Privacy and fraud statement

Privacy Policy

Policy Statement

This policy applies to TUH Health Care Services Pty Ltd (TUH HCS) ABN 65 617 894 069, a wholly owned subsidiary of Queensland Teachers’ Union Health Fund Limited (TUH Health Fund). TUH HCS is committed to protecting any personal information entrusted to or obtained by us.

We will achieve our commitment by:

  • Following processes for how we collect, use, store and disclose personal information that comply with this policy; and
  • Complying with the Privacy Act 1988, including the Australian Privacy Principles.

The Privacy Act takes priority if there is any discrepancy between it and this policy.

Policy Details

What is personal information?

Personal information is any information or opinion about you that could reasonably be expected to identify you, regardless of whether the information or opinion is true, or whether it is recorded in a hard or electronic or any other material form.

Sensitive information is a subset of personal information which is subject to greater controls. It includes health information. For the purposes of this policy, any reference to personal information includes sensitive information.

Why do we collect and use personal information?

We collect personal information primarily to enable us to provide health care services and programs.

For example, your personal information could be collected and used to:

  • Evaluate the suitability of our service or programs for your personal circumstances;
  • Verify eligibility for services;
  • Provide products and services that you have requested;
  • Make services provided by contracted third parties available to you;
  • Record details of any testing or treatment you may receive;
  • Respond to your enquiries;
  • Meet internal functions such as administration, learning and development accounting, auditing, and risk management;
  • Conduct research and analysis for product development, service improvement and marketing purposes;
  • Evaluate existing, and/or develop new products, services and processes;
  • Inform you of products or services;
  • Investigate and resolve disputes and/or complaints; and
  • Comply with our legal obligations, which include providing some personal information to government agencies.
Direct marketing

We will only use or disclose your personal information for direct marketing purposes about our own products and services, or those from other providers that you may reasonably expect us to communicate with you about. You may opt out of marketing communications at any time by letting us know.

What personal information do we collect?

The personal information we collect and hold depends on the nature of the relationship we have with you and the extent to which you have used our services. Information will only be collected with your consent (refer to ‘How do I provide consent?’ below) or as permitted by law.

The type of personal information we may collect about you may include:

  • Identification details such as name, gender, marital status and date of birth;
  • Contact details such as home, postal and email address and phone numbers;
  • Legal details such as Power of Attorney or Guardianship Orders;
  • Government details such as Medicare number;
  • Private health insurance details such as current and past levels of cover, changes of cover, cancellations and suspensions of membership;
  • Sensitive information such as health and medical details including health fund claims and services or programs that we have provided, or you have accessed through us;
  • Recordings of calls and records of email correspondence between us; and
  • Browsing history if you use our website or app.

How do I provide consent?

By making an enquiry about our products or services, completing an online health risk assessment; becoming a patient or client; visiting our website or social media pages; contacting us by email or phone or otherwise making use of services offered by us (including where the services are provided by organisations contracted by us), you are regarded as having consented to the following:

  • The collection of personal information by us, including from third parties; and
  • The use and disclosure of personal information;

in accordance with this policy.

Can I withdraw consent?

You are entitled to withdraw consent at any time by contacting our Customer Contact Centre or our Privacy Officer.

Can I deal with TUH HCS anonymously?

You can deal with us anonymously where it is lawful and practicable to do so. For example, for some general enquiries about services there will usually be no need for you to provide your personal details.

If you withdraw your consent to collect, use, store and disclose some or all your personal information that we may need, or wish to deal with us anonymously, we may not be able to provide you with many of the services that we offer.

How do we collect personal information?

Where it is reasonable and practicable to do so we will collect personal information directly from you, such as when you:

  • Contact us by phone, email, online or SMS, in writing or in person;
  • Use our website or an app we have established, including submitting an online form;
  • Arrange and receive a health care service; or
  • Participate in our health management programs.

Depending on how you use our website, we may collect your personal information indirectly through this channel using either first or third-party cookies.

Cookies are small pieces of data sent by your browser when you use many websites, including our website. The cookies are stored on your computer or device. They capture information, such as your viewing preferences, to make your use of the website more efficient.

We collect cookies data to help us understand which pages are viewed the most, when peak usage times occur along with other information that helps us improve the content and make navigation easier for you.

You can choose to disable cookies through your browser settings, however please be aware that doing so may result in a less than optimal user experience.

We may also use Google Analytics and similar tools from other organisations such as YouTube to better understand how our website is used. This makes information stored in server logs available to these companies. The information is aggregated and does not identify individuals.

Third party vendors, including Google, show our ads on sites across the internet. Third party cookies from Google and other organisations analyse website visits and provide ads based on these visits using applications that include:

  • Remarketing with Google Analytics,
  • Google Display Network Impression Reporting,
  • DoubleClick Platform integrations, and
  • Google Analytics Demographics and Interest Reporting.

You can choose to disable Google ad personalisation by following this link.


Our website uses a Facebook Pixel. This allows us to track browsing behaviour on our websites and measure the efficacy of Facebook advertising by reporting on the actions people take after viewing our ads. If you have a Facebook account, you can manage your Facebook Privacy Settings by following this link.

What about linked websites?

On our website, we provide links to third party websites. Since we do not control these sites, we encourage you to review the privacy policies posted on these third-party sites. We are not responsible for any practices on linked websites that might breach your privacy.

Information collected from third parties

We may collect information about you from another person or organisation. For example:

  • Your health insurance fund;
  • Your hospital or a health provider;
  • Persons or organisations necessary to establish eligibility for benefits where services claimed may be paid, at least in part, from another source;
  • A provider contracted by us to provide services on our behalf; or\
  • Another person that you have provided authorisation to deal with us.

How is information shared between TUH Health Care Services and TUH Health Fund?

TUH Health Fund shares personal information of its members, with TUH HCS, including identifiable information and health information obtained through claims information or an online health risk assessment questionnaire. This allows TUH HCS to complete appropriate service and program referrals for eligible members.

Once you engage with TUH HCS, including by accepting a service or program referral, the personal information, including health information that you provide to TUH HCS will be hosted, maintained and utilised only by TUH HCS.

TUH Health Fund will not be provided with personal information that is obtained by TUH HCS other than confirmation of program or service participation and completion for the purposes of paying benefits under your policy, and aggregated metrics for the purposes of program assessment and improvement.

If you attend the Fortitude Valley Health Hub and you are also a TUH fund member then we may share your information (excluding sensitive health information) between these services. For example. a request to update your address details with HCS will be shared with the fund and Health Hub to ensure your personal information is accurate across all of our information management systems.

Who can access personal information?

Any person aged 16 years and over may access their own personal information.

Responding to an access request

We will endeavour to meet all appropriate requests for access; however, access to some information may be denied, including where:

  • We no longer hold the information;
  • Denying access is required or authorised by or under law;
  • Providing access would have an unreasonable impact upon the privacy of other individuals;
  • Providing access would pose a serious threat to the life or health of any individual;
  • The request is frivolous or vexatious; and
  • Access relates to existing or anticipated legal proceedings or a court order.

Our Privacy Officer will advise the reasons why we cannot give members access to the information requested.

Under current privacy laws, we have up to 14 days to respond to a written request and 30 days to grant access.

How can you correct personal information?

We will take reasonable steps to ensure the personal information collected, used or disclosed is accurate, complete and up to date.

If you believe that your personal information is not accurate, please advise us. We will amend your records promptly unless we disagree with the change requested. If that occurs, we will explain the reason and document it on your records.

Is there a cost?

There is no charge for correcting your personal information or requesting access to it. However, you may be charged a processing fee for retrieving and providing the information depending on the complexity of the request. We will advise if a charge may apply when we respond to your request.

When do we disclose personal information?

TUH utilises a range of electronic records retention tools. As with any internet-facing environment, it is not possible for us to guarantee absolute security and there is a possibility that unauthorised access may be gained by cyber criminals. TUH uses physical, electronic, and procedural safeguards to protect your personal information. We regularly review our cyber security position and aim to minimise this risk.

We will only actively disclose information to third parties when:

  • You have authorised, or would reasonably expect us to provide information. For example, when providing contact and health information to a contracted health service provider before or after receiving treatment;
  • Another organisation or person provides a service for, or to, us and has an agreement with us that includes confidentiality provisions. For example, software suppliers, data processing and analysis, publishers, printers, mail houses, health providers, chronic disease management program providers, record management providers, research bureaux;
  • We obtain expert advice such as from medical, legal and other professional advisers;
  • You receive a health care service or become eligible to participate in a health program provided by a third party on our behalf;
  • You agree to participate in a service provided by an independent organisation such as Diabetes Australia;
  • Required or as permitted by law. For example, we provide information to regulatory bodies, government enforcement agencies (including overseas), complaints adjudicators and others; or
  • The safety of our clients or if the safety of others in the community is at risk.

We may also disclose information to other individuals that you have authorised to act on your behalf. To act on such an authority, we will need your written permission or a copy of a Power of Attorney, or similar document.

In the event of unauthorised access to, or disclosure of, your personal information, TUH HCS has procedures in place to immediately take appropriate action consistent with our Privacy Act obligations.

When do we send personal information overseas?

At times we may send your information to organisations outside Australia that we have contracted with (directly or indirectly via an Australian organisation) to provide services on our behalf. We will only do this where we are satisfied that the recipient of the information will handle and protect your information in a manner that is consistent with the Australian Privacy Principles and this Privacy Policy and:

  • We have your consent (refer to ‘How do I provide consent?’ above); or
  • We have a contractual obligation to do so or there is some other identifiable benefit to you; or
  • Where we are required to by law.

We may disclose personal information to organisations or persons in the following countries: Canada, India, Japan, New Zealand, Singapore, United Kingdom and United States.

How do we store your personal information?

We take all reasonable steps to protect your personal information from unauthorised access, misuse or disclosure.

We restrict access to personal information to authorised personnel only. Your information is kept until it is no longer required for any purpose. Information that is no longer required will be securely destroyed or deidentified. In some circumstances, your information may be retained for a longer period, for example to comply with statutory or auditing requirements, or where destroying this information would negatively impact on another of our customers. All information held by us is stored securely at our premises, at secured off-site premises, or in secure electronic environments.

Policies and procedures are also in place to protect personal information from misuse, loss or unauthorised access, modification or disclosure. We will ensure the ongoing adequacy of these policies by reviewing these documents regularly and by conducting regular employee training.

What do we do with unsolicited personal information?

If we come into possession of personal information that we did not request, we will destroy it as soon as practicable, and if lawful and reasonable to do so.

How do we communicate with you?

Where you have provided us with an email address, including by using one of our Apps, we will use that as the main method of communicating with you, unless you have nominated another preferred method. We may also contact you by phone, mail or SMS.

You can choose how we communicate with you by letting our Health Care Services team know.

Who do I contact if I want more information or to make a complaint?

If you have a question on this Privacy Policy or would like further details of how we may collect, use, store and disclose your personal information please contact our Privacy Officer.

You should also contact our Privacy Officer if you have any concerns or a complaint about how we have handled your personal information or have complied with the Australian Privacy Principles. We will acknowledge receipt within three working days and aim to resolve any complaint as soon as possible.

Office of Australian Information Commissioner (OAIC)

Further information about the Privacy Act can be found at the website of the OAIC – You can also contact the OAIC if you are not satisfied with our response or the way we have handled your complaint.

Contact Details

Phone: 1300 360 701

Office of Australian Information Commissioner
GPO Box 5218, Sydney NSW 2001
Phone: 1300 363 992