This privacy policy explains why we collect your personal information and what we do with it, along with your rights to access and correct your personal information, and make a privacy complaint.
We are bound by laws governing how we collect and use your personal information including the Privacy Act 1988 (Cth) and other State and Territory laws such as the Health Records Act 2001 (Vic), Health Records (Privacy and Access) Act 1997 (ACT), the Health Records and Information Privacy Act 2002 (NSW), and the Health Information Privacy Code 1994 in New Zealand (Privacy Laws).
We aim to be as transparent as possible in this privacy policy about what we do with your personal information. Consequently, we review this privacy policy annually and update it. The most up-to-date version of our privacy policy can always be found on our website medibank.com.au. Where we make a material change to our privacy policy, we will notify you in writing. If you have a health insurance policy with us, after receiving any such formal notification, your next claim under your policy will be deemed to be your acceptance of and consent to any notified material changes.
In this privacy policy you will see the terms ‘personal information’ and ‘sensitive information’ used. These terms have the following definitions:
In this privacy policy, and unless otherwise stated, all references to ‘personal information’ include ‘sensitive information’.
We are Medibank Private Limited ABN 47 080 890 259 (Medibank) and its subsidiaries including:
• Australian Health Management Group Pty Ltd ABN 96 003 683 298 (ahm)
• The MHS Group (MHS), the members of which are listed at the end of this policy
References to ‘us’, ‘we’ or ‘our’ include Medibank, ahm, MHS and, where the context requires, other Medibank subsidiaries (collectively Medibank Group Companies).
This privacy policy applies to:
The types of personal information we may collect depend on our relationship with you, and may include:
You generally have the right not to identify yourself when dealing with us and to use a pseudonym, where it is lawful and practicable for us to allow it. However, in many instances we will need your identity details. For example, we will need your name and date of birth, if you want to have private health insurance coverage with us that receives the applicable government rebate.
If you do not provide or authorise the provision of personal information we request, we may be unable to provide you with some or all of our products and services or the products and services of our partners. If you ask us, we will tell you what personal information we must have in order to provide you with a particular product or service, and what requested personal information is optional for that product or service.
Subject to the applicable Privacy Laws, by becoming or remaining a member of one of our policies or by otherwise providing personal information to us, you confirm that you have consented to us collecting, using and disclosing your personal information, however collected by us, in accordance with this privacy policy (as amended and notified to you from time to time).
We will only collect personal information about you by lawful and fair means.
We may collect personal information from you at various times, including:
We may collect your personal information from you, from another person covered by your policy, from a person authorised to provide us with your personal information on your behalf, or from an agency or organisation on whose behalf we are providing you with services or products (as agent for a principal).
We may also collect information about you from other sources, such as:
We also obtain information from other sources where:
Where we engage with you multiple times over a short period in relation to the same matter, we may not provide you with a separate notice about privacy each time we engage with you.
We aim to store your information securely and have a range of security controls in place (including physical, technical and procedural safeguards) designed to protect your personal information. Our employees and contractors regularly receive targeted privacy training. We take reasonable steps to make sure that the personal information about you – that we collect, use and disclose – is accurate, complete, up to date and relevant.
We seek to keep your personal information for only as long as it is required in order to provide you with products and services or to legitimately comply with our business and legal obligations and requirements. When it is no longer needed for these purposes, we may destroy or permanently de-identify this personal information. Consequently, if you request access to your old personal information, we may not be able to provide you with your records where they have been destroyed or de-identified.
You can ask us for access to the information we hold about you at any time. We will endeavour to respond in a reasonable time, being within 30 days and as soon as is reasonably possible.
We will generally not charge a fee for accessing your personal information. We will only charge a fee to access information in exceptional circumstances, and where your request is particularly onerous. We will let you know in advance of levying any fee to confirm that you still wish to proceed with your request.
When you contact us to seek access to your personal information, we will need to be reasonably satisfied it is you, and not an unauthorised person.
We may require you to substantiate your identity to protect you from fraud and privacy breaches perpetrated by third parties pretending to be you.
We may also use a third party and secure service to confirm your identity (such as two factor authentication), and your IMEI or IP address in some circumstances, to reduce the risk to you of identity theft and reduce fraud risk to us.
We may not always give you access to certain information you have requested, such as where:
• we no longer hold or use the information and have destroyed or de-identified it
• providing access would be unlawful
• we are required or authorised by law to deny access
• providing access would unreasonably impact on the privacy of others
• we cannot be satisfied that you are who you say you are (we cannot adequately identify you).
It would assist us to ensure we properly understand your request, and allow us to respond more promptly, if requests are made in writing and include as much detail as possible.
If you have a private health insurance policy with us, we encourage you to add a unique personal identification number (PIN) to your membership – to give you additional privacy protection.
Please protect your PIN by:
• keeping your PIN confidential,
• not writing it down or keeping a record of it with your membership card or policy documents,
• not choosing an easy to guess PIN (such as your date of birth), and
• not disclosing your PIN to other people covered by your policy or authorised to transact on your policy (as they need to have their own PINs).
If you think that your PIN has been compromised, please let us know and change your PIN as soon as possible.
We may be able to offer additional privacy protections if you are a family violence victim or identity theft victim
If you are a victim of family violence, stalking or identity theft, or believe your identity may have been compromised and/or have personal safety concerns, we encourage you to let us know to discuss further privacy protections that we may be able to provide you.
We collect your personal information to enable Medibank Group Companies and our third party suppliers and partners to provide you with products and services, including insurance, health-related services, partner offerings and information on other products and services (collectively Insurance and Health Products). We may also be required by law to collect some personal information. Where you provide personal information to the Medibank Group Companies as a service provider, contractor or prospective employee, we collect your personal information to enable us to fulfil the purpose and related purposes for which you provided the information.
We may use your personal information for these purposes, including to:
We will use your personal information, including call recordings, for training, coaching and development purposes unless you ask us not to.
Where both possible and, in our view, appropriate, when using your personal information we will seek to de-identify it, so that your identity is not readily ascertainable from the de-identified information or from triangulating your de-identified information with other sources of information.
In pursuing the purposes for which we may collect and use your personal information, we may disclose your personal information to persons or organisations in Australia and overseas including:
Where you have subscribed to one of our health and well-being applications (app) and consented by agreeing to the terms and conditions of the app, then in addition to the general purposes of use and disclosure of your information set out in this privacy policy:
If you link any of our lifestyle apps to your wearable fitness devices:
If we become aware that we have inappropriately used or disclosed your personal information, or that the security of your personal information has been compromised (a data breach), and we are unable to rectify the data breach without any potential adverse effect on your privacy, we may contact you to inform you, and to work with you to minimise or mitigate the consequences of the data breach. Pursuant to the Notifiable Data Breaches scheme (under Part IIIC of the Privacy Act 1988), we may be required to notify you of a data breach as soon as we practicably can if we consider you are reasonably likely to be at risk of serious harm (including financially or to your mental or physical wellbeing). Where reasonably practicable we will give you details of the data breach and, where possible, steps you could take to lower the risk of harm to you. We may make a public notification for a data breach affecting a large number of customers, before we contact you directly or in place of direct contact.
From time to time, we may collect and use your personal information so that we can promote and market Insurance and Health Products to you and keep you informed of special offers from Medibank Group Companies and third parties. We may contact you in relation to these promotions and offers by direct mail, SMS and MMS messages, targeted marketing on social media platforms, in app and push notification, by phone and email.
You can opt out of marketing by contacting us. However, if you opt out of marketing you will still receive service related communications from us. If you opt out of marketing, please be aware that your details may still be shared with our marketing partners and/or mailhouses for the purposes of ensuring that they do not market to you. For example, we may partner with a provider to market our products to their customers using their customer lists, but will provide a list of our ‘opted out’ customers to wash against their customer list securely, so as to ensure that customers who have opted out of our marketing, do not receive marketing. If you have signed up to receive marketing from us or from our marketing partners and/or mailhouses via different email addresses, you may still receive marketing at any email addresses for which you have not opted out, as the above process will only identify where opted out email addresses are identical. Therefore, please tell us all email addresses you wish to opt out of receiving marketing to – in order to stop receiving marketing from us or on our behalf to those email addresses.
If you want to change your communications preferences, please let us know. Please be aware that if you are an ahm customer, we require you to have an email address registered with us for service communications.
To opt out of marketing or change your communications preferences please contact us as set out below. Please note that if you opt out of marketing from Medibank, this will not opt you out of in-app marketing in or related to our lifestyle and wellbeing apps, and vice versa. If you wish to opt out of marketing in our lifestyle and wellbeing apps you will need to do so in the privacy settings of the relevant app (set out below).
To keep you informed more quickly, where you provide us with an email address, we send most service-related communications to you by email. Service-related communications are the essential things you need to know about your cover, like annual tax statements, changes to premiums and account notices. In some circumstances and for some products, including some ahm products, we require an email address to communicate with you as a term and condition of the product. You can otherwise choose how we communicate with you by contacting us as follows:
If you have a couples or family health insurance policy with us, we will collect information about dependants (partner and children) from the policy holder who sets up the policy, with the policy holder’s consent.
If you are a policy holder and provide us with information about your partner or a dependant who is 16 years or over, you need to:
If you are a policy holder and provide us with information about your partner or a dependant who is 16 years or over, by providing that information you acknowledge that you are creating or that you have created the policy on behalf of your co-insureds, and you warrant that:
If a policy holder lodges a claim on your behalf, we act in reliance on the above warranties given by the policy holder, and accordingly assume you have given your consent to the policy holder to provide all the information we need to process your claim.
If you are a policy holder’s partner or dependant 16 years or older, we will not disclose information about your health insurance claims (except claims payments) without your consent unless required by law to do so (such as on a transfer certificate if you move to another health insurer).
All claims payments and general policy information will be sent to the policy holder.
The policy holder can:
The policy holder can authorise their partner or dependant (16 years of age or over), to operate the policy. If the policy holder gives such authority, the authorised person will have the same level of access as the policy holder and so will be able to receive and view all personal information in connection with the policy that the policy holder can see, including in respect of claims made by the policy holder and co-insureds (where that information was available to the policy holder).
However (with the exception of Overseas Visitors Cover products) the authorised person cannot:
The policy holder may grant this authority. The authority will remain in place until the policy holder contacts us to revoke it.
If the policy holder and their partner become divorced or separated, we require that the partner be removed from the policy and take out a separate policy under our fund rules, and to prevent privacy breaches. Please inform us promptly if this occurs so that we can take steps to enforce these processes.
If your child is insured or not-insured under the policy of your ex-partner, we cannot confirm this with you, or provide details about your ex-partner’s policy to you.
You may opt to pay for another person’s policy, but absent them giving you authority, this does not permit us to otherwise disclose information about the policy to you. You can however, contact us to cease your payments, but need to be aware that if you do this, we will contact the policy holder to advise them that their policy will be or is un-financial due to a cancelled payment or failed debit.
This section of our Privacy Policy applies to health-related services provided to our private health insurance members by a member of MHS.
MHS may provide such services to our private health insurance members including telephonic services, chronic disease and health management programs and online health-related services.
In addition to the general purposes of use and disclosure set out in this privacy policy (except where specifically qualified or disclaimed below), MHS may collect and use your personal information to provide these services to you including to:
MHS may collect your personal information from another Medibank Group Company, from you or from a person authorised by or responsible for you.
If you use health-related services, MHS may disclose your personal information to Medibank or ahm in order for us to ensure that you have appropriate cover, are eligible for services and that our records for you are accurate.
In order to perform the above functions, companies in MHS may disclose your personal information to each other and to third parties such as their agents, service providers and professional advisors, health service providers, persons authorised by or responsible for you, and to other parties to whom they are authorised or required by law to disclose information including government agencies, and these parties may collect that information.
Medibank Group Companies may also use and disclose your personal information to each other:
You may withdraw your consent to the sharing of your sensitive information between Medibank Group Companies, or to being contacted in relation to our health-related services by contacting us:
Medibank: Access the Manage My Preferences page within the Medibank Online Member Services facility, call us on 132 331 or visit one of our stores.
Medibank apps: Delete your account within the Health & Wellbeing apps.
MHS: Contact the Privacy Officer at privacy@medibank.com.au
MHS does not share your personal information within the Medibank Group:
Medibank is an Authorised Representative for some general insurance companies. Where you seek a general insurance product from us as an Authorised Representative, we will disclose your application information to the relevant general insurer. However, we will not disclose information about your private health insurance policy (except the fact that you or a co-policy holder are a member of Medibank) and claims history to the general insurer, nor in acting as an Authorised Representative will we refer to your other personal information held by us such as your membership or claims information.
Medibank Private Limited ABN 47 080 890 259 (MPL) is an Authorised Representative, AR 286089, of Travel Insurance Partners Pty Limited ABN 73 144 049 230 AFSL 360138. MPL issues the insurance on behalf of the insurer. The insurer is Zurich Australian Insurance Limited ABN 13 000 296 640 (Zurich). MPL collects your personal information including name, date of birth, payment details and travel details. MPL assesses your application. If your application is approved, MPL provides your personal information to Covermore Insurance Group, a subsidiary of Zurich which is responsible for the administration of your travel insurance policy.
Medibank pet insurance, issued by the insurer The Hollard Insurance Company Pty Ltd ACN 090 584 473 AFSL 241436 (Hollard), is promoted by Medibank Private Limited (ACN 080 890 259 AR 286089) (MPL) and administered by PetSure (Australia) Pty Ltd (ACN 075 949 923 AFSL 420183) (PetSure). MPL acts as an authorised representative of PetSure. MPL collects your personal information including your name, address, date of birth, whether you are an MPL member and your name if you are a co-policy holder. PetSure processes and approves your application for pet insurance. PetSure also administers your pet insurance policy.
Medibank life insurance products are issued by the insurer, Swiss Re Life & Health Australia Limited ABN 74 000 218 306 AFSL 324908 (Swiss Re). Medibank life insurance products are distributed by Greenstone Financial Services Pty Ltd ABN 53 126 692 884 AFSL 343079 (Greenstone) and promoted by its Authorised Representative Medibank Private Limited ABN 47 080 890 259 AR 286089 (MPL). Medibank Private Limited is also authorised by Greenstone to distribute Medibank Starter Life insurance. MPL collects your personal information and refers your personal information to Greenstone to assess your application. MPL retains your personal information for future marketing purposes.
We may need to disclose your personal information to organisations located outside of Australia from time to time in the ordinary course of our business. Most of these overseas organisations are service providers or related entities which provide support and assistance to us in delivering our products and services to you. You consent to the collection, use, storage, and processing of your personal information outside of Australia as set out in this privacy policy.
On occasion, we may also disclose your personal information to overseas organisations where you instruct us or expressly consent to us doing so. In such cases, we may not be able to ensure adequate protection in relation to those organisations’ management of your information.
If you have a corporate health insurance product, there may be occasions where we are instructed by your employer to disclose your information to an overseas organisation in order to administer your policy.
Please see below in this policy a list of countries to which your personal information may be disclosed, although your personal information may be disclosed to other countries outside of that list where our service providers or other relevant third parties, or their (or our) computer systems may be located from time to time.
If you are a member of a religious order and covered by a corporate health insurance policy for your religious order, pursuant to the authority you have provided, we will share your personal information with the person responsible for administering that policy for your religious order, for the purposes of processing your policy application and managing your policy. This includes:
To enable us to provide the best services to you, it is important the information we hold about you is up to date. Please contact us when your details change. If you believe any information we hold about you is inaccurate, incomplete or out of date, please let us know. We will take reasonable steps to amend any personal information about you which is inaccurate or out of date.
You can get in touch with us at Medibank and ahm to request the above any time you wish to do so.
In some circumstances, we may refuse to correct your personal information. Where this happens, we will provide you with reasons for this decision (except to the extent that it would be unreasonable to do so), seek alternatives and take any further legally required steps.
If you have any concerns or queries about the manner in which your personal information has been handled, please contact our Privacy Officer whose contact details are provided below.
If you wish to make a formal complaint, please provide your complaint in writing to our Privacy Officer, and detail information relevant to your complaint. Please note that we will receive and action your request faster if you email it to us using the details below.
Medibank, ahm or MHS: Group Privacy Officer, Medibank Private Limited, post – GPO Box 9999 (Your Capital City) or e-mail – privacy@medibank.com.au
We will consider your complaint promptly and contact you to seek to resolve the matter.
Generally, we will contact you to acknowledge receipt of your complaint and let you know who is managing your query within 5 business days of receiving it. We will attend promptly to your complaint and will aim to respond to your concerns or otherwise keep you informed of our progress within 30 days.
If we have not responded to you within a reasonable time or if your complaint is not resolved to your satisfaction, you are entitled under the Privacy Act to make a complaint to the Office of the Australian Information Commissioner and can find more information on the Commission’s website www.privacy.gov.au.
Listed below are the countries to which we may disclose personal information about you in the course of our functions and activities. This list does not include countries where you may have specifically instructed us to send your information or expressly consented to us sending your information. We may also disclose personal information about you to recipients in other countries from time to time that are not on this list, where our service providers or relevant third parties, or their (or our) computer systems and/or IT services may be located.
This list is updated from time to time. You can visit our website at any time to view the latest version (listed in the most up to date version of this Privacy Policy).
For the purposes of the definition of “MHS Group” used in this Privacy Policy, the members of the MHS Group include: