, or may use a pseudonymous identity when contacting HIF for general information. However, under these circumstances, it may not be practical for HIF to provide relevant information pertaining to its products and services, nor carry out functions such as process claims, pay benefits, confirm lifetime health cover loading or apply the Australian Federal Government Rebate on private health insurance.
4.5 Use of personal information
The personal information HIF collects may be used to:
- process health insurance policy applications and manage health insurance policies on an ongoing basis;
- identify individuals and manage requests for information about a product or service;
- process and audit payments and claims;
- pay benefits on claims;
- perform business related activities and functions such as management and development of products, services and business processes and systems;
- contact members about other insurance products (including health insurance);
- conduct marketing and social media activities, including competitions and promotions (when a member has opted in for such an activity);
- train and coach employees and representatives, unless otherwise advised not to;
- assist with legal, clinical or commercial complaints or issues;
- investigate and manage potentially fraudulent activities; and
- comply with legal obligations.
Members are able to nominate a preferred method of communication when engaging with HIF. Nominating communication preferences can be facilitated via the OMC or phone or email.
4.6 Using personal information for direct marketing purposes
HIF collects and uses personal information for direct marketing purposes in order to promote and offer insurance products and services, including any competitions and promotions. In relation to competitions and promotions, HIF may contact members by mail, email, SMS, via the HIF App, or through targeted marketing on social media platforms.
Members are able to discontinue, or opt out of, receiving any marketing or promotional material they may not wish to receive.
Members will receive service-related communications despite having opted out of direct marketing activities. Service-related communications are essential communications in relation to HIF’s products and services and include important information, including detrimental changes to products and services, premium change letters and policy details. Members cannot opt out of service-related communications as this is essential for HIF to fulfil legal obligations.
4.7 Disclosing personal information in Australia
To provide products and services and to maintain relationships with members, HIF may disclose personal information to persons or organisations, including:
- persons covered by a policy, in the course of administering the policy and paying benefits;
- a nominated agent, adviser, broker, representative or other persons authorised by, or responsible for, the member;
- to others, including HIF agents, consultants, contractors and service providers, and those that act as data processors and auditors;
- health service providers;
- facilitators of HIF arrangements with providers;
- government agencies;
- payment system operators and financial institutions;
- service providers engaged by HIF, or acting on our behalf, to deliver services and technologies relevant to the delivery of member services;
- third party insurers HIF is authorised to represent if a member purchases other insurance products from HIF;
- third party operators of websites, social networking and messaging applications to facilitate online advertising, surveys and analytics;
- an employer, if a member is covered under a corporate agreement, in order to administer related discounts, payment arrangements and any other benefits available under that agreement;
- to others, including health funds, service providers, other related third parties who assist in the detection and investigation of fraud;
- regulatory bodies and government agencies; and
- other parties HIF is authorised, or required by law, to disclose information to.
4.8 Disclosing personal information overseas
HIF may transfer personal information to an overseas recipient, expressly nominated by a member, for the purposes of providing a transfer certificate or claims history. In such instances, HIF may not be able to ensure adequate protection of information in relation to such overseas recipients.
HIF may use service providers who either host or store personal information overseas, which means that personal information may be transferred between countries to those service providers, for the purposes outlined in the Policy. Under these circumstances, HIF will take reasonable steps to ensure that the service provider does not breach the APPs in relation to the personal information being transferred.
4.9 Family and couples’ policies
For family and couples’ health insurance policies, HIF will collect information about dependants (partner and children) from the member who sets up the policy (also known as the primary member). If a primary member provides HIF with information about a partner or a dependant who is 16 years of age or over, the primary member acknowledges that they are creating, or have created, the health insurance policy on behalf of the co-insureds and agrees:
- the primary member has authority to agree to the relevant terms;
- the primary member has made relevant dependants aware of the information set out in the Policy and informed the dependants of how they can obtain access to the Policy; and
- the primary member has consent to provide personal information to HIF, for HIF to use that personal information for the purposes set out in the Policy, and as otherwise permitted by Australian law.
If the primary member lodges a claim on behalf of a dependant, HIF will act in reliance on the above warranties given by the primary member, and accordingly assume consent has been provided to the primary member to share information necessary for HIF to process the claim.
All claims payments and general policy information will be sent to the primary member.
If the primary member and their partner become divorced or separated, HIF strongly recommends the members take out separate policies to protect private information, as it might not be practicable for HIF to keep personal information separate. If the primary member and the dependant decide to stay on a couples or family policy post-divorce or separation, the members acknowledge that personal information may be disclosed to their ex-partner in the course of the maintenance and administration of the health insurance policy.
4.10 Quality and security of personal information
HIF takes reasonable steps to ensure that personal information collected, used or disclosed is accurate, up to date, complete and relevant.
HIF also takes reasonable steps to protect personal information from misuse, interference and loss, unauthorised access, modification or disclosure, and to destroy or de-identify personal information that is no longer needed, or that is no longer required to be retained by or under an Australian law, or a court / tribunal order.
HIF will only hold personal information for the length of its relationship with members, or as otherwise required for business or regulatory alignment.
4.11 Access to personal information
HIF will, upon request by a member, give the member access to their personal information within a reasonable period after the request is made, and in the manner requested by the member, if it is reasonable and practicable to do so.
If a member contacts HIF for such a request, verification and identify checks will be completed prior to granting access to personal information.
Under certain circumstances, and in accordance with the Privacy Act, HIF is not required to give a member access to personal information to the extent that:
- providing access would pose a serious threat to the life, health or safety of other individuals; or
- providing access would have an unreasonable impact on the privacy of another individual; or
- the request for access is frivolous or vexatious; or
- the information relates to existing or anticipated legal proceedings, and would not be accessible by the process of discovery in those proceedings; or
- providing access would reveal the intentions of HIF in relation to negotiations with the individual in such a way as to prejudice those negotiations; or
- providing access would be unlawful; or
- denying access is required or authorised by or under an Australian law or a court / tribunal order; or
- HIF has reason to suspect that unlawful activity, or misconduct of a serious nature, has been, is being or may be engaged in, and giving access would be likely to prejudice the taking of appropriate action in relation to the matter; or
- providing access would be likely to prejudice one or more enforcement related activities conducted by, or on behalf of, an enforcement body; or
- providing access would reveal evaluative information in connection with a commercially sensitive decision making process.
If HIF refuses to provide a member with access to their personal information, or cannot provide access in the manner requested, the reasons for the refusal will be provided to the member in writing, except to the extent that it would be unreasonable to do so.
4.12 Correction of personal information
HIF will take reasonable steps to ensure that the personal information it holds about its members is accurate, up to date, complete, relevant and not misleading, if:
- HIF is satisfied that the personal information it holds is inaccurate, out of date, incomplete, irrelevant or misleading; or
- A member requests HIF to correct their personal information.
Upon request by a member to correct their personal information, HIF will respond to the request within a reasonable period after the request is made.
If HIF corrects the personal information about a member that it previously disclosed to another organisation governed by the Privacy Act and that member requests HIF to notify the said organisation of the correction, HIF will take reasonable steps to give that notification unless it is impracticable or unlawful to do so.
If HIF refuses to correct personal information as requested by a member, the reasons for the refusal will be provided to the member in writing, except to the extent that it would be unreasonable to do so.
4.13 Contacting HIF to enquire or complain about privacy related matters
If a member has concerns or queries about the manner in which personal information has been handled by HIF, or wishes to make a formal complaint, such concerns, queries or complaints must be provided in writing to the HIF Privacy Officer, as per the details below:
The Privacy Officer
GPO Box X2221
PERTH WA 6847
Website: https://www.hif.com.au/legal stuff
If HIF does not respond within a reasonable time, or if the complaint is not resolved to the member’s satisfaction, members are entitled to make a complaint to the Office of the Australian Information Commissioner. Please visit their website for more details on how to contact them, or make a complaint at https://www.oaic.gov.au/about-us/contact-us/.
HIF & data breaches: all you need to know.
Maintaining the privacy of health information has always been central to the relationship of trust and confidence between HIF and our Members.
In addition, there can be significant penalties for a breach, as well as the possibility of negative publicity and damage to a Member’s reputation. Even a single breach of Member privacy has the potential to cause serious harm and may be notifiable.
We have put in place stringent controls to protect Members’ personal data, including an action plan in the unlikely event that a Member's details had accidentally been disclosed to an unauthorised person.
We would have to respond if, for example, we discovered Member details had accidentally been disclosed; your medical history had been sent to the wrong person; or a staff member had inappropriately accessed Member records.