1 How we handle your personal information

Cornerstone is required to comply with the Australian Privacy Principles (APPs) under the Privacy Act. The APPs regulate how we may collect, use, disclose and store personal information and how individuals may access and correct personal information which we hold about them.

2 Your personal and health information

Personal information is defined under the Privacy Act as ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable: whether the information or opinion is true or not; and whether the information or opinion is recorded in a material form or not’.

The personal information which Cornerstone collects may include your name, address, phone number, email address, date of birth, gender and emergency contact information or financial information such as credit card details.

It may also include ‘health information’ as defined under the Privacy Act. ‘Health information’ is a type of personal information, including information about your health or disability (at any time), your medical records, your wishes about health services to be provided to you, and genetic information.

Your personal information, including health information, could be held in any form, including paper, electronic and visual information.

3 What happens if we can’t collect your personal information?

If you do not provide us with your personal information, we may not be able to provide, or provide to the same standard, the services requested by you and/or your diagnosis and treatment may be inaccurate or incomplete.

4 What personal information does Cornerstone collect?

If you are a patient, Cornerstone collects personal information from you that is necessary for Cornerstone to manage our relationship with you and for healthcare practitioners to provide you with health care and diagnostic imaging services.

This includes health information and may include collecting information about your health and clinical history, diagnoses, medications, results of tests and procedures, family history, your ethnic background or your lifestyle, to assist with the diagnosis and treatment of your condition.

We may also collect geo-location data when you use the Our Medical app to check in at a medical centre, to confirm that you are at the centre.

If you are a person other than a patient, Cornerstone collects personal information from you to manage our relationship with you, to render services to you or receive services from you, and as is otherwise necessary for Cornerstone to perform its business functions.

5 How do we collect your personal information?

Cornerstone collects and uses your personal information with your consent and will obtain that information from you directly, unless it is unreasonable or impractical to do so.

Your personal information is collected by Cornerstone from you in the following ways:

• by clerical employees of Cornerstone, including receptionists;
• by independent healthcare practitioners located at Our Medical centres, dental clinics and diagnostic imaging sites co-located at Our Medical centres or by healthcare practitioners who use the Our Sage Telehealth platform, and record information on patient medical records that belong to Cornerstone;
• through our websites in the form of online enquiries and requests for appointments;
• through the Our Rewards membership program; or
• through the Our Sage or Our Medical app.

There may be occasions when Cornerstone obtains personal information and health information about you indirectly from a third party. For example, Cornerstone may collect personal information indirectly in the following ways:

• from referring health care practitioners;
• from medical specialists;
• from private health insurers; or
• from the ‘My Health Record’ system.

6 For what purposes do we collect, hold, use and disclose your personal information?

If you are a patient, we collect, hold, use and disclose your personal information and health information for the following purposes:

• to enable the independent healthcare practitioners and other allied healthcare professionals co-located within and external to our facilities to provide medical services, diagnostic imaging services, and treatment to you;
• to enable the independent healthcare practitioners and other allied healthcare professionals co-located within and external to our facilities to provide specialist referrals;
• to enable the independent healthcare practitioners and other allied health professionals co-located within and external to our facilities to report to referring practitioners and any such other medical practitioners as your referring healthcare practitioners may nominate;
• to enable the independent healthcare practitioners and other allied health professionals within our facilities to input information into your ‘My Health Record’ as required;
• to check you into the queue for a consultation with an independent healthcare practitioner and to manage the queue;
• for administrative and billing purposes and processing payments;
• to comply with any legal or regulatory obligations;
• to send appointment reminders (including by notifications in the Our Medical app, SMS or email);
• for inclusion in a recall register to be advised of follow up consultations;
• for the purpose of reporting back to your employer or a prospective employer, their authorised representatives and their insurer in the case of a work-related consultation or service;
• to provide notifications (including by the Our Medical app, mail, telephone call, SMS or email) from time to time, of the health care and clinical services that you or a dependent can access at our medical centres and through Our Sage;
• to process and respond to any complaint made by you;
• for administration, marketing (including direct marketing) by Cornerstone, planning, product or service development, quality control and research by Cornerstone, including by providing personal information to our related bodies corporate and service providers for those purposes; and
• to meet obligations of notification to our medical defence organisations or insurers, or those of an independent health care practitioner who practises or practised from a Cornerstone medical centre or a co-located dental or diagnostic imaging site or who practices using the Our Sage Telehealth platform.

If you are a person other than a patient (such as a service provider or an independent healthcare practitioner), we collect, hold, use and disclose your personal information to manage our relationship with you, including to assess and engage with job applicants.

We will only use your personal and health information for the purposes described above, unless:

• the other purpose is directly related to the purpose for which you have given us the information and you would reasonably expect that we would use or disclose the information for that purpose, including but not limited to the storage of the data by a contractor engaged to provide storage services to Cornerstone, including a cloud storage service provider. Our agreements with such contractors require that they keep your personal information confidential, and that they only use or disclose your personal information for the purposes of providing those goods or services to us;
• you have consented for us to use your information for another purpose;
• Cornerstone is required or authorised by law to disclose your information for another purpose (for example, to prevent a threat to the life, health or safety of any individual); or
• we reasonably believe that the use or disclosure is reasonably necessary for one or more enforcement related activities, including an assessment or investigation of a complaint or notification, conducted by, or on behalf of, an enforcement or professional regulatory body.

A Cornerstone company may disclose your personal information to a related entity, being another Cornerstone company, to facilitate the other Cornerstone company doing anything within the purposes set out above.

Your personal information will not be shared, sold, rented or disclosed other than as described in this Privacy Policy or as permitted under the Privacy Act. We will not sell or disclose your personal information to be used for any third party’s sales, marketing or other purposes.

7 Document and clinical notes security

The privacy of your personal and health information is of the utmost importance to Cornerstone. Cornerstone utilises a secure medical records software system which meets all the relevant legal requirements and standards. The word processing application of the medical records software system uses algorithms that will only import personal and health information that is necessary for the particular application such as referrals and medical certificates.

The medical records software system has the appropriate level of security authentication protocols and all necessary unique user access credentials are in place to ensure security integrity.

8 How can you access your data?

On request, you may have access to your personal information held by Cornerstone. If you are a patient at an Our Medical centre, you will need to complete a request for access form which is available at the reception of the Our Medical centre or dental or diagnostic imaging sites co-located in the medical centre that you attend. If you are a patient receiving medical services through Our Sage Telehealth, you will need to email your request to adminsupport@oursage.com.au. Please note that you may have access to your personal information held by Cornerstone, except in circumstances where access may be denied under the Privacy Act or other law. Examples of these circumstances are:

• where providing access will pose an unreasonable impact on the privacy of another individual; or
• where your request for access is frivolous or vexatious; or
• where the information relates to existing or anticipated legal proceedings between Cornerstone and you, and the information would not be accessible by the process of discovery in those legal proceedings; or
• where providing access would be unlawful, would pose a threat to the life or health of an individual, may prejudice an investigation of possible unlawful activity, may prejudice the enforcement of laws, or denying access is specifically authorised by law.

Cornerstone will endeavour to acknowledge a request for access to personal information and provide the information requested within 30 days.

If access is provided to you as the result of a request, you will be charged a fee for costs incurred in providing access to that information.

If access is denied, Cornerstone will provide you with reasons for its decision.

9 Quality and correction of your health information

Cornerstone takes reasonable steps to ensure the personal information we collect, store and disclose from you is accurate, up-to-date and complete.

If you believe that personal information of a clinical or medical nature that Cornerstone holds about you is inaccurate, out-of-date, incomplete, irrelevant or misleading, you will need to contact either your treating healthcare practitioner at the medical centre that you attend or alternatively, contact the Practice Manager of the centre who will assist you.

If your non-clinical or medical type personal information such as name, address or contact phone numbers are incorrect, out-of-date or incomplete, it is important that you correct that information as soon as possible through the Our Medical app or Our Sage app or when you next attend the medical centre. Alternatively, where reasonable and practical, Cornerstone will correct it and will advise any third parties to whom we may have previously disclosed that information of the correction.

If you request that your information be corrected and we do not agree that it is incorrect, we may refuse to update that information. In such a scenario, we will provide written notice of our refusal to do so within 30 days and, upon your request, will place a statement of what you allege the correct information to be where your personal information is kept and accessed.

10 Do we disclose your personal information to anyone overseas?

Cornerstone may use a service provider such as Stripe to process payments from you. In that case, personal information that we or the payment processer collect from you may be disclosed to recipients located outside of Australia, but only to the extent necessary to process the payment.

Other than that, we do not disclose any of your personal information to recipients located outside of Australia.

11 Direct marketing materials

From time to time we may send you direct marketing communications such as by mail, SMS or email, in accordance with the Spam Act 2003 (Cth). If your preference is to opt-out of receiving marketing communications from us, you may unsubscribe in the manner described in the particular communication you have received. Alternatively, you can opt out of receiving our communications by emailing us at enquiries@cornerstonehealth.com.au or phoning (02) 8311 1000.

12 Security

Cornerstone takes reasonable steps, and implements reasonable safeguards, to protect your personal information from misuse, interference, loss, unauthorised access, modification or disclosure. All patient information is handled securely and in accordance with professional duties of confidentiality. We will destroy or permanently de-identify any of your information once it is no longer required for the purpose for which it was collected provided we are not otherwise required by law to retain that information.

Cornerstone is subject to a range of rules relating to the periods for which it must retain certain health information and records. As the owner of medical records, Cornerstone must generally retain health information about an individual:

• for 7 years from the last occasion in which we facilitated the provision of a health service to the individual – if we collected the information when the individual was at least 18 years old; or
• until the individual turns 25 – if we collected the information when the individual was less than 18 years old.

13 Communication by app notification, SMS or email

If you are a patient, we may need to communicate with you for various reasons, including to confirm check in details at the medical centre and when you’re due to be seen by a health care practitioner, to recall you for a consultation if your health care practitioner determines that you need another consultation, and to provide you with test results, specialist reports, and other documents.

Generally, Cornerstone uses the Our Medical app and Our Sage app to communicate with you and send you documents but in some circumstances, we may need to use another means of communicating, for instance by SMS or email or letter. For example, if the way you configure your settings in the Our Medical app and on your phone prevents us from sending you notifications, we will communicate with you by SMS and email (but note that, for security reasons, we will not send you test results or other documents by email).

If you provide us with contact details, you consent to us using those contact details to communicate with you, even if someone else may be able to have access to those communications (for instance, because you share an email address with someone else). If you are concerned about someone else being able to have access to our communications to you, you should only give us contact details that you alone have access to.

14 Website data

We are committed to protecting the privacy of visitors to our website. Information collected via our website is voluntarily provided by you.

When you visit our website, a small data file called a “cookie” is stored on your computer or mobile device by our server. We use cookies to maintain user sessions and to generate statistics about the number of people that visit our websites. Generally, this information will not identify you and we do not link it back to your identity or other information that you have provided to us.

Cornerstone is not responsible for the content or privacy policies employed by any website linked to ours.

We endeavour to take all reasonable steps to protect your personal data including use of encryption technology. However, the internet is inherently insecure and therefore we cannot guarantee the security of transmission of information you communicate to us online. Accordingly, any information which you transmit to us online is transmitted at your own risk.

15 What is the process for complaining about a breach of privacy?

If you have any complaints or questions about this policy or with regard to our collection, use or management of your personal information, please contact:

Privacy Officer Cornerstone Health Pty Ltd Level 8, 5 Blue Street North Sydney NSW 2060 enquiries@cornerstonehealth.com.au

We will endeavour to respond to your question or complaint within a reasonable period. If you are unhappy with our response, you may refer your complaint to the Office of the Australian Information Commissioner: www.oaic.gov.au.

16 Dealing with us anonymously

You have the right to deal with us anonymously or under a pseudonym unless it is impracticable for us to do so or unless we are required or authorised by law to only deal with identified individuals.

17 Changes to our privacy policy

We will update this privacy policy from time to time. Current versions of our privacy policy will be available on our website and will commence from the date of posting on our website. This privacy policy was last updated on 25 March 2025 and will be reviewed annually.