Healthdirect — your trusted source of quality health information and advice
Healthdirect’s mission is to help Australians actively manage and improve their health by providing trusted information and virtual services anywhere and anytime. We work together to make a daily difference in the lives of others.
To achieve our mission, we collect and handle personal information about health consumers and others. We are committed to being transparent about the data we collect about you, how it is used and with whom it is shared.
On this page
- Collecting personal information
- Collecting personal information for health services
- Call monitoring and recording
- Dealing with us anonymously
- Collecting personal information for digital services — websites and mobile applications
- Using services and tools on our website
- Using services and tools on our mobile application
- Healthdirect user account for web browser and mobile application
- Accessing the My Health Record system from your mobile user account
- Pregnancy, Birth and Baby
- Third-party websites and social media
- Collecting personal information in our corporate functions
- Using and disclosing personal information
- How to make a complaint
- How to contact us
Effective 31 March 2023
In this policy, we describe what kinds of personal and sensitive information we collect, why we collect this information, and how we use, disclose and protect the information that we hold in the following areas:
- when we deliver health services and information to members of the public via helplines, video call solutions, websites, symptom checkers (and our other digital health service tools), service finders, mobile applications and social media networks
- (the policy covers all services in our portfolio except My Aged Care and the National Health Services Directory (NHSD), which are governed by their own privacy policies)
- in our corporate functions, such as when we engage with contractors, representatives of service providers and stakeholders, job applicants and other people
In this Policy, when we use ‘you’ or ‘your’ we are referring to the individual reader of this Policy, and/or the consumer of the services and information that has been described above.
‘Personal information’ refers to information or an opinion about an identified individual or an individual who is reasonably identifiable. ‘Sensitive information’ is a subset of personal information. The most common types of sensitive information that we collect about you may include:
- racial or ethnic origin
- sexual orientation
- health information
- details relating to your pregnancy or child (such as your estimated due date or child’s birthdate)
- genetic information
We must comply with Commonwealth privacy laws and, for some services, State and/or Territory privacy laws as well. We also endeavour to adopt careful and ethical data practices and to embed privacy considerations in the design of our services.
If you have any concerns about how we manage your privacy, please feel free to contact us at the details set out below.
Collecting personal information
We may collect your personal information through your interactions with us, including:
- when you contact us, through telephone, video call solutions or through our websites to utilise any of our services or information
- when you deal with us as part of managing our day-to-day business activities
- as part of us procuring goods and services from you, or your provision of such services on our behalf
- when you are a current, former, or potential employee or contractor; or
- when you make an enquiry or complaint to us
Wherever possible, we will collect personal information directly from you. Where it is impracticable or unreasonable to do so we may collect your personal information from a third party with your consent or where authorised under an Australian law. For example, there are times when it is necessary to collect personal information from another person, such as where a patient permits or has authorised another person to conduct their affairs (such as a spouse or guardian), is unconscious, is incapacitated or is a minor.
Within a Healthdirect user account (which is available via the website) people can add family members, and tag and add their health events into the app. This means that we may collect personal information about people from their family members in user accounts. We have designed user accounts to encourage nicknames to be used to limit the collection of identifiable information. More information about our user accounts is provided below.
Collecting personal information for health services
If you use our health services, we may collect:
- your name
- date of birth
- contact details (such as your address, email address and phone number)
With your consent, we may also collect sensitive information about your illnesses, symptoms you have experienced, any existing disabilities, or other health services you are receiving or are to be provided in the future. If it is clinically relevant, we may also request your consent to collect sensitive information about your ethnic background, sexual practices, or details relating to your pregnancy (such as your estimated due date or child’s birthdate). You always have the choice not to provide this consent to collect this information, but if you choose not to provide your consent, we may not be able to provide you with our services.
When you access some of our services, such as healthdirect and After Hours GP, you will be offered a copy of your care advice, which is a summary of the advice received. To send this to you, we need your mobile phone number.
If someone calls Healthdirect on another’s behalf, we may collect their name and contact details as well.
Call monitoring and recording
We monitor (including real-time listening), and make and store audio and video recordings of our services for records management, auditing, training and quality assurance purposes. Call recordings are considered part of the health record collected when you use our service and may contain the personal information described above.
If you do not want your call recorded, please advise the call operator assisting you. If you want further information about call monitoring or recording, please contact our Privacy Officer.
Dealing with us anonymously
Healthdirect recognises that the choice of how much information you provide to us is yours. Where possible, Healthdirect provides the option of interacting with us anonymously, for example, by using the Symptom Checker application on our website.
However, if you choose to withhold some or all of your personal or sensitive information, there may be some limitations to the services that we are able to provide to you.
Some of our telephony services require us to collect a minimum amount of personal or sensitive information about you.
For some services, you will be able to use a pseudonym, that is, a nickname, alias or descriptor which is not your real name. If you do not wish to disclose your identity, please advise the nurse answering your call.
After Hours GP is a call-back service, therefore we need to identify you to provide the service. You will not be able to receive this service if you choose to remain anonymous or provide a pseudonym.
If you provide your personal information (or use a pseudonym), Healthdirect can send you a secure link to a summary of your call via SMS, and on request we can give you a contact record reference number which allows you, and other authorised persons, to retrieve information about that call later. A summary of your call is not available currently for our Pregnancy, Birth and Baby service.
Collecting personal information for digital services — websites and mobile applications
We have a range of digital offerings, including services and tools on our website and mobile application.
Using services and tools on our website
Most services and tools on our website can be used without having to give us any personal information. These include:
Whenever you use these services and tools, you can do so anonymously.
However, if you ask for your results to be sent to you, we will collect your name and/or email address which may identify you.
We make no attempt to identify anonymous users or to link the activities of people browsing or using services on our website unless we are required or authorised by law to do so.
Using services and tools on our mobile application
Many of our digital offerings are accessible on the Healthdirect mobile application.
While you may use many of these services and tools without creating a user account (see information about user accounts below), the Healthdirect mobile application collects the following information from you when you install and run the mobile application:
- location data
This information is collected to help us optimise the services and tools that we offer, including, for example, using location data to recommend health services that are close to you. We also process your data so we can drive improvements to the app and to allow bug reporting and analysis.
The Healthdirect mobile application does not request nor seek access to any other information stored on your mobile phone, and the location data collected is not shared with any third parties.
Healthdirect user account for web browser and mobile application
You can set up a Healthdirect user account via the web browser and mobile application. This will enable you to create a profile, save your interactions, set information and notification preferences, and return to your information at any time.
You can choose not to receive some communications or messages from us. This includes general communications material or information sent by us.
There are some notifications or messages that you cannot opt-out of. For example, where it relates to your privacy or the security of your personal information.
If you set up a user account, we will collect the following personal information from you:
- your name
- sex at birth
- date of birth, and
- contact details (phone number and email address).
We will also collect health information about you, such as your symptoms when you use Symptom Checker or our other digital services and tools while signed into your user account.
You can choose to set up your user account with a pseudonym, such as a nickname. No attempt will be made to identify users unless we are required or authorised by law to do so.
Accessing the My Health Record system from your mobile user account
One of the benefits of establishing a user account for mobile is that it will enable you or your authorised representatives to connect to and view your My Health Record (MHR) in the My Health Record system through the Healthdirect app.
If you or your authorised representatives choose to use your Healthdirect user account to access your MHR, you will be taken to the MHR log in page where you will be prompted to enter sign-in information (which may include personal information).
Where you or your authorised representatives have chosen to link to your MHR with the Healthdirect app, we do not store any personal or health information from your MHR. The personal and health information made available to you (including your COVID-19 vaccination status) is from your MHR, and once you close the Healthdirect app, the MHR information displayed is not stored on the app.
Pregnancy, Birth and Baby
Our Pregnancy, Birth and Baby (PBB) service is also available via our website. PBB enables you to subscribe and have newsletters sent to you which relate to your pregnancy and your baby.
When you use PBB, we will collect details relating to your pregnancy or your baby (such as your estimated due date or your child’s birthdate).
Third-party websites and social media
Our digital services may have links to other websites that are not controlled or owned by us. Similarly, you may access our services or products via social media platforms (e.g., Facebook, Messenger, Twitter etc).
In these situations, any personal information you provide on these platforms will be handled under the privacy policies of those platform providers. We encourage you to check those privacy policies prior to use. For more information please see our Social Media Acceptable Use Policy.
Collecting personal information in our corporate functions
We rely on and engage with people every day to operate and deliver our services. In doing so, we collect personal information about people including contractors, representatives of service providers and stakeholder organisations, job applicants and others.
The personal information we collect may include:
- job title, and
- contact details (phone number, email address and office address).
We collect this information primarily to communicate with you or your organisation.
If you have applied for a job with Healthdirect, we may also collect information included in your cover letter and resume and/or provided through background checks. This may include opinions from referees and criminal background checks which are obtained with consent. Some of this information may be sensitive information.
Using and disclosing personal information
These are the main ways in which we use and disclose personal information (including health information and other types of sensitive information you provide):
- To provide healthcare services.
- To send a recipient of healthcare services information about the services they have received or topics they may be interested in or have requested.
- To seek feedback on a person’s satisfaction with the services they have received.
- To improve our services. For example, we may use audio recordings of telehealth consultations for audit and training purposes to help ensure that it meets the highest standards of safety and quality in health care. Healthdirect also uses ‘in-app’ feedback to identify where improvements can be made in our digital services.
- To consult, with consent, with a person’s health service provider (this usually occurs in a health session while the person is still on the line).
- To engage with a person’s representative, for example, where a patient permits or has authorised another person to conduct their affairs (such as a spouse or guardian), is unconscious, incapacitated or a minor. We will deal with the person responsible for their welfare and this will include disclosing personal information about the patient to that person. This also applies where a user account holder has set up a profile for a family member.
- To receive IT support from IT service providers in Australia and overseas for the purpose of providing health services. Healthdirect uses IT service providers in Australia and in the United States (we ensure that your personal information is in secured storage which conforms to Australian privacy requirements).
- For health research purposes, including data linkage projects.
- In dealing with individuals (including employees and contractors) as part of the day to day running of Healthdirect, including where we may be dealing with current, former, and future employees.
- In dealing with people who supply goods and services to us, or to you on our behalf.
- To deal with complaints and enquiries made about our services or information.
At times, Healthdirect discloses personal information to Commonwealth, State or Territory health services to assist them in providing health services to an individual or to address issues you may raise with them.
Healthdirect may also use and disclose your personal information to third parties and service providers that are partnering with us to deliver our services and information, including to ensure standards of safety and quality of our services. Where information is disclosed to any third party, we ensure that your personal information is in secured storage which conforms to Australian privacy requirements.
Healthdirect may also use and disclose personal information (but not sensitive information such as health information) where:
- it is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety and it is unreasonable or impracticable to obtain the individual’s consent to the use or disclosure. For example, Healthdirect may share relevant personal information with health services and/or Government bodies in the event of a national, State or Territory health disaster so that an appropriate health response can be provided.
- we have reason to suspect that unlawful activity, or misconduct of a serious nature, relating to our functions or activities has been, is being or may be engaged in and the use or disclosure is necessary for us to take appropriate action in relation to the matter
- we believe that use or disclosure is reasonably necessary to assist with locating a missing person
- it is necessary for the establishment, exercise or defence of a legal or equitable claim
- it is necessary for the purposes of a confidential alternative dispute resolution process
- we transition our services to another provider, in which case personal information may be transferred to them for continuity.
Reporting using de-identified information
Healthdirect is publicly funded and is therefore required to share service delivery data with its funders, to demonstrate value and accountability and to drive improvements in the healthcare system. We may also share de-identified information with other organisations for research and statistical purposes.
When we share or report this data, it is de-identified, which means we have taken steps to remove personal information so that it does not reveal information about any one individual.
Protecting your personal information
We have a range of security controls in place designed to protect your personal information from unauthorised use and disclosure.
These physical, technical and procedural safeguards include:
- data encryption: all data, including data that is personally identifiable, is always encrypted at rest and in transit.
- continuous monitoring: our website and app are subject to penetration testing and ongoing security monitoring and vulnerability testing.
- data storage: we store your personal information in secured storage which conforms to Australian privacy requirements.
- username and password: where you set up a user account on the website, you will set a username and password.
Storing your personal information — our record keeping obligations
Depending on which State or Territory the service was delivered to you in, we are obliged under health records legislation to retain records of your health or digital service delivery for up to 15 years from the last occasion on which health services were provided to you.
In the case of patients under the age of 18, your records must be kept until you are at least 25 years of age, and in some States or Territories, 28 years of age.
We retain records of non-clinical advice and services we provide for shorter periods of time, depending on the service type.
After these periods, if the information is no longer required by us for any purpose for which it was collected and is no longer required by law to be retained by us, we will securely destroy or de-identify it.
How to access or correct your personal information
You have a right to request access to and/or seek correction of the personal information that we hold about you.
Before we give you access, or change your personal information, we may need to confirm your identity.
We will not charge you for making an access request, but we may ask you to pay a reasonable fee for the work involved in providing you with this information and for associated costs such as photocopying. You will be notified of any costs before your request is processed.
If we refuse to provide you with access to your record or to update your record in the way you request, we will provide you with written reasons.
If we refuse to correct or update your information, we will make a note on your record of your request for correction.
Click here to access the Healthdirect Personal Records Access or Change Request Form.
How to make a complaint
If you have a privacy complaint or concern relating to the way that we have handled your personal information, please contact Healthdirect. We will investigate your complaint or concern and endeavour to respond to you within 10 working days.
If you feel we have not adequately resolved your complaint or concern, you may contact the Australian Information Commissioner at www.oaic.gov.au.
How to contact us
PO Box K411
Haymarket, NSW 1240
Last reviewed: March 2023