On this page

• About this Privacy Policy
• What personal and sensitive information do we collect?
• Why do we collect and use your personal and sensitive information?
• How do we collect your personal and sensitive information?
• How do we use or disclose your personal and sensitive information?
• How long do we retain your personal and sensitive information?
• How do we protect your personal and sensitive information?
• How to manage your personal or sensitive information
• How to contact us
• Scope of and updates to this Privacy Policy

You can also visit our privacy hub or read these frequently asked questions (FAQs).

---

About this Privacy Policy

Effective as of 7 May 2024

This is the Privacy Policy of Healthdirect Australia Ltd (ABN 28 118 291 044) (Healthdirect) (also variously described as us, we or our throughout this Policy). The Policy covers the following services in our portfolio, except My Aged Care and Head to Health, which are governed by their own Privacy Policies:

• Helpline services
  • healthdirect helpline (also known as NURSE-ON-CALL in Victoria)
  • healthdirect GP helpline
  • Pregnancy, Birth and Baby
  • health alert lines
• Digital services
  • healthdirect website
  • healthdirect mobile app
  • Pregnancy, Birth and Baby website
• Digital products (available in some of our digital services)
  • User account
  • Symptom Checker
  • Service Finder
  • Risk Checker
  • Question Builder
  • BMI calculator
• National digital infrastructure
  • National Health Services Directory (NHSD)

In this Policy, we describe the kinds of personal and sensitive information (including health information and other types of sensitive information that you provide) we collect, why we collect this information, and how we use, disclose, and protect the information that we hold.

When we use 'you' or ‘your' in this policy, we are referring to the individual reader of this Policy. You may be a member of the public who has used our health services, a health practitioner or integrator, or someone who has engaged with our corporate functions.

For other privacy-related definitions, please see our privacy FAQs.

Healthdirect complies with Commonwealth privacy laws (including the Privacy Act 1988 (Cth)) and for some services, State and/or Territory privacy laws (where appropriate). We also adopt careful and ethical data practices, and embed privacy considerations into the design of our services.

This part of our Privacy Policy applies when you use our services as a member of the public, including when you call our helplines to consult with a call agent (for example, a nurse or doctor), use the digital products and service tools on our website, such as the Symptom Checker or Service Finder, or use our mobile applications and social media networks.

If you are a health practitioner, please go here.

If you are an employee, a job applicant, a contractor or a stakeholder, such as a representative of a service provider, consultant, shareholder or director of our organisation, please go here.

Please see below for information about how we manage your personal and sensitive information, or read these frequently asked questions (FAQs).

BACK TO TOP

---

What personal and sensitive information do we collect?

Generally, Healthdirect collects the following personal and sensitive information about you, with your consent, depending on the service that you interact with:

• identifying information, such as your name and date of birth;
• demographic information, such as your age and sex, and postcode;
• contact details, such as your address, email address and phone number, including instances when you use a service or tool on our website and choose to have your results emailed to you;
• sensitive information about your illnesses, symptoms you have experienced, any disabilities, or other health services you are receiving or are to be provided in the future, or any medications that you may be taking;
• where clinically relevant, sensitive information about your ethnic background, sexual practices, or details relating to your pregnancy or child (such as your estimated due date, information about your ovulation cycle, child’s name and birthdate);
• name and contact details (such as phone number) of your authorised representative if they interact or engage with us on your behalf; and
• recordings of your audio and video interactions (where this capability is enabled) with us.

BACK TO TOP

---

Why do we collect and use your personal and sensitive information?

Healthdirect collects your personal and sensitive information to facilitate the provision of health services to you, including for the purposes of:

• providing you with health information and advice, including the sending of information to you, where you have requested it;
• facilitating your access to healthcare, for example through the healthdirect GP helpline, or by disclosing your information to another health practitioner or health service who may be involved in your care, as required;
• consulting with your authorised representative, for example, where you have authorised another person to conduct your affairs (such as a spouse or guardian) or you are unconscious, incapacitated or a minor; and
• quality assurance, training and service improvement, including:
  • seeking feedback on your satisfaction with the services received. For example, Healthdirect uses ‘in-app’ feedback to identify where improvements can be made in our digital services and products, or a survey link may be sent to you, with your consent, by a contracted third party;
  • using audio recordings of telehealth consultations for quality audit and training purposes for authorised personnel to help ensure that our service meets the highest standards of safety and quality.

In meeting these above purposes, Healthdirect may also use and disclose your personal and sensitive information for a secondary or related purpose. We will only do this where either:

• you have been provided with an additional notice of collection and you have provided your consent for Healthdirect to use this information for a secondary or related purpose; or
• where you would reasonably expect that this information would be used for a secondary or related purpose; or
• where such use or disclosure to other agencies or organisations is permitted by law.

Some of the secondary or related purposes for which Healthdirect collects, uses and/or discloses your personal and sensitive information, include:

• dealing with complaints, incidents and enquiries about our services, systems or information, including clinical issues, or when we require specific support from other service providers in Australia or overseas in the delivery of health services;
  • for example, Healthdirect uses IT service providers in Australia and in the United States (we ensure that your personal and sensitive information is in secured storage which conforms to Australian privacy requirements)
• reporting and disclosure of personal and sensitive information to State or Commonwealth government authorities, regulatory bodies and health organisations on matters relating to public health and safety initiatives; and
  • this may extend to the disclosure of personal and sensitive information for health research and improvements to the broader health system, including data linkage, and surveillance data collected to track an individual’s journey through a health-related initiative/system
• compliance with any applicable laws, for legal proceedings, enforcement actions, or compulsory reporting to State or Federal authorities.

BACK TO TOP

---

How do we collect your personal and sensitive information?

Healthdirect collects your personal and sensitive information when you use any of our services.

Contacting Healthdirect via telephone

When interacting with Healthdirect via telephone, we collect personal and sensitive information directly from you. Where it is impracticable or unreasonable to do so, we may collect your personal and sensitive information from an authorised person or representative.

Outbound services

Healthdirect may contact you based on information provided by a third party about the provision of a health-related service to you. Often this information is provided by a government agency, healthcare provider, or other health organisation.

Where this information is provided by a health practitioner, or health organisation, Healthdirect usually receives this information via a referral — either through an online or written form.

Where a referral is being used, you should be asked for your consent before this information is passed to us.

Encounter summary

Some of Healthdirect’s services, such as the healthdirect helpline, are able to provide you with the option of receiving a personalised summary of advice and information via SMS.

At the end of your interaction, the call agent will offer to send an SMS to you with information that will help you manage your health. Encounter summaries are provided on an opt-in basis.

The Encounter summary SMS will direct you to a webpage that has been designed not to include any specific personal or identifiable information; and generally, includes only the following:

• the date and time of call;
• a generic description of any symptoms described to the call agent; and
• additional care information provided to you on the call.

An Encounter summary is usually available where a valid mobile phone number is provided. A summary of your encounter is not available currently for our Pregnancy, Birth and Baby service.

Interacting via Healthdirect Video Call

Certain Healthdirect services utilise an in-house secure video consulting platform. Currently, the GP Helpline, Pregnancy, Birth and Baby, and My Aged Care services use this platform. For more information related to Healthdirect Video Call terms of use, please visit:

• Platform Terms of Use – Callers and Guests
• Platform Terms of Use – Signed-in users
• About Healthdirect Video Call – Healthdirect Australia

Healthdirect Video Call platform itself does not provide access to or retain any of the information collected by our services.

Interacting with Healthdirect’s digital services and products

Most digital services and products can be used without providing identifiable information. However, some information such as your sex, age and symptoms may be relevant for us to provide you accurate health advice. For example, these services require some demographic information:

• Symptom Checker
• Service Finder
• Opioid Risk Indicator
• Pain Question Planner
• Risk Checker

If you ask for your results to be sent to you, Healthdirect will collect your name and/or email address which may identify you. If you choose to share your results with other individuals and/or organisations, you should be aware that your results may become identifiable and/or linked to you.

Our digital services and products may have links to other websites that are not controlled or owned by us. Similarly, you may access our services or products via social media platforms (for example, Facebook, Messenger, X (formerly Twitter) etc). In these situations, any personal and sensitive information you provide on these platforms will be handled under the privacy policies of those platform providers. We encourage you to check those privacy policies prior to use.

Please remember to be responsible and respectful when interacting with us and others on social media platforms. For more information, please see our Social Media Acceptable Use Policy.

User accounts

A healthdirect user account enables you to save your health information and allows you to connect your My Health Record and certain Medicare records to the healthdirect app. When you set up a user account, you can create a profile, save your interactions, and set information and notification preferences for optional notifications (noting that some notifications or messages, such as those relating to your privacy or the security of your personal and sensitive information, are non-optional and you cannot opt-out of). You can return to your information at any time. The user account holder can also add family members, and tag and add health events of family members to the user account. This means that we may collect personal information from you about your family members that you have added to your user account. We have designed user accounts to encourage you to use nicknames of family members to limit the identifiable information you give to us.

BACK TO TOP

---

How do we use or disclose your personal and sensitive information?

Like most organisations, Healthdirect uses and discloses your personal and sensitive information to perform its functions and activities. This includes using:

• identifying information to confirm your identity to ensure an integrated and comprehensive level of service is able to be provided to you;
• your demographic and health information to provide you with safe, high-quality health information and advice, and to facilitate healthcare and/or treatment, such as through referring you to the GP Helpline, where required. We may also collect your demographic and health information when you use our digital services and products, for example when you set up a healthdirect user account for web browser or in the healthdirect app. While logged in to your healthdirect user account, we may collect your health information, such as your symptoms, when you use Symptom Checker or our other digital services and tools;
• contact information you have provided to communicate with you about updates and changes to our services. For example, when you use a service or tool on our website and choose to have your results emailed to you; or when you use the GP Helpline which is a call-back service; or when you access some of our services, and choose to receive a copy of your Encounter Summary;
• contact information to communicate with you, where you have registered an enquiry or made a complaint;
• information about how you use our services to provide an improved experience for members of the public who use our services, including service testing and analytics;
• your personal and sensitive information to exercise our legal rights where it is necessary to do so, for example to detect, prevent and respond to fraud claims, intellectual property infringement claims or violations of law or our applicable terms of use; and
• your personal and sensitive information to customise your experience with our tools and services, such as by providing you with relevant information associated with the symptoms that you have presented with.

For many of our services, the personal and sensitive information that you have provided to us is disclosed to support the delivery of healthcare, or in accordance with our other functions and activities, in the following ways:

Routine disclosures

Routine disclosures are those made as part of, or to assist with the delivery of our services and may include third parties and contracted services providers.

Primarily we make disclosures, with your consent to facilitate the provision of appropriate healthcare, such as where we refer you to a further healthcare option.

Healthdirect may disclose information to third-party service providers for the purpose of undertaking surveys and analytics on how members of the public use Healthdirect’s services.

Instructed disclosures

In its capacity as a contracted service provider to Commonwealth, State or Territory agencies, Healthdirect may, consistent with relevant legal authority, disclose personal and sensitive information to an agency or a directed third party.

Occasional disclosures

On occasion, Healthdirect may be required to disclose personal and sensitive information outside of routine or instructed disclosures. Examples of these types of disclosures, include:

• the disclosure is required or authorised by or under an Australian law or a court/tribunal order; or
• the disclosure of personal and sensitive information is required to be made to regulators, for example, disclosing details of Healthdirect user accounts to the Australian Digital Health Agency, as system operator of the My Health Record (MHR) system to assist, following a real or suspected data breach involving the MHR system; or
• Healthdirect reasonably believes that the disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety and it is unreasonable or impracticable to obtain the individual’s consent to the disclosure; or
• where we are transitioning our services to another service provider, in which case personal information may be transferred to them for continuity of service.

Healthdirect does not sell your personal or sensitive information.

Dealing with us anonymously or via a pseudonym

Healthdirect recognises that the choice of how much information you provide to us is yours. Where possible, Healthdirect provides the option of interacting with us anonymously, for example, by using the Symptom Checker application on our website.

For some services, you will be able to use a pseudonym, that is, a nickname, alias or descriptor that is not your real name. If you do not wish to disclose your identity, please advise the call agent answering your call. For example, if you have a user account, you can choose to set it up with a pseudonym, such as a nickname.

However, if you choose to withhold some or all of your personal or sensitive information, there may be limitations to the services that we are able to provide to you, such as limitations on our ability to provide specific health information and advice, or for us to refer or pass your details to other services. For example, the GP Helpline is a call-back service, that requires that you provide identifying details to access the service. You will not be able to receive this service if you choose to remain anonymous or provide a pseudonym.

Some of our helpline services are unable to be used anonymously, or pseudonymously since we are required to collect a minimum amount of personal or sensitive information about you to provide safe, high-quality care.

Overseas disclosures

As part of our operations, Healthdirect uses a United States (US) based telephony system that captures and stores information about incoming phone numbers and content of the Encounter summary text messages sent to members of the public. For services that have this capability enabled, the phone number, text message content, and details about the time and date of the call or message are encrypted and retained for a short period of time for disaster recovery purposes in the United States before being redacted from the system’s database. This means that no consumer health data is retained overseas for longer than is operationally required, which is around five to six hours.

De-identified information

De-identification is the process of removing or altering information that identifies an individual or is reasonably likely to enable their identification. As Healthdirect is publicly funded, this means it must share some service delivery data with its government funders and other organisations across the health industry to demonstrate value and accountability.

Healthdirect shares data:

• to help improve the healthcare system;
• to enable research and statistical analysis; and
• to help evaluate healthcare services.

Healthdirect de-identifies data when it shares or reports this data. This usually includes the removal of personal identifiers, and other indirect identifiers, or aggregating data so that no single person is identifiable.

Healthdirect takes measures to ensure that de-identified information is protected from unauthorised re-identification, access, modification, or disclosure. This includes where Healthdirect has shared this data with organisations based overseas.

BACK TO TOP

---

How long do we retain your personal and sensitive information?

Healthdirect balances our obligation to dispose of information that we no longer require for any purpose with our health records obligations. This is so we can retain personal and sensitive information for members of the public who use our services for varying periods of time.

Depending on which State or Territory the service was delivered to you in, we are obliged under health records legislation to retain records of your health or digital service delivery for up to 15 years from the last occasion on which health services were provided to you.

The records of individuals under the age of 18 year, must be kept until they are at least 25 years of age, and in some States or Territories, 28 years of age.

We retain records of non-clinical advice and services we provide for shorter periods of time, depending on the service type.

After these periods, if the information is no longer required by us for any purpose for which it was collected and is no longer required by law to be retained by us, we will securely destroy or de-identify it.

BACK TO TOP

---

How do we protect your personal and sensitive information?

Healthdirect has an obligation to ensure that the personal and sensitive information that you provide is appropriately protected from misuse, interference, and loss, and from unauthorised access, modification, and disclosure.

Healthdirect aligns with the Australian Cyber Security Centre (ACSC) Essential Eight as our baseline for security standards. The Essential Eight is a prescribed list of technical strategies that aim to mitigate threats within our system and networks. More information about these security standards can be found here: Essential Eight (cyber.gov.au)

Healthdirect complements this approach with:

• requirements for data encryption, including personal and sensitive information, encrypted at rest and in transit;
• continuous monitoring of our systems and applications including our website and various databases;
• data storage that conforms to Australian privacy requirements; and
• authenticating users, including members of the public, helpline agents and employees to ensure that all points of access to data are protected from inappropriate access, use or disclosure.

Biometrics

You may choose to use biometrics (fingerprint or face ID login) on your device to use some services and products that Healthdirect offers, such as user accounts. Please note, however, that Healthdirect does not collect or store your biometrics information.

BACK TO TOP

---

How to manage your personal or sensitive information

Accessing or correcting your information

You have a right to request access to the personal and sensitive information that we collect and hold about you. You may also request that Healthdirect corrects the information that it holds about you.

For some Healthdirect services and products the data may be held by third parties engaged to provide or administer the service. Healthdirect will advise on the appropriate access process for these services and products.

Given the sensitivity of the information that we hold, we will require you to confirm your identity before we provide you with access to the information we hold about you.

Click here to access the Healthdirect Personal Records Access or Change Request Form.

Some of our services, such as Healthdirect user accounts, offer self-service options where you can access and edit your personal information yourself.

If we refuse to provide you with access to your personal and sensitive information or refuse to provide you with access to your information in the way you have requested, we will provide you with a written notice outlining our reasons for refusal.

Deleting your information

While we consider requests for deletion, the Privacy Act does not currently give individuals the right to ‘delete’ or ‘erase’ their personal and sensitive information.

Healthdirect has legal obligations to keep records of different types of interactions, such as health records. We consider these obligations before determining whether we can delete your information.

Given the sensitivity of the information that we hold, we will require you to confirm your identity before your information can be modified.

Click here to access the Healthdirect Personal Records Access or Change Request Form.

Complaints

If you have a privacy complaint or concern regarding how we have handled your personal information, please contact Healthdirect. We will investigate your complaint or concern and endeavour to respond to you within 10 working days.

If you feel we have not adequately resolved your complaint or concern, you may contact the Office of the Australian Information Commissioner at Privacy complaints (oaic.gov.au).

BACK TO TOP

---

How to contact us

You can contact our Privacy Officer as follows:

Email: privacy@healthdirect.org.au

Postal address:

Privacy Officer
Healthdirect Australia
PO Box K411
Haymarket NSW 1240
Australia

BACK TO TOP