Privacy Policy

GP Superclinic @ Midland Railway Workshops collects patient information in order to provide high quality medical care by all members of the healthcare team.  As an organisation we are guided by the Australian Privacy Principles and are bound by the Commonwealth Privacy Act 1988 and other relevant legislation. 

As a patient of our practice you may at any time request more information about the way we manage information held at GP Superclinic @ Midland Railway Workshops by contacting our Privacy Officer.

Policy Review

This policy is reviewed on an annual basis, or more frequently in response to changes in legal or professional guidelines when applicable.


The purpose of this policy is to advise patients, their family and carers on how we hold, manage and handle their personal information. It also outlines and reinforces to staff, contractors, work experience students and other key stakeholders their obligations and duties regarding privacy and confidentiality of patients’ personal information.


Our Practice is committed to maintaining privacy and confidentiality at all times and requires that any information regarding individual patients, including staff members who may be patients, will not be disclosed in any form (verbally, in writing, or electronic forms, inside or outside our practice) except for strictly authorised use within the patient care context or as required by law.  

For the purposes of this policy, no distinction has been made between the handling of personal information and sensitive information (including health information), therefore all information will be referred to as "personal information" throughout this Policy.

Personal Information

Will generally include:

  • The patient's full name, address, telephone and/or mobile number, Medicare and DVA numbers and pension or concession card number;
  • Next of kin and emergency contact details;
  • Workers compensation / Motor vehicle claim details where applicable;
  • Current drugs or treatments used by the patient;
  • Immunisation history;
  • All results including but not limited to pathology and radiology;
  • Previous/current medical history, including, where clinically relevant, a family medical history; and
  • The name of any health service provider or medical specialist to whom the patient is referred, copies of any letters of referrals and copies of any reports back.

Individual Healthcare Identifiers

- We do not collect them.

ETP service

- We do not use this service

Practice Staff Responsibility

Our Practice Staff take reasonable steps to ensure our patients are informed and understand:

  • Why and when their consent is necessary
  • What information has been, and is being, collected
  • Why the information is being collected
  • How the information will be used or disclosed
  • How the information will be stored
  • Procedures for access to and correction of information 
  • Process for making a complaint about a possible breach of privacy and confidentiality or how we have managed personal or sensitive information 
  • How we protect access to patients' personal and sensitive information through designated levels of access and password protection

Patient Consent

At their first visit, patients are asked to complete a “New Patient Privacy Document” which outlines some of our important principles about how we handle information.  The GP Superclinic @ Midland Railway Workshops is committed to protecting personal information.  This information will not be used in any other way except as defined in this policy.

The Practice Staff must seek additional consent from a patient if information collected by us is required for any other purpose. Any request for further use of information is made in writing to the patient, explaining the request and obtaining the patient's written consent prior to the use or release of the information.

Consent to collect personal and sensitive information may be obtained from a patient's guardian or responsible person where practicable and necessary, for example when a patient is unable to provide the information or is unable to do so.

In the rare case of a medical emergency we may have to COLLECT and/or USE information without a patient's consent in order to provide urgent medical treatment.

We are a service company to the Practitioners who provide services at our Practice.   On behalf of the Health Practitioners at our practice, we may collect personal information regarding patients to SUPPORT our Practitioners in providing medical services, treatment and for administrative and billing purposes.

Collection of Information

We are a service company to the Practitioners who provide services at our Practice.  On behalf of the Health Practitioners at our practice, we may collect personal information regarding patients for the purpose of providing medical services, treatment and for administrative and billing purposes.  

Examples of types of information collected include but are not limited to the following:

  • Name, date of birth, address, telephone number, Medicare card number, Healthcare Identifiers
  • Next of kin and emergency contact details
  • Sensitive information about a patient such as, but not limited to: past medical history, immunisation history, medications, allergies, social history, family history, cultural background, names of health care providers involved in the patient's care, copies of any relevant medical referrals and reports.

Use and Disclosure of Information 

The primary purpose in collecting and holding personal information is to provide comprehensive, coordinated and continuing whole person health care for our patients. This may include disclosing information to other health practitioners to whom we refer the patient.

Other purposes for which we may collect, use and disclose information may include, but are not limited to, the following:

  • To organise an appointment,
  • For billing purposes, 
  • To liaise with Government Offices regarding Medicare entitlements and payments,
  • For quality assurance purposes and 
  • To external service providers so that they can provide health care, financial, administrative or other services in connection with the operation of our business.
  • Financial information for the purpose of payments of which no cardholder information is stored on site

Where we use or disclose our patients’ personal information to third parties engaged by, or for the Practice business purposes, such as accreditation or the provision of information technology, the information will be de-identified as much as possible. We require any third parties with whom we share your information to comply with our Privacy policy.

1) Patients' personal information is held at the Practice in the following forms:

  1. As an electronic record
  2. The Practice holds all personal information securely in an electronic format, in protected information systems and in paper files in a secure environment.  Our IT environment has antivirus software and several firewalls in place and undertakes continuous monitoring by our IT service provider to protect the information we have stored.
  3. As visual – x-rays, CT scans, photos
  4. As paper correspondence
    Some information such as mailed correspondence, faxed correspondence etc. may be held as a paper record which is stored in a secure area prior to being scanned to an electronic record. This paper record is held in a secure area for a maximum duration of 2 months after which it is destroyed by secure shredding.

2) The Practice Procedure for collecting personal and sensitive information is as follows:

Practice Staff collect patients’ personal information via registration when patients present to the Practice for the first time.

The Practice Staff ask our patients to confirm their identity on presenting to the reception desk by asking the patient to provide three key identifiers which include:

  1. Confirming their name;
  2. Confirming their contact details such as street address or telephone number and;
  3. Date of birth.

During the course of providing health related services, medical practitioners and other health care providers who work with us are required to access patient records to collect, use and where required as part of the provision of care, disclose relevant sensitive information within the limits of the consent provided by each patient. The treating practitioner will collect health information from the patient directly in order to diagnose and treat medical conditions. They may also collect information from other health practitioners also involved in your treatment.

3) Mature Minors

Our Practice recognises that children aged UNDER 18 years of age (mature minors) may have the same rights regarding privacy and confidentiality as would an adult patient. Our staff maintains those rights accordingly.

4) Anonymity / Pseudonymity

Patients have the right to remain anonymous or to use a pseudonym to protect their privacy. We take reasonable steps to ensure we comply with the patients’ request. Patients are advised that anonymity may have a significant impact on our ability to provide timely and appropriate communication and health care.

5) Exceptions to disclosure without patient consent are where the information is:

  • Required by law
  • Necessary to lessen or prevent a serious threat to a patient's life, health or safety or public health or safety, or it is impractical to obtain the patient's consent.
  • To assist in locating a missing person
  • To establish, exercise or defend an equitable claim 
  • For the purpose of a confidential dispute resolution process

6) Unsolicited information and direct marketing

The Practice will not use any personal information in relation to direct marketing without express consent of our patients.  The Practice evaluates all unsolicited information it receives to decide if it should be kept, acted on or destroyed.

7) Cross-border disclosure

The Practice does not disclose your information to any overseas recipients, including cloud-based web services.

Confidentiality and Secure Storage

We undertake the following procedures to preserve the privacy and confidentiality of our patients' information.

  • All staff, work experience students and contractors sign and acknowledge a Privacy and Confidentiality Statement on commencement of their time with us. By signing this document, each person agrees to abide by their professional and legal obligations, the Practice Privacy Policy and procedures we have in place to protect the privacy and confidentiality of our patients. 
  • All staff, contractors and work experience students receive training on the obligations and expectations regarding privacy and confidentiality when they start work with us.
  • Electronic records are stored on secure fileservers that are regularly backed up and are password protected at multiple levels.  Computer back up tapes are secured safely off site.
  • Our Information Technology team specialise in Medical Centre hardware and software and are accredited with ISO9001.
  • All hardcopy documents which contain any patient information are shredded by an accredited company.

8) Notifiable Data Breaches Scheme

From 22 February 2018, if a breach of personal information (data) occurs in our practice, we must notify the individuals involved and the Office of the Australian Information Commissioner (OAIC).

This is known as the Notifiable Data Breaches scheme. We must notify the individuals involved and the OAIC if:

  • personal information is: lost; accessed by an unauthorised person or disclosed to an unauthorised person; and
  • this is likely to result in serious harm to someone; and
  • we can’t take steps to prevent the risk of serious harm.


Destroying of information 

Information that is no longer needed is destroyed by an accredited shredding company or by reformatting hard drives by IT Specialists to ensure information has been securely disposed of.  We keep individual patient records for 7 years from the date of last entry for an adult and until the age of 25 for a child in accordance with current legislation.

Health Promotion

At times, GP Superclinic @ Midland Railway Workshops may contact our patients with regard to activities that the Healthcare team feel would be of benefit to their health.  Immunisations, health promotion activities, chronic disease management and health checks that the patient is entitled to via Government initiatives will be brought to our patients' attention via a phone call or letter.  If our patients prefer not to receive this type of information, our receptionists can put this alert in the patient's file and the Practice will not contact the patient for this purpose.  The option to refuse this service is given to each patient on their first visit via the “New Patient Privacy Form”.

Access to Information

The Practice acknowledges patients may request access to their medical records.  Patients are encouraged to make this request in writing and the Practice will respond within a reasonable time.  The patient may incur a cost for the transfer of medical records; the patient will be informed of this at the time of the request. The cost is to cover the time and resources required to retrieve and prepare records for transfer or access. Where access is denied or needs to be limited due to concerns about the patient’s health and wellbeing or that of another person, this will be discussed with the patient.

The Practice will take reasonable steps to correct personal information where it is satisfied to ensure it is accurate and up to date.  This is undertaken by our receptionist who asks each patient on every visit their current phone number and address.  Patients are encouraged to request the Practice corrects or updates their information when attending the Practice.


The Practice takes complaints and concerns about the privacy of patients' personal information seriously. Patients are encouraged to express any privacy concerns in writing.

The Practice will then manage the complaint in line with our complaint resolution procedure outlined below:

Complaint Resolution Procedure

  1. The patient submits a privacy complaint in writing to the Privacy Officer
  2. The Privacy Officer will document the complaint in a complaint privacy register including a brief description
  3. The Privacy Officer will then write to the patient and inform them that we have received the complaint and outline that we will take up to 30 days to investigate and respond in writing.
  4. Investigation
    The Privacy Officer will conduct an investigation and confirm:
    • Whether the actions complied with the Privacy Policy
    • The breach or issue
    • Key stakeholders involved
    • Timeline of events
  5. Resolution
    • If the Privacy Officer determines a violation has occurred, the operations manager will be 
    • All documentation will be provided to the operations manager maintained for …. years
    • If the investigation reveals there is an issue with a process, the process will be reviewed and 
  6. Notification
    1. The privacy officer will notify the patient submitting the complaint in writing of the results of the investigation.
  7. If the patient receives notification from the Privacy Officer and is not content with the resolution, the patient is to be advised that they do have the option to take the matter to the Office of the Australian Information Commissioner to review (please see details below).


For requests for access, to correct personal information, enquiries about this policy or to make a complaint, please direct your correspondence to:

The Privacy Officer
GP Superclinic @ Midland Railway Workshops
6 Centennial Place
Midland WA 6056

Postal Address:
P.O. Box 3516
Midland WA 6056

Ph: 08 9374 7000

For further information about privacy issues in general practice and patient rights, we encourage our patients to contact:

Office of the Australian Information Commissioner:

Telephone: 1300 363 992
Post: PO Box 5218 Sydney NSW 2001
