Privacy Policy

How medicalcentre-au.org/ Handles Personal Information — Privacy Act 1988 (Cth), Australian Privacy Principles

This Privacy Policy explains what personal information we collect, why, how long we keep it, who we share it with, and your rights under the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), the My Health Records Act 2012 (Cth), and the state Health Records Acts. It is written in plain English and is intended to satisfy our transparency obligations under APP 1 (open and transparent management of personal information).

Effective date: 1 January 2026
Last reviewed: April 2026
APP entity: medicalcentre-au.org/ Editorial

⚠ We do not hold any patient health record

medicalcentre-au.org/ is a directory and editorial publisher. We do not hold, process, or store any patient health record. Patient records are held by your GP clinic (or your private provider) and, where you have one, your My Health Record managed by Services Australia. For access to your own Australian health record, use myGov linked to My Health Record, or request access from your practice under APP 12. We do not need, want, or collect your medical history.

1. Scope and APP Entity

This policy applies to medicalcentre-au.org/. The APP entity for the limited personal information we process is medicalcentre-au.org/ Editorial, contactable at info@medicalcentre-au.org.

This policy does not apply to Australian GP clinics, the Department of Health and Aged Care, Services Australia, AHPRA, the Medical Board of Australia, the TGA, ACSQHC, the NHMRC, RACGP, AGPAL, GPA Accreditation Plus, any Primary Health Network, any state or territory health department, the OAIC, or any other third party we link to. Each of those bodies is its own APP entity (where the Privacy Act applies) or operates under specific Commonwealth or state legislation, with its own privacy notice and lawful bases.

2. Information We Collect

| Category | Examples | Source |
|---|---|---|
| Identifiers | IP address, device ID, browser user agent | Automatic when you visit |
| Usage data | Pages viewed, time on page, referrer, internal search queries (non-clinical) | Automatic |
| Contact information | Email address, name (if provided), message content | You — only if you email us |
| Cookies and similar | See Cookie Policy | Automatic; managed via banner and settings |
| Approximate location | City / state inferred from IP | Automatic |

What we do NOT collect — particularly sensitive information

We do not collect your name, Medicare number, Individual Healthcare Identifier (IHI), Department of Veterans’ Affairs number, date of birth, address, telephone, GP details, medical history, symptoms, diagnoses, prescriptions, pathology results, mental health information, sexual health information, or any other category of “sensitive information” as defined in section 6 of the Privacy Act 1988. Health information is sensitive information under section 6FA. We do not collect, hold, use, or disclose sensitive information through normal site operation. If you accidentally include health information in an email to us, we delete it on receipt and ask you to take any clinical question to your GP, healthdirect, or in an emergency 000.

3. Why We Collect It

  • To operate the site — load pages, remember your cookie preferences, protect against form-submission abuse
  • To understand which directory pages are useful — aggregated, anonymised analytics
  • To respond to you — when you email us a correction, accessibility issue, privacy-rights request, or other enquiry
  • To display non-personalised or personalised advertising — depending on your consent
  • To detect and prevent abuse — fraud, scraping, attacks
  • To comply with Australian law — for example, retaining contact records for response to lawful requests from the OAIC, law enforcement, or the courts

4. Australian Privacy Principles Framework

We handle personal information in accordance with the 13 Australian Privacy Principles set out in Schedule 1 to the Privacy Act 1988. The most directly relevant to our operation:

| APP | What it covers |
|---|---|
| APP 1 | Open and transparent management of personal information — this Privacy Policy is one of our APP 1 obligations |
| APP 3 | Collection of solicited personal information — we only collect what we need |
| APP 5 | Notification of collection — this policy and the cookie banner |
| APP 6 | Use or disclosure for the primary purpose, or a directly related secondary purpose you would reasonably expect |
| APP 8 | Cross-border disclosure of personal information — see Section 6 |
| APP 10 | Quality of personal information — we take reasonable steps to keep it accurate |
| APP 11 | Security of personal information — see Section 11 |
| APP 12 | Access to personal information — on request, generally within 30 days |
| APP 13 | Correction of personal information — we will correct inaccurate, out-of-date, incomplete, irrelevant, or misleading information about you |

We do not collect or handle sensitive information through normal site operation, so the heightened restrictions on sensitive information in APP 3 do not arise.

5. Who We Disclose To

  • Service providers — hosting, CDN / security (Cloudflare), analytics (Google Analytics 4), advertising (Google AdSense), email — all under written contracts that limit them to handling personal information on our instructions for the purposes for which we collected it
  • Authorities — only when required by Australian law, valid legal process, or to protect rights and safety
  • Successors — in a merger, acquisition, or sale of the publication, in which case we will require the successor to honour this policy

We do not sell personal information. We do not share personal information with any GP clinic, Medicare, Services Australia, any health insurer (Bupa, Medibank, HCF, NIB, Australian Unity, or any other), or any health-related body — the only health information any of those bodies hold about you is what you have provided to them directly.

6. Cross-Border Disclosure (APP 8)

Some of our service providers (Cloudflare, Google) process information outside Australia, including in the United States, the European Union, and Singapore. APP 8 requires us to take reasonable steps to ensure overseas recipients comply with the APPs, except in specific circumstances. We rely on:

  • Contractual protections with overseas processors that bind them to substantially the same standards as the APPs
  • The OAIC’s guidance on overseas data flows for what “reasonable steps” means in each circumstance
  • Limited categories of overseas disclosure — technical service-provider relationships rather than substantive sharing

7. How Long We Keep Information

| Category | Retention |
|---|---|
| Web server and security logs | 30 days |
| Aggregated GA4 analytics | 14 months |
| Email correspondence | 24 months from last interaction |
| Cookie-consent records | 12 months from the choice |
| Privacy-rights request audit trail | 3 years |

8. Your Rights Under the APPs

  • APP 12 — right to access your personal information that we hold
  • APP 13 — right to correction of inaccurate, out-of-date, incomplete, irrelevant, or misleading information
  • Right to anonymity / pseudonymity under APP 2 where lawful and practicable
  • Right to opt out of direct marketing under APP 7
  • Right to complain to the OAIC — see Section 12

Note that the Privacy Act framework is currently being modernised. The Privacy and Other Legislation Amendment Act 2024 introduced a range of changes including a new statutory tort for serious invasions of privacy (taking effect on a delayed schedule) and other reforms. We update this policy as the reforms commence.

9. How to Exercise Your Rights

Email info@medicalcentre-au.org with subject line “Privacy rights request.” Include the right you are exercising (APP 12 access or APP 13 correction) and enough information to identify you in our limited records (typically the email address you previously used). We will respond within a reasonable period (generally within 30 days as OAIC guidance suggests).

If we deny your request, we will tell you why in writing. You may then complain to the OAIC.

10. Children

The site is not directed at children. We do not knowingly collect personal information from children. If you are a parent or guardian and believe a child has provided personal information to us, contact us with subject line “Child information request” and we will delete it.

The OAIC publishes guidance on handling children’s personal information. We follow that guidance.

11. Security and the Notifiable Data Breaches Scheme

We use technical and organisational measures appropriate to the limited categories of personal information we process — HTTPS in transit, encryption at rest where applicable, access controls, vendor due diligence, and breach response procedures. No security measure is perfect; we cannot guarantee that personal information will never be exposed by a security incident.

Australia’s Notifiable Data Breaches (NDB) scheme, established in 2018 under Part IIIC of the Privacy Act 1988, requires APP entities to notify the OAIC and affected individuals of “eligible data breaches” (a data breach likely to result in serious harm). If we have an eligible data breach, we will comply with the NDB scheme.

12. Complaints to the Office of the Australian Information Commissioner

If you are not satisfied with how we have handled your personal information or a privacy-rights request, you have the right to complain to the Office of the Australian Information Commissioner (OAIC), the Australian privacy regulator:

  • Online: oaic.gov.au
  • Telephone: 1300 363 992
  • Post: Office of the Australian Information Commissioner, GPO Box 5288, Sydney NSW 2001

13. State Health Records Acts

In addition to the Commonwealth Privacy Act, several states and territories have specific Health Records legislation that may apply where the information concerns an individual’s health:

  • Victoria — Health Records Act 2001 (Vic); complaints to the Health Complaints Commissioner
  • NSW — Health Records and Information Privacy Act 2002 (NSW); complaints to the NSW Privacy Commissioner
  • ACT — Health Records (Privacy and Access) Act 1997 (ACT); complaints to the ACT Human Rights Commission
  • Other states — Tasmania, Queensland, South Australia, Western Australia, and the Northern Territory have variant frameworks; some operate through Commonwealth Privacy Act + state Health Complaints Commissioner arrangements

We do not hold health information about you, so these state Health Records Acts do not directly apply to our handling of your personal information. They do apply to your GP clinic.

14. Changes to This Policy

We update this policy when our practices change or when Australian privacy law changes (the Privacy Act is currently undergoing substantial reform). The “Last reviewed” date at the top reflects the current version. Material changes are flagged on the site for 30 days.

15. Contact

For any privacy question or APP rights request, email info@medicalcentre-au.org.