Privacy Policy

Effective May 2022

  1. About this Privacy Policy

This Privacy Policy applies to eligible individuals who intend to activate a CU Health membership account and use any of the healthcare services available to members through the CU Health Portal.

CU Health Pty Limited ABN 22 635 562 720 and our related bodies corporate (CU Health, we or us) is the Portal administrator and a registered Australian healthcare service provider. The groups of people bound to uphold the responsibilities within this Privacy Policy are:

  • CU Health staff

  • Healthcare professionals

  • Contracted service providers to CU Health

This Privacy Policy provides detailed information about our handling practices for personal information and sets out how CU Health complies with the Privacy Act 1988 (Cth).

This Privacy Policy includes the following information:

  • the kinds of personal information that we collect and hold

  • how we collect and hold your personal information

  • the purpose for which we collect, hold, use, and disclose your personal information including the different types of communications we send.

  • personal information that may be disclosed to overseas recipients

  • how you can contact us if you want to access or correct personal information that we hold about you

  • how you can complain about a breach of the Privacy Act and how we will respond to your complaint.

This Privacy Policy may be updated from time to time by posting an updated version on our website.

  1. What we do

CU Health’s mission is to improve the health and wellbeing of working Australians through better workplace health outcomes.

CU Health is a registered Australian healthcare provider that delivers secure video-based healthcare services through its own Portal. We provide whole-person healthcare including acute and preventative medical care, chronic disease management, pain management and mental health services.

CU Health provides members with access to a multi-disciplinary healthcare team and allows General Practitioners with an existing clinical relationship with a member to continue to care for them by providing access to the Portal functionality to conduct video appointments.

Our diverse set of responsibilities include:

  • assessing an individual’s physical and psychological health including diagnosing illness and disability.

  • providing evidence-based treatments for chronic diseases to improve or maintain an individual’s physical and psychological health.

  • identifying the risk factors for chronic diseases and providing support and advice to help individuals overcome the barriers to changing behaviour and lifestyle factors.

  • providing medications through the delivery of electronic prescriptions when appropriate.

  • co-ordinating care with a broad range of physical and mental health professionals and services when needed, for example antenatal shared care, audiology, physiotherapy, podiatry, psychology, psychiatry, occupational therapy and optometry.

  • helping people stay healthy by coordinating and promoting preventive health and disease prevention activities including timely cancer screenings.

  • treating mild to moderate COVID-19 at home.

Further information about CU Health can be found on CU Health’s website.

  1. Our obligations under the Privacy Act

As an Australian health service care provider, CU Health Pty Limited ABN 22 635 562 720 and our related bodies corporate (CU Health, we or us) is bound by the Privacy Act 1988 (the Privacy Act) and the requirements of the Australian Privacy Principles (APPs) in Schedule 1 of the Privacy Act.   The Privacy Act sets out 13 APPs which regulate how we collect, use, disclose and store your personal health information.

Under APP 1, we are required to have a Privacy Policy about how we manage personal information, as defined in the Privacy Act. The Privacy Act defines ‘personal information’ as ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  • whether the information or opinion is true or not; and

  • whether the information or opinion is recorded in a material form or not.

You may notify us should you no longer want to receive certain communications and provided your request to opt-out is clinically appropriate your preference will be updated.   

Where possible, we will allow you to interact with us anonymously or using a pseudonym. If you want to discuss setting up and using a pseudonym account, and the limitations, use the contact details at the end of this policy to arrange a confidential appointment with the Privacy Officer.

Using a pseudonym means to use a different name or term instead of your actual name. For example, we may not need your personal information when you:

  • seek general information during a video appointment or integrated messaging feature

  • provide feedback to us about our service

  • provide a tip-off about an alleged fraud or misconduct

In other circumstances however it may be impracticable to remain anonymous or use a pseudonym, or we may be legally required to deal with you in an identified form. It may also be necessary to collect some personal information from you to resolve a complaint that you have made.  We will notify you at the time of collection if this is the case.

  1. Methods of collection

We collect reasonably necessary personal and sensitive information about you in the provision of healthcare. Where reasonable to do so we will notify you of the purpose at the time of collection, or as soon as practicable after collection.

We collect your personal information only by lawful and fair means and in most cases, we will collect your personal information directly from you. We take reasonable steps to ensure that personal information we collect about you is accurate, up-to-date, complete, relevant and not misleading.           

In accordance with the Privacy Act, and where it is reasonably necessary to do so, we can collect personal information about you through a range of different channels including:

  • paper-based and electronic forms (including registration forms and surveys).

  • telehealth appointments.

  • face to face appointments.

  • a family member (with your consent or in an emergency where it is unreasonable or impracticable to collect the information only from you).

  • communications within the CU Health portal, by telephone, email or facsimile.

  • other Australian health care providers or organisations.

  • Government websites (including MyHealthRecord).

  • As an authorised healthcare provider under the Healthcare Identifiers Act (HI Act) CU Health can collect your individual healthcare identifiers (IHIs) for the purpose of providing healthcare to you.

  • social media websites and accounts.

  • CU Health’s mobile application.

  • international health care facilities and treating practitioners (with your consent in certain circumstances, such as when you are overseas and in need of treatment from an overseas health care facility or treating practitioner).

  • other bodies where it is reasonably necessary for, or directly related to, the provision of healthcare.

  1. Personal information we collect

In the provision of healthcare, we collect the following types of personal information:

  • name, address and contact details (for example, phone or email).

  • information about your personal circumstances (for example, marital status, age, gender and relevant information about your partner and children).

  • information about your identity (for example, date of birth).

  • information about your employment.

  • information about your regular healthcare professionals.

  • government identifiers (for example, Medicare number and health care identifier).

  • information about your entitlements under the legislation.

  • information that does not include your name and date of birth but is considered. personal information if it includes other information about you.

We will only collect personal information about children when required or authorised by or under law, or otherwise in accordance with the Privacy Act.

  1. Sensitive information we collect

Sensitive information is a subset of personal information. The Privacy Act defines ‘sensitive information’ as information or an opinion about a person’s health, illness, injury or disability. Health information is classified as ‘sensitive information’ under the Privacy Act.

We will only collect health information when you have consented, it is required or authorised by or under law, or permitted under the Privacy Act.

We only collect information that is reasonably necessary for the purposes of providing our services to you, and we will take steps that are reasonably necessary to ensure that the information collected is relevant to these purposes, not excessive, and is accurate, up to date, complete, and will not intrude unreasonably on your personal affairs.

We collect the following types of health information:

  • medical history where relevant to your individual health (including information about your medical history and any disability or injury you may have, or a family member’s medical history)

  • appointment details

  • your wishes about future health services

  • health risk factors

  • notes of your symptoms or diagnosis

  • allergies and adverse reactions

  • immunisations

  • information about a health service you’ve had or will receive

  • specialist reports and test results

  • prescriptions and other medications

  • genetic or biometric information

  • racial or ethnic origin

  • relevant family history

  • relevant social history where clinically relevant including health goals and lifestyle factors

  • sexual orientation or practices

  • any other personal information about you when a health service provider collects it

CU Health collects personal information related to notifiable diseases and adverse events from the use of therapeutic goods regardless of age, for the purposes of managing public health risks.

  1. Unsolicited personal information we may collect

We may, on occasion, receive personal information about you from individuals or other entities, without it being requested by us.  This information is considered ‘unsolicited’.  An example of ‘unsolicited’ personal information is where you write to us to provide feedback on your experience with us and you provide information that is not required to respond to your query or feedback.

We will deal with unsolicited personal information in accordance with the APPs.  We will destroy your personal information unless we consider that we could have lawfully collected it under the APPs.

  1. Information security policies to protect your personal information

CU Health has a layered in-depth security approach to protecting information from misuse, interference and loss from unauthorised access, modification, or disclosure. CU Health’s detailed information security policies are in a separate Security Management Plan that has been guided by the information security policies and guidelines within:

  • Information security in general practice, Royal Australian College General Practitioners (RACGP)

  • Guide to Information Security, the Office of the Australian Information Commissioner (OAIC)

In each case where CU Health authorises contracted service providers to act on its behalf, CU Health takes the following measures to ensure that  the third party complies with the same privacy requirements applicable to CU Health:

  • our contractual agreements with third parties include privacy clauses to handle personal information in accordance with the Privacy Act 1988 (Cth) and in accordance with the APPs and this Privacy Policy, as updated from time to time. These clauses contractually require them to protect personal information to the same standards as CU Health.

  • Individuals are provisioned security controls to limit access to information that is necessary to perform their duties and functions.  Access to personal records by staff and contractors is restricted to  a ‘need to know’ basis. 

  • Individuals sign a confidentially agreement before being granted access

  • Any personal information disclosed to contracted service providers is reviewed and reduced to the minimum amount of personal information to enable the appropriate functionality.

Further information can be found

  1. Why we collect personal information

The purpose for which we collect your personal information is important as it restricts how we can use and disclose your personal information. 

Unless an exception applies in the Privacy Act, we will only use or disclose your personal information where it is reasonably necessary for, or directly related to, the provision of healthcare including for the following purposes:

  • to verify that it is you logging into your account.

  • to provide health services including to assess, maintain, or improve your individual health.

  • to follow up on treatment you are currently receiving for example management of chronic conditions, quitting smoking, ongoing treatment of a thyroid disorder or hormone replacement therapy.

  • to measure improvements in your individual health over time.

  • to inform better clinical decisions made by other treating providers for example to collaborate on chronic disease management plan.

  • to undertake health management activities including duty of care responsibilities.

  • to comply with legislative requirements including the National Notifiable Disease Surveillance System.

  • to remind you of preventive health initiatives such as cancer screenings.

  • to remind you of upcoming appointments.

  • to perform clinical functions and activities such as to send you care plans and educational material.

  • to manage our contracts.

  • to discuss feedback provided to us.

  • to manage any complaints (including privacy complaints).

  • to evaluate the provision and commissioning of our healthcare programs and services.

  • to manage fraud, compliance investigations and audits.

  • to compile population health statistics.

  • to notify you of updates to our Terms of Service or privacy policy and issue notices or security alerts relating to your access to or use of the Portal.

This list is not exhaustive, and we may send you additional communications in accordance with the Privacy Act.

  1. Why we use information we collect

We will only use or disclose your personal information for another purpose where we are able to do so in accordance with the Privacy Act.  We may use the information we collect from you:

  • to facilitate healthcare services and functions such as sending you electronic scripts, referrals and investigation order forms.

  • to inform clinical decision-making.

  • to keep up-to-date medical records and clinical notes.

  • to notify you when test results, correspondence or investigation reports have been received.

  • to send you support and administrative messages, reminders, technical notices, updates, security alerts, and information requested by you;

  • to verify your identity with Services Australia (which operates Medicare) and the Healthcare Identifiers (HI) Service Operator.

  • to handle complaints or resolving incidents.

  • to ensure the system is operating in a safe and secure manner.
    to send you healthcare information that may be of interest to you based on your medical history or demographic profile

  • to send you invoices or statements and to collect payments (only where we have agreed).

  • to conduct research and optimise the user experience on our website, portal and mobile app

  • to administer rewards, surveys, activities, or events managed by us

  • to comply with our legal obligations, resolve any disputes.

  1. Personal information we disclose

We will only disclose your personal information:

CU Health is authorised under the HI Act to disclose ‘identifying information’ to the HI Service to the purpose of assigning you a healthcare identifier. This may include your name, address, date of birth, sex, Medicare number, CU Health or Veteran Affairs number. 

  • Human Services (Medicare) Act 1973 (Cth) and National Health Act 1953 (Cth).

CU Health is authorised to disclose reasonably necessary personal information in administering the Medicare Benefits Schedule, the Pharmaceutical Benefits Scheme, or other health related programs.

  • NSW Public Health Act 2010 (NSW)

CU Health is required to record information about individuals with certain diseases and notify the relevant health authority. CU Health is required to notify the NSW Department of Health and record information about patients with certain medical conditions such as AIDS, malaria, measles, tetanus, and typhoid.  

  • to an overseas recipient only if you require us to issue a letter with personal information about you to the relevant treating facility in an overseas country to allow you to receive the relevant treatment. 

  • to another health service, hospital or medical specialist in Australia involved in your care and treatment.

  • Where authorised or required by or under an Australian law or a court/tribunal order

  • To people or contracted service provider organisations authorised by CU Health including Technology vendors (to enable the features and functionality available on the Portal), Information, Communications and Technology service providers, or Other service providers assisting with corporate functions.

  1. Storage, retention, and destruction of your medical record

We are required to retain medical records and health information and follow the legal requirements and guidelines of individual States.

Personal information held by CU Health is stored on electronic media, including the Electronic Practice Management Software, Enterprise Data Warehouse, business applications and cloud computing solutions. Personal information may also be held on paper files.

CU Health follows the relevant State and Territory Government authorities with respect to storage, retention and destruction of your personal information including your medical record.  Typically, in New South Wales, medical records must be retained for at least 7 years after the last record. We will take reasonable steps to destroy or de-identify your personal information if we no longer need it for the purpose for which it was collected, unless required or authorised by or under law or a court/tribunal order to retain the information. 

  1. Accessing your personal information

You can request access to your personal information by contacting us using the contact details set out at the end of this Privacy Policy. 

We will take reasonable steps to provide you with access and/or make a correction to your personal information within 30 calendar days, unless we consider there is a sound reason under the Privacy Act or other relevant law to withhold the information, or not make the changes. For example, we may refuse access to your personal information where the record includes another individual’s personal information.

If we do not provide you with access to your personal information, or refuse to correct your personal information, where reasonable we will:

  • provide you with a written notice including the reasons for the refusal

  • provide you with information regarding available complaint mechanisms

  • at your request, take reasonable steps to associate a statement with the personal information that you believe to be inaccurate, out of date, incomplete, irrelevant or misleading.         

  1. My Health Record

CU Health is a registered Portal Operator in the My Health Record system and is bound by the My Health Records Act 2012 (Cth).

You have the discretion to connect your My Health Record (My Gov account) to your CU Health account to view the health information in your My Health Record within your personal dashboard. This information is provided as read-only and we are not able to access, view or store your health information.

Further information can be found in the My Health Record Privacy Policy.

  1. Correcting or updating your personal information

It is important to tell us if your circumstances change to ensure that the information we hold, use or disclose about you is accurate, up-to-date and complete. 

You also have a right to request correction of your personal information if it is inaccurate, out of date, incomplete, irrelevant or misleading.

If we correct your personal information, at your request, we will also take reasonable steps to notify other organisations that we have previously disclosed your personal information to, and that are bound by the Privacy Act, of the correction.

You can contact us to update your personal information using the contact details set out at the end of this Privacy Policy.

  1. In the event of a suspected or actual data breach

If CU Health suspects an eligible data breach may have occurred must quickly assess the incident to determine if it is likely to result in serious harm to any individual.

Under the Notifiable Data Breach (NDB) scheme CU Health will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) about an eligible data breach.

An eligible data breach occurs when:

  • there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an organisation or agency holds

  • this is likely to result in serious harm to one or more individuals, and

  • we have not been able to prevent the likely risk of serious harm with remedial action

  1. Making a privacy complaint

If you believe that we have breached the APPs or mishandled your personal information, you should take the following steps:

  1. Contact us: in the first instance, any privacy concern or complaint should be reported directly to CU Health.  This can be done using the contact details set out at the end of this document.

  2. Submit your concern or complaint in writing: in order to be able to fully investigate your complaint, we would prefer that you make your complaint in writing using the contact details set out at the end of this document.  The complaint should include information about the claimed privacy breach and your contact details.  Please note that if you do not provide sufficient information or if you submit an anonymous complaint, we may not be able to fully investigate and respond to your complaint.

  3. Reasonable amount of time: we will acknowledge your concern or complaint upon receipt.  This may involve email or telephone correspondence with you.  We will also provide you with updates as to our investigation into your privacy complaint, if you provide your contact details.  We will try to respond to your privacy concern or complaint as soon as practicable.

We will use the information from your complaint to investigate and seek to resolve the issues you have raised.  This may include speaking to relevant healthcare providers and considering their processes as well as speaking to third parties where relevant. 

We will use the information you provide in your complaint to provide feedback to staff or our business areas.  If you are not satisfied with our response, you can complain directly to the OAIC. 

The OAIC’s details are:

Means of contact

Contact details

Telephone: 1300 363 992


Post: Australian Information Commissioner, GPO Box 5218, Office of the Australian Information CommissionerSydney, NSW, 2001

Please note that the OAIC generally requires that a complaint first be raised with us before the OAIC will investigate.

  1. How to contact us

If you still have more questions or concerns about how we’re processing personal information, or you would like to know more about how to exercise your rights, you can contact our Privacy Officer on:

Phone: 1300 284 325 (1300 CU HEALTH)


Post: Privacy Officer, CU Health, 275 Darling Street, Balmain NSW 2041

If you would like to access this Privacy Policy in an alternate format, please contact us using the contact details set out above.