MRE is committed to treating the personal information we collect in accordance with the Australian Privacy Principles (“APPs”) in the Privacy Act 1988 (Cth) (Privacy Act).
Personal information we collect
For the purpose of this Policy, “personal information” is information or opinion that identifies an individual or information or an opinion which could reasonably identify an individual, regardless of whether the information or opinion is in a material form or not.
MRE may collect a range of personal information, including the individual’s name, address, telephone number, email address, age and date of birth.
MRE may also collect sensitive information about an individual. However, MRE only collects that information with the consent of the individual, in accordance with the Privacy Act. For the purpose of this Policy, “sensitive information” includes information or an opinion about an individual’s health, such as information or an opinion about:
- an individual’s illness, disability or injury;
- an individual’s expressed wishes about the future provision of health services to the individual; or
- a health service provided to, or about to be provided to, the individual, that is also personal information.
How we collect personal information
MRE generally collects personal information about an individual directly from that individual, unless it is unreasonable or impracticable to do so. Generally, MRE collects information only when it specifically requests that information.
Notwithstanding the foregoing, MRE collects personal information from applicant/claimants Drs, health professionals or from a relevant third party (government agency). This is done in a number of ways, including by email, fax with communication also carried out by phone.
MRE will not collect health information without the express consent (written or digitally provided) of the applicant/claimant provided to us by or on behalf of the applicant/claimant. For example, the consent of the individual may be provided to MRE by the insurer on behalf of the individual.
MRE may also collect personal information (including sensitive information) about an individual from a variety of sources using a variety of means, including:
- information disclosed to MRE by the insurance company of an applicant for insurance or by the insurance company of a claimant under an insurance policy;
- a form (either physical or online), declaration, consent form or other document that is used in a contract or transaction in which MRE is involved that concerns or is the benefit for the individual;
- a telephone, email or in-person inquiry or discussion about MRE and/or the services that MRE provides;
- mail correspondence, email or communication to MRE by other means (including by accessing MRE’s website and the use of the “contact us” facility on MRE’s website);
- through posts submitted to social media channels MRE offers or monitors;
- from publicly available sources of information;
- from job applicants and staff members;
- direct contact in the course of MRE providing its products and services (including the administration of accounts established with MRE); and
- from current and prospective suppliers of goods and/or services to MRE.
While MRE generally only collects personal information when it specifically requests that information, from time to time, MRE may receive personal information about an individual on an unsolicited basis. In accordance with its statutory obligations, MRE will determine whether or not MRE could have collected that information lawfully. If MRE determines that it could not have collected the information lawfully, then MRE will promptly destroy or de-identify such information.
In accordance with the APPs, individuals do not need to provide MRE with their personal information and they may interact with MRE on an anonymous or pseudonymous basis. However, where it is impracticable for MRE to deal with individuals who have not identified themselves or who have used a pseudonym, then individuals do not have the option of not identifying themselves or of using a pseudonym when dealing with MRE.
Further, MRE reserves the right to verify an individual’s identity as part of its response to a request to access and/or correct personal information held about an individual, or as part of its complaints-handling process. If MRE is unable to verify an individual’s identity, or the individual continues to engage with MRE in an anonymous or pseudonymous manner, MRE may be unable to satisfy the individual’s request or to complete its complaints-handling process.
Use of personal information
As a general principle, and in accordance with its statutory obligations, MRE only uses or discloses personal information for the primary purpose for which the information was collected or a secondary purpose that is related to the primary purpose for which you would expect MRE to use or disclose the collected information, or as otherwise required or permitted by law (including the APPs).
In the case of sensitive information, MRE only uses or discloses the sensitive information it collects for the primary purpose for which the information was collected or a secondary purpose that is directly related to the primary purpose for which you would expect MRE to use or disclose the collected information, or as otherwise permitted by law (including the APPs).
MRE collects personal information for the purposes of:
- Facilitating an applicants insurance application
- Facilitating a claimants insurance claim
- Processing transactions and administering customer accounts;
- Completing its obligations owed under an agreement with a health insurer;
- Carrying on business as a service provider focusing on the exchange of medical records from health practitioners to health insurers;
- Addressing queries and resolving complaints; and
- Improving MRE’s services.
MRE will not use your personal information for the purpose of marketing its services or for any other company.
Disclosure of personal information
Generally, MRE does not disclose personal information unless it is required to facilitate MRE’s fulfilment of one or more of the purposes for which the information was collected (or any secondary purpose related to the primary purpose for which MRE may be permitted to disclose such information by law).
MRE may disclose personal information to the following:
- health insurers who have requested MRE to obtain information on behalf of the applicant for insurance or the claimant under an insurance policy;
- MRE’s agents and contractors (including, for example but without limitation, its agents and contractors in order to enable them to provide goods or perform services on behalf of MRE, such as sending correspondence and processing payments);
- MRE’s professional advisers; and
- related entities of MRE.
MRE may also disclose personal information about an individual when required by law or court order, or other governmental order or process. MRE may disclose personal information where MRE believes (in good faith) that the law compels MRE to disclose the information or where MRE is required to do so as a result of any obligations owed to an individual under any contract.
Personal information may be disclosed if MRE considers it reasonably necessary to do so in order to identify, contact or bring legal action against any third party whom MRE suspects or knows is causing harm to, or interference with the services MRE performs, its information technology systems and equipment, or MRE’s property.
Personal information about individuals MRE has collected may be disclosed to third parties in the event its business and/or assets are sold or offered for sale, at or before the time of a merger, acquisition or sale.
Where MRE engages third parties to provide products and/or services to us, such third parties may have access to personal information MRE holds about individuals. MRE does not authorise those third parties to use any personal information disclosed to or accessed by the third party for any purpose other than to facilitate the completion of its obligations owed to MRE.
Without limiting the foregoing, MRE may disclose individuals’ personal information to its business partners and advisors (such as auditors, financial services or insurance companies) or to its professional advisers (such as its legal and accounting advisers) for them to complete their obligations owed to MRE under agreements that MRE has entered into for the purpose of undertaking or furthering its business operations and activities.
Transfer of personal information overseas
We may store, process or back-up your personal information on servers (including through third party service providers) Note: data stored on servers including third party servers remains within Australia.
Applicants / claimants personal medical information will not be sent outside of Australia with the sole exception being to facilitate the retrieval of the request from a medical practitioner outside of Australia.
Where it becomes necessary for MRE to disclose personal information to a recipient located outside Australia, MRE will comply with its statutory obligations in relation to such disclosure. In particular, wherever it is reasonably practicable, MRE will first seek the consent of the relevant individual to such cross-border disclosure. Where the individual consents to the disclosure, then MRE will be exempt from the requirements of the Privacy Act in relation to the individual’s personal information that is disclosed to an overseas recipient.
You have the right to inform MRE that you do not wish for MRE to send information to you other than for the primary purpose for which the information was collected. MRE will always attempt to ensure that its disclosure of personal information to other organisations is carried out in a manner which does not personally identify individuals, to the extent that it is practicable and lawful to do so.
Security and retention of personal information
MRE takes the security of all personal information in its possession seriously.
MRE takes reasonable steps to protect any personal information that we hold from misuse, interference and loss. MRE also takes reasonable steps to protect it from unauthorised access, modification and disclosure.
The security measures MRE takes include physical security measures (including security passes to enter our offices and storage of files in lockable cabinets), technology security measures (including restriction of access, firewalls, the use of encryption, passwords and digital certificates) and MRE’s staff, contractors and partners are required to undertake privacy and data protection training, as part of their general obligation to respect the confidentiality and privacy of any personal information (including sensitive information) MRE holds.
MRE regularly reviews and updates its physical and data security measures in light of current technologies.
The personal information you provide to MRE will be retained only for as long as reasonably necessary to fulfil the purposes for which the information was collected, as required by law or in accordance with MRE’s documentation retention policies.
Without limiting the foregoing, MRE will only hold sensitive information (including health information) for the minimum period required by law and by its agreements with various health insurers. As soon as practicable following the completion of MRE’s obligations with respect to the disclosure of the sensitive information to the insurers, MRE will take all reasonable steps to destroy or de-identify such information.
Privacy on our websites
MREs website is a secure encrypted website.
MREs website may contain links to third parties' websites, including sites maintained by other parts of the Medical One Group. Those other websites are not subject to MRE’s privacy policies and procedures. You will need to review those websites directly to view a copy of their privacy policies.
MRE does not endorse, approve or recommend the services or products provided on those third party websites.
Quality of the personal information we hold
MRE takes reasonable steps to ensure that the personal information it collects, uses and discloses is accurate, complete and up-to-date. However, the accuracy of the information MRE holds largely depends on the accuracy of the information supplied to MRE or which MRE collects. If at any time you discover that any information MRE holds about you is inaccurate, out-of-date, incomplete, irrelevant or misleading, please contact MRE to correct the information.
Gaining access to personal information we hold
MRE transfers information to its insurance clients as it is received by MRE on a daily basis. A request to access this information would need to be sent to the relevant insurer directly as MRE does not own or control the information beyond retrieving and sending the information from the Medical Practitioner to the Insurer.
Except for such information transferred to MRE’s insurance clients, the individual is entitled at any time (upon request) to access the personal information MRE holds about that individual.
Where MRE receives a request to access the personal information held about an individual, MRE will respond within a reasonable period of time. Unless it is unlawful or impracticable for MRE to do so, MRE will generally provide access to the requested information in the manner requested.
Please note that MRE is entitled, under the APPs, to charge a reasonable administrative fee to cover its costs incurred in providing access to the personal information held about an individual.
Additionally, MRE reserves the right to request information from the individual making the access request in order to verify the identify of the individual making the request, to ensure that MRE is not inadvertently disclosing personal information to an individual not entitled to access such information.
Further, MRE reserves the right to redact the information made available in response to an access request, to protect the privacy of other individuals.
From time to time, MRE may refuse to provide access to the information held about an individual, in accordance with the APPs and the Privacy Act generally. Where MRE refuses access, MRE will explain the reasons for refusal in writing and provide details in relation to the relevant complaint process.
Lodging a complaint and how to contact us
If you wish to make a complaint to MRE about an alleged interference with the privacy of your personal information, the complaint should be made in writing to MRE and addressed to the attention of its privacy officer (details of whom are set out below).
MRE will promptly acknowledge receipt and will endeavour to deal with it and to provide you with a response within a reasonable period of time following receipt (generally within 30 days of receipt).
Where the complaint requires a more detailed investigation, it may take longer to resolve. If this is the case, then MRE will endeavour to provide you with progress reports.
MRE reserves the right to verify your identity and to seek (where appropriate or reasonable) further information from you about the circumstances of your complaint.
Where required by law, MRE will provide its determination on your complaint to you in writing.
MRE reserves the right to refuse to investigate or to otherwise deal with a complaint if MRE considers the complaint to be vexatious or frivolous.
If you are not satisfied with the outcome of the complaint, then you may write to MRE seeking an internal review of its decision. Such internal review will be completed by an officer not previously involved in the complaint.
If you still remain dissatisfied following the outcome of MRE’s internal review, then you may escalate the complaint to the Office of the Australian Information Commissioner.
Medical Record Exchange (MRE)
GPO Box 2061, Melbourne Vic 3000
Phone: 1300 933 833
Fax: +61 3 9682 8114