Privacy Policy

Privacy is very important for CBHS Corporate Health. See below to find out your privacy rights and how CBHS Corporate Health ensures compliance with its privacy obligations.

 

 

1 Scope

CBHS Corporate Health Pty Ltd ABN 85 609 980 896 (CBHS Corporate) is an open-access private health insurer and provides insurance policies or products to persons who are eligible for these policies or products.

This document is CBHS Corporate’s privacy policy. It provides information on how CBHS Corporate Collects Personal Information that is necessary for its functions and activities.  It is based on relevant requirements in:

a)              CBHS Corporate’s “Customer First” values;

b)             The Australian federal government’s Privacy Act 1988 (Privacy Act) and the Australian Privacy Principles implemented by the Privacy Act;

c)              The privacy legislation of Australian States and Territories; and

d)             The European Union’s General Data Protection Regulation (GDPR).

The relevant requirements in the GDRP apply to personal data We Collect from or about a Person who is resident in a EU Country at or during the time the personal data is Collected or processed. The terms “Personal Information”, “Collect”, “Person” and “EU Country” are defined in section 2 (Definitions) below.

The Policy is set out under the following headings:

1              Scope

2              Definitions

3              Individuals whose information we collect

4              Types of information we collect

5              Purposes for which we collect information

6              When and how we collect information

7              Dealing with us anonymously or using a pseudonym

8              Who we disclose information to

9              Before we disclose information overseas

10           Direct marketing

11           Information we collect when you use our website

12           How we hold and protect information

13           Accessing and requesting correction of your information

14           Complaints about your privacy

15           Contacting us about this policy

16           Changing and notifying changes to this policy

17           Your consent

2 Definitions

In this document:

Collect includes use, disclose, hold and “Processing” of “Personal Information”. “Collects”, “collecting”, “collected” or “collection” has a corresponding meaning.

Correct includes “rectification” of personal data in Article 16 of the GDPR. “Correction” or “corrected” has a corresponding meaning.

De-identify includes “pseudonymisation” in Article 4 of the GDPR.

“Destroy” includes “erasure” under Article 17 of the GDPR. “Destroyed” or “destruction” has a corresponding meaning.

EU Country means a current Member State of the European Union.

GDPR means General Data Protection Regulation (Regulation (EU) 2016/679) of the European Parliament and of the Council.

Information means “Personal Information” as defined below, unless the context indicates otherwise.

Insurance Policy means private health insurance policy, Overseas Visitor Health Cover or Overseas Student Health Cover taken with CBHS Corporate. “Insurance policies” has a corresponding meaning.

Person means a natural person. Person includes “data subject” in Article 4 of the GDPR. “Persons” has a corresponding meaning.

 Personal Information means information or a statement or opinion about an identified Person or from which a Person is reasonably identifiable.  Personal Information includes Sensitive Information (defined below) and “personal data” in Article 4 of the GDPR.

Policy means this document, unless the context indicates otherwise.

Processing has the meaning given in Article 4 of the GDPR, unless the context indicates otherwise.

Sensitive Information means Personal Information that is health, wellbeing, biometric, genetic, sexual orientation or practices information or biometric templates. Sensitive Information includes similar information mentioned in Article 9 of the GDPR.

Supervisory Authority means an independent public authority in a EU Country established under Article 51 of the GDPR.

You or Your means a Person whose Information We Collect.

We, Us or Our means CBHS Corporate.

3 Individuals whose information we collect

CBHS Corporate Collects Information of the following types of persons:

  • Members of CBHS Corporate (current, prospective and former members) and their family members insured under the same Insurance Policy.
  • Applicants for employment or business opportunity with CBHS Corporate.
  • Referees who are persons notified to CBHS Corporate by applicants for employment or a business opportunity with CBHS Corporate.
  • Contractors of, or service providers to, CBHS Corporate who are persons.
  • Health care professionals or health care service providers who are persons.
  • Visitors to CBHS Corporate’ premises.
  • Directors or officers of contractors of, or service providers to, CBHS Corporate.

4 Types of information we collect

Depending upon Your needs or circumstances or the relationship You have with Us, We will Collect the following types of Information:

4.1 General

  • Personal details such as name, address, other contact Information, date of birth, gender, marital status, photograph and signature.
  • Information necessary to manage payment of Your insurance premiums or contributions and to pay claims and other moneys due to You.
  • Medicare number.
  • Household or family income information (to assess eligibility for government rebates and incentives for private health insurance).
  • Information to assess eligibility for benefits from the Department of Veterans Affairs
  • Sensitive Information.
  • Passport Number (if you apply for Overseas Visitor Health Cover or Overseas Student Health Cover).
  • Previous health fund/s membership and cover information.
  • Educational and technical qualifications, work history and professional associations or relationships (applicants for employment or business opportunities only).

4.2 Sensitive information

CBHS Corporate Collects Sensitive Information (as defined in section 2 (Definitions) above in various circumstances including when You:

  • Apply for some types of insurance policies.
  • Access treatments or health services covered by Your Insurance Policy.
  • Make a claim for treatments or services covered by Your Insurance Policy.
  • Join a specialised health program (see section 5.3 (Specialised health and wellbeing programs) below).

Whenever practicable, We will require Your express consent for Your Sensitive Information to be Collected in accordance with the requirements of this Policy.

4.3 Visitors to our website

CBHS Corporate Collects Information that is not Personal Information of visitors to Our website; see, section 11 (Information We Collect when You use the CBHS Corporate website) below. Such Information is Collected regardless of whether You complete a form from Our website. 

5 Purposes for which we collect information

5.1 Products and services

CBHS Corporate Collects Information for the purposes of providing, administering and marketing its products and services. These purposes include: 

  • Determining Your eligibility for membership with CBHS Corporate.
  • Matching products and services to Your individual needs and circumstances.
  • Processing or managing Insurance Policy contributions and premiums.
  • Assessing and communicating to You the coverage and benefits of the products and services provided to You.
  • Communicating with You from time to time.
  • Communicating with hospitals and other health care service providers about Your cover and benefits.
  • Verifying Your identity from time to time.
  • Administering and processing health insurance claims and payments.
  • Managing, evaluating, developing and improving CBHS Corporate's products or services.
  • Conducting quality assurance activities.
  • Enrolling You in specialised health and wellbeing programs (see section 5.3 below).
  • Conducting member surveys, research, analysis and providing online member services.
  • Resolving any legal and/or commercial complaints or issues.
  • Undertaking direct marketing activities and related communications with You.

5.2 Compliance with laws

CBHS Corporate also Collects Information to meet its compliance and reporting obligations in various laws. The key ones are the:

  • Corporations Act.
  • Private Health Insurance Act.
  • Private Health Insurance (Risk Equalisation Policy) Rules.
  • Private Health Insurance (Risk Equalisation Administration) Rules.
  • Private Health Insurance (Data Provision) Rules.
  • Private Health Insurance (Incentives) Rules.
  • Private Health Insurance (Lifetime Health Cover) Rules.

5.3 Specialised health and wellbeing programs

CBHS Corporate develops specialised health and wellbeing programs and initiatives to assist members with day to day health and wellbeing issues such as diet and exercise as well as chronic disease management. 

We Collect Sensitive Information, as defined in Section 2 (Definitions) above, to identify and communicate with members who can be enrolled in these programs. Participation in the programs is not mandatory. You may choose to or not to participate in them. If You join a program, You can withdraw from it at any time.

5.4 Consequences if information we ask for is not provided

CBHS Corporate has assessed Information it will Collect as reasonably necessary for the purposes set out above. Your needs or circumstances determine the set of Information CBHS Corporate will Collect from or about You.

We cannot compel You to provide any Information We ask for. However, in most cases, We will be unable to provide or continue to provide You with Our products or services if You fail or refuse to provide Information We ask for. 

6 When and how we collect information

CBHS Corporate Collects Information in the following ways and circumstances.

6.1 Collecting information directly from you

Where practicable, We will Collect Information directly from You, including when You: 

  • Visit CBHS Corporate office or place of business.
  • Contact Us by telephone, email or regular mail.
  • Complete a CBHS Corporate-issued paper form.
  • Complete a form on the CBHS Corporate website.
  • Interact with Us via a mobile app.
  • Visit any of our health hubs and provide Information.
  • Complete a government-issued form We have made available to You.
  • Apply to Us for employment or business opportunity.
  • Enter a contract for services with Us or are an officer, employee or agent of a business or organisation which has entered a contract for services with Us.

6.2 Collecting information from someone else

Sometimes We Collect Information from another Person or organisation including in the following circumstances.

  • Policies insuring more than one Person - We may Collect Your Information from the main member or from a Person authorised to provide the Information on Your behalf. Any main member or prospective member who provides Information about another Person covered by the same policy is deemed to have obtained the other persons’ consent to do so.
  • Health services You received or when You make a claim – We may Collect Information about those services directly from the health service provider (e.g. a hospital, medical or allied health provider);
  • Health and wellbeing partners – We may Collect Your Information from a Person or organisation We have engaged to provide a specialised health and wellbeing or chronic disease management program (see section 5.3, above) to Our members.
  • Relevant government departments – We may Collect Your Information from government departments We deal with including the Department of Health, the Department of Home Affairs, the Private Health Insurance Ombudsman and the Office of the Australian Information Commissioner.
  • Other private health insurers – We may Collect Your Information from Your previous private health insurer (for example, Information on Your transfer certificate);
  • Basic contact Information from referrers – We may obtain this Information from Our business associates, business partners or existing members to inform You about Our products or services, if We consider You may be eligible to join CBHS Corporate, or to inform You about an employment or business opportunity with Us.
  • Referees of job or business opportunity applicants – We may Collect Your Information from recruitment agencies or referees You have notified to Us. In any such case, both the applicant and the referee are deemed to have given their consent for their Information to be Collected for the purposes of the employment or business opportunity application.
  • Publicly available Information – We may Collect Your Information from publicly available sources including from public registers, telephone or business directories, social media platforms and the internet.
  • Call centres - We may collect Your Information from call centres acting on Our behalf.

7 Dealing with us anonymously or using a pseudonym

When You are dealing with Us, and it is lawful and practicable to do so, You can remain anonymous (that is, without providing Information that identifies You), or use a pseudonym (that is, use a name, term or descriptor that is different to Your actual name).

Examples of when You can remain anonymous or use a pseudonym are when You:

  • Are making general enquiries only about Us or about Our products or services.
  • Are participating in a product or service survey or research We are doing.
  • Wish to make a report of wrongdoing on the part of any of Our officers or employees, unless Your identity is required to investigate the wrongdoing properly.
  • Consider identifying Yourself may pose a serious risk of harm to You or some other Person.

However, there are many circumstances in which it will not be lawful or practicable for You to remain anonymous or use a pseudonym. Examples of such circumstances are when You wish to:

  • Join CBHS Corporate or take an Insurance Policy.
  • Claim a government rebate or incentive through CBHS Corporate.
  • Join any of Our specialised health and wellbeing program.
  • Make a complaint under Our internal complaints handling procedure.
  • Access and/or request correction or update of Information We hold about You or any Person on the same Insurance Policy.
  • Lodge a claim under Your Insurance Policy.

If You wish to remain anonymous or use a pseudonym when dealing with Us, tell Us at the time and We can confirm with You whether You can do so in the circumstances.

8 Who we disclose information to

The types of Persons or organisations CBHS Corporate usually discloses Information to are:

  • Hospitals or health care service providers from whom You have received, or from whom You intend to seek, treatments.
  • Providers of specialised health and wellbeing and chronic disease management programs; see section 5.3 (Specialised health and wellbeing programs) above.
  • Persons or organisations who provide contracted mail, mailing or messaging services on CBHS Corporate’s behalf.
  • Australian government departments or agencies (such as the Australian Taxation Office, Medicare Australia, the Australian Prudential Regulation Authority, the Australian Securities and Investments Commission, the Private Health Insurance Ombudsman, the Department of Health and the Department of Home Affairs.
  • Other private health insurers, when You transfer to or from another private health insurer;
  • Organisations providing marketing services on Our behalf;
  • Third-party advisers (such as auditors, actuaries, consultants and legal advisers);
  • Social media platforms including Facebook and Google to communicate with You on Our behalf about Our products and services.; and
  • The Australian Health Service Alliance (AHSA) who assists Us to assess and pay claims for members’ who have received treatments and services in hospitals and other health care facilities and to meet Our statutory reporting obligations.
  • Organisations providing call centre services on Our behalf.

AHSA’s privacy policy and contact details can be accessed from the following link

https://www.ahsa.com.au/web/ahsa/privacy_policy

You can make a complaint to the AHSA if You consider they have breached Your privacy. Also, You can ask them for access to the Information they hold about You or request the Information to be corrected.

9 Before we disclose information overseas

If business needs require Us to disclose Your Information to an overseas recipient, We will take all reasonable steps to ensure the overseas recipient will not breach the Australian Privacy Principles or the Privacy Act in relation to the Information.

Other circumstances in which We will disclose Your Information to an overseas recipient are:

a)              If the disclosure is authorised under an Australian law or by court order; or

b)             If You request Us to disclose Your Information to an overseas recipient.

9.1 Managing requests for overseas disclosure

If You request Us to disclose Your Information to an overseas recipient, We will provide You a clear statement explaining the potential consequences of disclosing the Information to the overseas recipient.

10 Direct marketing

We or organisations acting on Our behalf may contact Our members individually or directly about Our products and services. We call this “direct marketing”. Direct marketing may be via regular mail, email, telephone, SMS or social media.

10.1 Request not to be sent direct marketing

You may request Us at any time not to send You direct marketing communication by:

a)              Logging into Your Member Centre account (if one is set up for You) and changing Your preferences;

b)             Sending an email to Us at help@cbhscorp.com.au; or

c)              Calling Us on 1300 586 462 (Monday to Friday 7am-7pm AEDT).

Also, You can use any of the above means to request Us to only send direct marketing communication to You via Your preferred channel of communication, such as, regular mail, email, telephone or SMS.

We include in all direct marketing, Information on how You can opt out of being sent such communication in the future.

Requests You make under this section will be actioned as soon as reasonably practicable.

Please note that You cannot opt out of receiving information or notices We are required by law to send to You.

11 Information we collect when you use our website

Our website uses “cookies”. A “cookie” is a packet of information that allows the website server to identify and interact more effectively with Your computer. 

When You use the website, We send a cookie that gives each computer a unique identification number. Cookies do not identify individuals, although they do enable Us to identify Your browser type and internet service provider. Your browser may be configured to accept all cookies, reject all cookies or notify the user when a cookie is sent. If You reject all cookies, You may not be able to use Our website or the Member Service Centre. 

We use third-party service providers such as Google to undertake demographic analysis of visitors to Our website (“Google Analytics”). We Collect and use information from cookies and Google Analytics to:

  • Better understand how visitors use Our website.
  • Link with social networks.
  • Communicate relevant advertisements that may be of interest.
  • Measure the time spent on the website.
  • Determine the effectiveness of the navigation options.
  • Record information provided during the visit to streamline subsequent visits.

By using Our website, You consent to the Collection information about the use of Your computer by Google in the manner described in Google's Privacy Policy and for the purposes set out above. You can opt out of Google Analytics if You disable or refuse the cookie, disable JavaScript, or use the opt-out service provided by Google

Also, Our website uses interfaces with social media sites such as Facebook. If You choose to "like" or “share" information from Our website through such sites, You should read the privacy policy of the social media site.  The interfaces Our website uses may allow the social media site to connect Your visits to Our website with the information the social media site holds about You.

12 How we hold and protect information

We primarily store Information on Our premises in electronic form in Our information technology systems.

To meet legislative, regulatory and business continuity requirements, We store copies of some documents containing Information in a remote, secure location in Australia.

If We convert paper-based documents to electronic form, We Destroy the originals securely. Paper-based documents We hold on temporary basis are held securely at Our premises or by third-party document management or mail processing service providers in Australia. 

We maintain physical and operational security over Our paper and electronic data stores. We also maintain computer and network security for Our information technology systems. For example, We use firewalls and other security systems, such as user identifiers and passwords, to control access to Our information technology systems. 

12.1 Information we no longer need

If We no longer need Information, and We are not required by law to retain it, We will take reasonable and practical steps to destroy or De-identify the Information securely in accordance with Our document retention policy.

The criteria We use to determine the period for which We keep Information include:

  • The period We are required by law, a Regulator or court order to keep the Information.
  • The period We consider is necessary to keep the Information to resolve a complaint in relation to the Information.
  • The period We consider is necessary to keep the Information to defend or take legal action in relation to the Information.
  • The period We take to come to a reasonable conclusion that the Person whose Information We have Collected does not wish to take a product or service with Us or does not wish to pursue an application for employment or business opportunity with Us.

12.2 Dealing with unsolicited information

If We receive Information We did not ask for or do not require, We will attempt to return it to the sender if it is contained in a document. If We cannot return the document to the sender, or the Information is contained in a voice recording, We will Destroy it securely as soon as practicable.

13 Accessing and requesting correction of your information

13.1 Reasons for seeking access

You can request access to Your Information at any time by using the contact details set out in section 15 (Contacting us about this Policy). Your reason for seeking access could be simply to know what information We hold about You, to request a copy of Your Information, to request correction of the Information or to exercise any right You have under the GDPR including the rights to request correction, destruction or restriction of Processing of the Information.

13.2 Managing request for access

When You request access to Your Information, We will first identify You to ensure You are the right Person to be given access to the Information.

Requests for access are actioned as soon as practicable, and in any case within 30 days of receiving the request.

If We refuse to give access to Information, We will give You a written notice setting out Our reasons, Your right to make a complaint about Our refusal and any matter required by law.

13.3 Fee for providing access

While requests for access to Information are free of charge, administrative fees may be charged for retrieving some types of Information and providing it in the form You have requested. If the circumstances apply in Your case, We will inform You and request payment of the fee before giving You access to the Information.

13.4 Requests for correction of information

If You believe Your Information is inaccurate, out-of-date, incomplete, irrelevant or misleading, You can request Us to Correct it at any time by using the contact details set out in section 15 (Contacting Us about this Policy) below.

13.5 Responding to requests for correction of information

We will respond to the request as soon as practicable, in any case within 30 days of Us receiving the request.

If We refuse to Correct Your Information, We will give You a written notice setting out Our reasons, Your right to make a complaint about Our refusal and any matter required by law.

13.6 Associating a statement

If We refuse to Correct Your Information, You can ask Us to associate a statement with the Information that You believe the Information is inaccurate, out-of-date, incomplete, irrelevant or misleading. We will respond to the request as soon as practicable, in any case within 30 days of Us receiving the request.

13.7 Notifying others about corrected information

You may ask as to notify another Person We previously disclosed Your Information to that We have corrected it. We will action Your request as soon as reasonably practicable.

If the Information is regulated under the GDPR, We will notify any such Person as soon as practicable unless this proves impossible or involves disproportionate effort.

14 Complaints about your privacy

CBHS Corporate has a Complaint Handling and Dispute Resolution Policy for member complaints including privacy complaints. A copy of this policy is available at: https://www.cbhscorporatehealth.com.au/about-us/corporate/disputes-complaints

You may make a complaint about a breach of Your privacy by contacting Our Privacy Officer whose contact details are set out in section 15.3 (Privacy Officer’s contact details) below. The complaint should first be made in writing.

Our Privacy Officer will first determine if, on the information available whether We have breached Your privacy, and if so, take steps to resolve the complaint within 3 days of receiving the complaint.

If Your complaint requires more detailed consideration or investigation, the Privacy Officer may ask You to provide further information and consider it together with other information obtained from relevant employees. In such a case, the Privacy Officer will endeavour to respond to the complaint as soon as reasonably practicable and, in any case, within 30 days.

If You are not satisfied with Our response to Your complaint, You may take the complaint to either the Private Health Insurance Ombudsman (“PHIO”) or to the Office of the Australian Information Commissioner (“OAIC”) whose contact details are below.

14.1 PHIO’s contact details:

Telephone: 1300 362 072 (option 4 for private health insurance)

Online complaint form:  

https://forms.business.gov.au/smartforms/servlet/SmartForm.html?formCode=oco-complaint-form

Email: phio.info@ombudsman.gov.au
Address:
The Private Health Insurance Ombudsman

Office of the Commonwealth Ombudsman

GPO Box 442

Canberra ACT 2601

Fax: (02) 6276 0123 

Website: www.ombudsman.gov.au

Additional information:

http://www.ombudsman.gov.au/making-a-complaint/complaints-overview

14.2 OAIC contact details

Email: enquiries@oaic.gov.au
Address:       
The Office of the Australian Information Commissioner

GPO Box 5218

Sydney NSW 2001 

Additional information

 http://www.oaic.gov.au/privacy/making-a-privacy-complaint

14.3 Information regulated by GDRP

If Your complaint is based on Information regulated by the GDRP (see section 1 (Scope) above), You may make a complaint directly to the Supervisory Authority in the relevant EU Country or make the complaint to Our Privacy Officer whose contact details are set out in section 15.3 (Privacy Officer’s contact details).

15 Contacting us about this policy

You may contact CBHS Corporate for any reason including:

  • Obtain a copy of this Policy or seek further Information about the Policy.
  • Request access to Your Information.
  • Request correction, destruction or de-identification of Your Information.
  • Request Us to associate a statement with Your Information if We refuse to Correct the Information.
  • Request Us to inform a Person We previously disclosed Your Information that We have corrected the Information;
  • Request Us not to send You direct marketing material in the future or change Your preferred means of being sent such material including, by regular mail, email or SMS.
  • Make a complaint about a breach of Your privacy or how this Policy was applied to You.
  • Withdraw Your consent to Collecting Your Information generally or in any respect.
  • Exercise any right You have under the GDPR.

15.1 Privacy Officer’s contact details

Email: privacy@cbhscorp.com.au

Address:            
Privacy Officer

CBHS Corporate Health Pty Ltd

Locked Bag 5098

Parramatta NSW 2124

15.2 Other contact details

Telephone: 1300 586 462

Fax: (02) 8604 3576

General enquiries Emailhelp@cbhscorp.com.au

Complaints Email -  complaints@cbhscorp.com.au

16 Changing and notifying changes to this policy

CBHS Corporate may review this Policy at any time and publish a revised version on its website at: https://www.cbhscorporatehealth.com.au/policies/privacy-policy.

You can request a copy of the Policy free of charge from Us; see section 15 above (Contacting us about this policy).  If it is practicable to do so, We will provide the copy in the form You have requested.

17 Your consent

Whenever practicable, CBHS Corporate will obtain Your express consent for Your Information to be collected in accordance with the requirements of this Policy.

You may withdraw Your consent at any time after giving it. You may withdraw Your consent to the collection of Your Information generally or to the Processing of the Information in any respect.

However, note that in some cases, We may not be able to provide You or continue to provide You with Our products or services after You have withdrawn Your consent.

If We refuse to allow You to withdraw Your consent in accordance with this section, We will give you Our reasons in writing and include information on Your right to make a complaint about Our refusal and any matter the law requires Us to inform You about.

 

Public document - Last updated June 2018