1.1 Who we are and what we do
CBHS Health Fund Limited ABN 87 087 648 717 (CBHS) is a restricted-access private health insurer and employer. It provides Insurance Policies or products to Persons who are eligible to become members of CBHS.
1.2 Purpose of this document
The term “Personal Information” is defined in section 2 (Definitions) below.
The Policy is based on the relevant requirements in:
- CBHS’ “Customer First” values;
- The Privacy Act (as defined in section 2 (Definitions) below) and its APPs (as defined in section 2 (Definitions) below);
- The privacy legislation of Australian States and Territories; and
- The GDPR (as defined in section 2 (Definitions) below).
1.3 When rights under the GDPR apply
The relevant requirements in the GDPR apply to a Person whose Personal Information We Collect while the Person is resident in a EU Country.
The terms “Collect”, “EU Country”, “GDPR”, “Person” and “Personal Information” are defined in section 2 (Definitions)
1.4 Information in this Policy
- 1 Scope
- 2 Definitions
- 3 Individuals whose information we collect
- 4 Types of information we collect
- 5 Purposes for which we collect information
- 6 When and how we collect information
- 7 Dealing with us anonymously or using a pseudonym
- 8 Who we disclose information to
- 9 Disclosing information outside Australia
- 10 Direct marketing
- 11 Information we collect when you use our website
- 12 How we hold and protect information
- 13 Accessing and requesting correction of your information
- 14 Complaints about your privacy
- 15 Contacting us about this Policy
- 16 Your consent
- 17 Changing and notifying changes to this Policy
The words in bold in this section have the following meanings in this Policy:
- APPs means the Australian Privacy Principles in the Privacy Act.
- Collect includes use, disclose, disclosure, holding and Processing of Personal Information. “Collects”, “collecting”, “collected” or “collection” has a corresponding meaning. The terms “Processing” and “Personal Information” are defined below.
- Correct includes “rectification” of inaccurate personal data as described in Article 16 of the GDPR. “Correction” or “corrected” has a corresponding meaning. The term “GDPR” is defined below.
- De-identify means removing or altering information that identifies a Person or is reasonably likely to identify a Person and includes the meaning of “pseudonymisation” given in Article 4 (5) of the GDPR. The term “Person” is defined below.
- Destroy includes “erasure” of personal data as described in Article 17 (1) of the GDPR. “Destroyed” or “destruction” has a corresponding meaning.
- EU Country means a current Member State of the European Union.
- GDPR means the General Data Protection Regulation (Regulation (EU) 2016/679) of the European Parliament and of the Council.
- Health Hub means a CBHS interactive health and wellness assessment centre set up at various locations in Australia, which provides an assessment of a user’s health status. “Health Hubs” has a corresponding meaning.
- Information means Personal Information, as defined below, unless the context indicates otherwise.
- Insurance Policy means private health insurance policy, Overseas Visitor Health Cover or Overseas Student Health Cover taken with CBHS. “Insurance policies” has a corresponding meaning.
- Person means a natural person and includes a “data subject” as described in Article 4 (1) of the GDPR. “Persons” has a corresponding meaning.
- Personal Information means information or a statement or opinion about an identified Person (as defined above), or from which a Person is reasonably identifiable. Personal Information includes Sensitive Information (as defined below) and “personal data” as defined in Article 4 (1) of the GDPR.
- Policy means this document, unless the context indicates otherwise.
- Privacy Act means the Privacy Act 1988 of the Commonwealth Government of Australia.
- Processing has the meaning given in Article 4 (2) of the GDPR unless the context indicates otherwise. “Process” or “processed” has a corresponding meaning.
- Sensitive Information means Personal Information (as defined above), that is health, wellbeing, biometric, genetic, sexual orientation or practices information or biometric templates. Sensitive Information includes information of similar nature mentioned in Article 9 (1) of the GDPR.
- Supervisory Authority has the meaning given in Article 4 (21) of the GDPR.
- You or Your means any Person (as defined above) whose information We (defined below) Collect.
- We, Us or Our means "CBHS" (as identified in section 1.1 (Who we are and what we do) above).
3 Individuals whose information we collect
We Collect Information from or about the following persons:
- Members (current and former) of CBHS and their family members insured under the same Insurance Policy.
- Applicants for membership in CBHS.
- Applicants for employment or business opportunity with CBHS.
- Referees who are persons notified to CBHS by an applicant for employment or business opportunity with CBHS.
- CBHS’ contractors or service providers who are persons.
- Health care professionals or health care service providers who are persons.
- Visitors to CBHS’ premises.
- Directors or officers of a body corporate who has or proposes to have a business relationship with CBHS.
4 Types of information we collect
Depending upon Your needs or circumstances or Your relationship with Us, We will Collect the following types of Information:
- Personal details such as name, address, other contact information, date of birth, gender, marital status, photograph and signature.
- You or Your family members’ current or past employment with or by the Commonwealth Bank of Australia (CBA) or any of its subsidiaries, contractors or franchisees.
- Information necessary to collect or pay Your Insurance Policy premiums or contributions and to pay claims or other moneys due to You.
- Medicare number.
- Tax file number if You are an employee of CBHS.
- Superannuation fund account number or membership details if You are an employee of CBHS.
- Household or family income information to assess eligibility for government rebates and incentives for an Insurance Policy.
- Information to assess eligibility for benefits from the Department of Veterans' Affairs.
- Sensitive Information, as defined in section 2 (Definitions) above.
- Information necessary to assess Your health or wellbeing and provide related services to You.
- Membership of previous health funds and details of insurance policies You held with them.
- Educational and technical qualifications, work history and professional associations or relationships if You apply for employment or a business opportunity with Us.
4.2 Sensitive information
- Apply for some types of insurance policies.
- Access treatments or health services covered by Your Insurance Policy.
- Make a claim for treatments or services covered by Your Insurance Policy.
- Join a specialised health and wellbeing program, see section 5.3 (Specialised health and wellbeing programs) below.
Whenever practicable, We will require Your express consent to Collect Your Sensitive Information.
4.3 Visitors to our website
CBHS collects information that is not Personal Information of visitors to Our website, section 11 ( Information we collect when you use our website) below. Such information is collected regardless of whether You complete a form from Our website.
5 Purposes for which we collect information
5.1 Products and services
We Collect Information (including Sensitive Information) for the purposes of providing, administering and marketing Our products and services. These purposes include:
- Determining Your eligibility for membership with Us.
- Matching products and services to Your individual needs and circumstances.
- Collecting and processing Insurance Policy contributions or premiums.
- Assessing and communicating to You the coverage and benefits of the products and services provided to You.
- Communicating with You from time to time.
- Communicating with hospitals and other health care service providers about Your cover and benefits.
- Verifying Your identity from time to time.
- Administering and processing claims and payments.
- Managing, evaluating, developing or improving Our products and services.
- Undertaking quality assurance or risk management activities.
- Developing, improving or testing Our information technology services or capabilities.
- Enrolling You in specialised health and wellbeing programs.
- Conducting member surveys, research, analysis and providing online member services.
- Resolving any legal and/or commercial disputes, complaints or issues in relation to products or services You have applied for or taken with Us.
- Undertaking direct marketing activities and related communications with You.
5.2 Compliance with laws
We also Collect Information to meet Our compliance and reporting obligations in various Australian Commonwealth Government laws including the:
- Corporations Act.
- Financial Sector (Collection of Data) Act.
- Private Health Insurance Act.
- Private Health Insurance (Risk Equalisation Policy) Rules.
- Private Health Insurance (Risk Equalisation Administration) Rules.
- Private Health Insurance (Data Provision) Rules.
- Private Health Insurance (Incentives) Rules.
- Private Health Insurance (Lifetime Health Cover) Rules.
5.3 Better Living programs
CBHS develops Better Living programs and initiatives to assist members with day-to-day health and wellbeing issues such as dieting and exercise as well as chronic disease management.
We use Sensitive Information, to identify members who can be or are enrolled in these programs. Participation in the programs is not mandatory and depends on your cover. You may choose to or not to participate in them. If You join a program, You can withdraw from it at any time.
5.4 Consequences if information we ask for is not provided
CBHS has assessed Information it will Collect as reasonably necessary for the purposes set out in sections 5.1, 5.2 and 5.3 above. Your individual needs or circumstances determine the set of Information We will Collect from or about You.
We cannot compel You to provide any Information We ask for. However, in most cases, We will be unable to provide or continue to provide You with Our products or services if You fail or refuse to provide the Information We ask for. Also, if You later withdraw Your consent for Your Information to be handled in accordance with all or some requirements of this Policy, We may not be able to provide or continue to provide You with Our products or services.
6 When and how we collect information
CBHS collects Information in the following ways or circumstances.
6.1 Collecting information directly from you
Where practicable, We will Collect Information directly from You, including, when You:
- Visit Our office or place of business.
- Contact Us by telephone, email or regular mail.
- Complete a CBHS-issued paper form.
- Complete a form on Our website.
- Interact with Us via a mobile app.
- Visit any of Our health hubs and provide Information voluntarily.
- Complete a government-issued form We have made available to You.
- Apply to Us for employment or business opportunity.
- Enter a contract for services with Us.
6.2 Collecting information from someone else
Sometimes, We Collect Information about You from another Person or organisation including in the following circumstances:
- Policies insuring more than one Person - We Collect Information from the main member on an Insurance Policy or from a Person You have authorised to provide the Information on Your behalf. Any main or authorised Person is deemed to have obtained the consent of any Person whose Information they provide in relation to the Insurance Policy.
- Health services You received or when You make a claim – We may Collect Information about those services directly from the health service provider (e.g. a hospital, medical or allied health provider) You have dealt with.
- Health and wellbeing partners – We may Collect Your Information from a Person or organisation We have engaged to provide a specialised health and wellbeing program (see section 5.3, above) to Our members if You wish to participate in any such program.
- Online review platform providers – We may Collect Your Information from online review platform providers with whom We have partnered to help You provide reviews of services You received from healthcare providers.
- Relevant Australian government departments – We may Collect Information from government departments We deal with in relation to insurance policies including the Department of Health, Medicare Australia, the Private Health Insurance Ombudsman, the Office of the Australian Information Commissioner and the Department of Home Affairs.
- Call centres - We may collect Your Information from call centres acting on Our behalf.
- Other private health insurers – We may Collect Information from Your previous private health insurer (for example, Information on Your transfer certificate).
- Basic contact Information from the CBA – as a restricted access private health insurer, We Collect basic contact Information from the CBA or its contractors, subsidiaries or franchisees to inform You about Our products if We consider You may be eligible to join CBHS.
- Basic contact Information from referrers – We may Collect this from Our business associates, business partners or existing members to inform You about Our products or services if We consider You may be eligible to join CBHS, or to inform You about employment or business opportunities with Us.
- Referees of job or business opportunity applicants – We may Collect Information from a recruitment agency or a referee You have used in relation to an application for employment or business opportunity with Us. In any such case, You are deemed to have given Your consent to the recruitment agency or the referee to provide Your Information to Us for the purposes of the employment or business opportunity application.
- Superannuation funds – If You are Our employee, We Collect Your Information from a superannuation fund You have advised Us.
- Publicly available Information – We may Collect Your Information from publicly available sources including Information from public registers, telephone or business directories, social media and the internet.
7 Dealing with us anonymously or using a pseudonym
When You are dealing with Us, and it is lawful and practicable to do so, You can remain anonymous (that is, without providing information that identifies You), or use a pseudonym (that is, use a name, term or descriptor that is different to Your actual name).
Examples of when You can remain anonymous or use a pseudonym are when You:
- Are making general enquiries only about Us or about Our products or services.
- Are participating in a product or service survey or research We are doing.
- Wish to make a report of wrongdoing on the part of any of Our officers or employees, unless Your identity is required to investigate the wrongdoing properly.
- Consider identifying Yourself may pose a serious risk of harm to You or some other Person.
However, there are many circumstances in which it will not be lawful or practicable for Us to deal with You if you do not provide your actual name. Examples are when You wish to:
- Join CBHS or take an Insurance Policy with Us.
- Claim a government rebate or incentive through Us.
- Join any of Our specialised health and wellbeing programs.
- Make a complaint under Our internal complaints handling procedure.
- Access or request correction or update of Your Information or that of another Person on the same Insurance Policy.
- Lodge a claim under Your Insurance Policy.
If You wish to remain anonymous or use a pseudonym, tell Us at the time and We can confirm whether You can do so in the circumstances.
8 Who we disclose information to
The types of persons or organisations We usually disclose Information to are:
- Hospitals or healthcare service providers from whom You have received, or from whom You intend to seek, treatments.
- Providers of specialised health or wellbeing programs (see section 5.3 ( Specialised health and wellbeing programs) above).
- Persons or organisations who provide contracted mail, mailing or messaging services on Our behalf.
- Australian government departments or agencies (such as the Australian Taxation Office, Medicare, the Australian Prudential Regulation Authority, the Australian Securities & Investments Commission, the Private Health Insurance Ombudsman, the Department of Health and the Department of Home Affairs.
- Other private health insurers, that You transfer to or from.
- Organisations providing marketing services on Our behalf.
- Organisation providing call services on Our behalf.
- Online review platform providers We have partnered with to help You provide reviews of services You received from healthcare providers.
- Organisations developing, improving or testing our information technology services or capabilities.
- Third-party advisers (such as Our auditors, actuaries, consultants and legal advisers).
- Social media platforms including Facebook and Google.
- Persons or organisations providing call centre services for Us.
- The Australian Health Service Alliance (AHSA) who assists Us to assess and pay claims and provide reports to the government in relation to treatments and services You received in hospitals and other health care facilities.
You can make a privacy breach complaint to the AHSA or ask them for access to or request them to correct the Information they hold about You.
9 Disclosing information outside Australia
If business needs require Us to disclose Information to an overseas recipient, We will take all reasonable steps to ensure that the overseas recipient will not breach the APPs, the Privacy Act or the GDPR in relation to the Information.
Other circumstances in which We will disclose Information to an overseas recipient are:
- If the disclosure is authorised under an Australian law or by a court order.
- If You request Us to disclose the Information to an overseas recipient.
9.1 Managing requests for information to be disclosed overseas
If you request Us to disclose Your Information to an overseas recipient, We will provide You a clear statement explaining the potential consequences of disclosing the Information to the overseas recipient.
10 Direct marketing
We or organisations acting for Us may contact You from time-to-time about Our products and services. Such contact may be via regular mail, email, phone or SMS.
10.1 Request not to be sent direct marketing
You may, at any time, request Us not to send You direct marketing communications. Also, You can request Us to send such communication to You via a preferred channel of communication including by regular mail, email, phone or SMS. You can use any or the following means to make any such request:
- Logging in to Your Member Centre account (if one is set up for You) and change Your preferences.
- Sending Us an email at email@example.com;.
- Calling Us on 1300 654 123 (Monday to Friday 7am-7pm AEDT).
We include in all direct marketing communications, information on how You can request us not to send You such communication in the future. A request will be updated as soon as reasonably practicable after receiving it.
Note that while You cannot opt out of receiving information or notices We are required by law to send to You, You can tell Us how You would like Us to send such information or notices to You.
11 Information we collect when you use our website
The CBHS website uses “cookies”. A “cookie” is a packet of information that allows the website server to identify and interact more effectively with Your computer.
When You use the website, We send a cookie that gives Your computer a unique identification number. Cookies do not identify You, although they enable Us to identify Your browser type and internet service provider. Your browser may be configured to accept all cookies, reject all cookies or notify the user when a cookie is sent. If You reject all cookies, You may not be able to use the CBHS website or the Member Service Centre.
We use third-party service providers such as Google to undertake demographic analysis of visitors to Our website ('Google Analytics'). We Collect and use information from cookies and Google Analytics to:
- Better understand how visitors use the CBHS website.
- Link with social media networks.
- Communicate relevant advertisements that may be of interest to visitors.
- Measure the time visitors spend on the website.
- Determine the effectiveness of visitors’ navigation options.
- Record information obtained during visits to streamline subsequent visits.
12 How we hold and protect information
We primarily store Information in electronic form in information technology systems on Our premises.
To meet legislative, regulatory and business continuity requirements, We store copies of some documents containing Information in remote, secure locations in Australia.
If We convert paper-based documents to electronic form, We destroy the originals securely. Paper-based documents We hold on temporary basis are held securely at Our premises or by third-party document management and mail processing service providers in Australia.
We maintain physical and operational security over Our paper and electronic data stores. We also maintain computer and network security for Our information technology systems. For example, We use firewalls and other security systems such as user identifiers
and passwords to control access to Our information technology systems.
12.1 Information we no longer need
We destroy or De-identify Information We no longer need.
Under our documents destruction and retention policy, we use the following criteria to determine the period we will keep Information:
- The period We are required by law, a Regulator or court order to keep the Information.
- The period We consider is necessary to keep the Information to resolve a complaint in relation to the Information.
- The period We consider is necessary to keep the Information to defend or take legal action in relation to the Information.
- The period We take to come to a reasonable conclusion that a Person does not wish to continue an application for a product, service, employment or business opportunity with Us.
12.2 Dealing with information we did not ask for or require
If We receive Information We did not ask for and We determine it is not required for any of Our functions or activities, We will attempt to return it to the sender if it is contained in a document. If We cannot return the document to the sender, or the Information is contained in a voice recording, We will destroy the Information or document securely as soon as reasonably practicable.
13 Accessing and requesting correction of your information
13.1 Reasons for seeking access
You can request access to Your Information at any time by using the contact details set out in section 15 ( Contacting us about this Policy) below. Your
reason for seeking access could be simply to know what information We hold about You, to request a copy the Information, to request its correction or to exercise any right You have under the GDPR, including the rights to request correction, destruction
or restriction of Processing of the Information (see section 1.3 ( When rights under the GDPR apply) above).
13.2 Request for access to information
When You request access to Your Information, We will first identify You to ensure You are the right Person to be given access to the Information.
Requests for access are actioned as soon as practicable, and in any case within 30 days of receiving the request.
If We refuse to give access to Information, We will give You a written notice setting out Our reasons, Your right to make a complaint about Our refusal and any matter we are required by law to notify You about.
13.3 Fee for providing access
While requests for access to Information are free of charge, administrative fees may be charged for retrieving some types of Information and providing it in the form You have requested. If the circumstances apply in Your case, We will inform You and request
payment of the fee before giving You access to the Information.
13.4 Requesting correction of information
If You believe Information We hold about You is inaccurate, out-of-date, incomplete, irrelevant or misleading, You can request Us to Correct the Information at any time by using the contact details set out in section 15 ( Contacting us about this Policy).
13.5 Responding to requests to correct information
We will respond to the request as soon as practicable, in any case within 30 days of receiving it.
If We refuse to Correct Your Information as requested, We will give You a written notice setting out Our reasons (unless it is unreasonable to do so), how You can make a complaint about Our decision and any matter we are required by the law to notify
13.6 Associating a statement if we refuse to correct information
If We refuse to Correct Your Information, You can ask Us to associate a statement with the Information that You believe the Information is inaccurate, out-of-date, incomplete, irrelevant or misleading. We will respond to the request as soon as practicable,
in any case within 30 days of Us receiving the request.
13.7 Notifying others about correction of your information
You may ask as to notify another Person We previously disclosed Your Information to that We have corrected it. We will action Your request as soon as reasonably practicable.
If the GDPR applies to your Information, (see section 1.3 (When rights under the GDPR apply) above), We will notify any such Person as soon as practicable unless this proves impossible or involves disproportionate effort.
14 Complaints about your privacy
CBHS has policies and procedures for the handling of members’ complaints including privacy complaints. Information on these is available at: https://www.cbhs.com.au/contact-us
You may make a complaint about a breach of Your privacy under the Privacy Act or under the GDPR (if the latter applies to You, see section 1.3 ( When rights under the GDPR apply) above). You can contact Our Privacy Officer through the contact details set out in section 15.1 ( Privacy Officer’s contact details) below. You should first make Your complaint in writing.
Our Privacy Officer will first determine whether, on the information available at this stage, CBHS has breached Your privacy, and if so, take immediate steps to resolve the complaint within 3 days of receiving it.
The Privacy Officer may request additional information from You if the complaint requires more detailed consideration or investigation. In such a case, the Privacy Officer will endeavour to resolve the complaint as soon as reasonably practicable and, in any case, within 30 days.
If You are not satisfied with Our response to Your complaint, You may take the complaint to either the Private Health Insurance Ombudsman (PHIO) or the Office of the Australian Information Commissioner (OAIC). Their contact
details are set out below.
14.1 PHIO’s contact details:
Telephone: 1300 362 072 (option 4 for private health insurance)
Online complaint form:
The Private Health Insurance Ombudsman
Office of the Commonwealth Ombudsman
GPO Box 442
Canberra ACT 2601
Fax: (02) 6276 0123
14.2 OAIC contact details
The Office of the Australian Information Commissioner
GPO Box 5218
Sydney NSW 2001
14.3 Information regulated by GDPR
If Your complaint is based on Information to which the GDPR applies (see section 1.3 ( When rights under the GDPR apply) above), You may make a complaint directly to the Supervisory Authority in the relevant EU Country or make the complaint to Our Privacy Officer whose contact details are set out in section 15.1 ( Privacy Officer’s contact details) below.
15 Contacting us about this Policy
You may contact Us for any reason related to this Policy including, to:
- Obtain a copy of this Policy or seek further Information about the Policy.
- Request access to Your Information.
- Request correction, destruction or de-identification of Your Information.
- Request Us to associate a statement with Your Information if We refuse to Correct the Information.
- Request Us to inform a Person We previously disclosed Your Information that We have corrected the Information.
- Request Us not to send You direct marketing material in the future or change Your preferred means of being sent such material including, by regular mail, email or SMS.
- Make a complaint about a breach of Your privacy or how this Policy was applied to You.
- Withdraw Your consent to the collection of Your Information generally or in any respect.
- Exercise any right You have under the GDPR: see section 1.3 ( When rights under the GDPR apply) above.
15.1 Privacy Officer’s contact details
CBHS Health Fund Limited
Locked Bag 5014
Parramatta NSW 2124
15.2 Other contact details
Phone: 1300 654 123
Fax: (02) 9843 7676
Email: us at firstname.lastname@example.org
16 Your consent
16.1 Consent required
Whenever practicable, CBHS will obtain Your express consent for Your Information to be collected in accordance with the requirements of this Policy.
16.2 Withdrawal of consent
You may withdraw Your consent to the collection of Your information at any time after giving it in the following circumstances:
- If your information is regulated by the APPs and the Privacy Act, and you wish to remain a member of CBHS, You may only withdraw Your consent for the Information to be used for direct marketing.
- If your Information is regulated by the GDPR, You may withdraw Your consent for Us to continue to Collect the Information in accordance with all the requirements of this Policy or for the Information to be only collected in a respect You specify.
16.3 Consequences if you withdraw consent
In some cases, We may not be able to provide You or continue to provide You Our products or services after You have withdrawn Your consent.
Also, if we are required by law or an internal policy to retain Your Information for a period (see section 12.1 ( Information we no longer need) above), we
will retain the Information for that period after You have withdrawn Your Consent.
16.4 If we refuse your request to withdraw consent
If We refuse to allow You to withdraw Your consent in accordance with section 16.2 ( Withdrawal of consent) above, We will provide You our written reasons for the refusal and include information on Your right to make a complaint about Our refusal and any matter We are required by law to inform You about.
17 Changing and notifying changes to this Policy
We may review this Policy at any time and notify members of the changes by posting an updated version of the Policy on Our website at: https://www.cbhs.com.au/policies/privacy-policy.
You can request a copy of this Policy free of charge by contacting Us: see section 15.1 ( Privacy Officer’s contact details); or section 15.2 ( Other contact details) above. If it is practicable to do so, We will provide a copy of the Policy in the form You have requested it.