Privacy Policy

Date of Last Revision: March 2024

Introduction
HPS branded pharmacies (HPS Pharmacies) are independently owned and operated pharmacies that provide pharmacy services to health facilities throughout Australia.

HPS Services Pty Ltd ACN 160 438 559 (HPS Services) provides support services and systems for each HPS Pharmacy. HPS Services is part of the HPS Group of companies including HPS Corrections Pty Ltd (ACN 159 945 936), HPS Hospitals Pty Ltd (ACN 136 875 922), HPS IVF Pty Ltd (ACN 156 303 561), HPS Finance Pty Ltd (ACN 169 377 986), Hospharm Pty Ltd (ACN 136 875 922), and HPS Brands Pty Ltd (ACN 167 204 962) (HPS Group).

Any references to “we”, “us” or “HPS” in this Privacy Policy are references to each HPS Pharmacies, HPS Services, a HPS Group company, or any one of them depending on the circumstances.
We know that privacy is important to you. We are committed to responsible privacy practices and to complying with all relevant privacy laws including:

(a) the Privacy Act 1988 (Cth) (Privacy Act), including the Australian Privacy Principles (Privacy Principles) and Notifiable Data Breaches scheme contained in the Privacy Act; and
(b) where relevant, applicable state and territory health records legislation.

Where applicable, we will handle personal information relying on the related bodies corporate exemption and the employee records exemption in the Privacy Act and any other applicable exemptions in the Privacy Act or other legislation.
This Privacy Policy sets out our policies on the management of personal information including how we collect personal information, the purposes for which we use this information, and to whom this information is disclosed. We may change our Privacy Policy from time to time at our discretion. At any time, the latest version of our Privacy Policy is available from our website at www.hps.com.au/privacy-policy/

All HPS Pharmacies have their own privacy policies that deal with the collection, use and disclosure of your personal information. In providing products and services to you, we may collect, use and disclose your personal information from and to HPS Pharmacies as detailed in this Privacy Policy.

What is personal information?
In this Privacy Policy, ‘personal information’ has the meaning set out in the Privacy Act. Essentially, personal information is information or an opinion about an individual who is reasonably identifiable.

A reference to ‘personal information’ in this Privacy Policy includes ‘health information’, as defined in the Privacy Act and applicable health records legislation. Essentially, health information is information or an opinion relating to the health or a disability of an individual who is reasonably identifiable.

What types of personal information do we collect?
The types of personal information we collect from you depends on the circumstances in which the information is collected.
If you are a patient receiving treatment from a health service provider (for example at a hospital), when a health professional involved in your care prescribes or orders medication for you via their systems, a record will be made in HPS’ electronic dispensing system (HPS Dispensing System). Personal information collected and held in the HPS Dispensing System may include:

(a) your name, date of birth and contact details (address, email address, phone number);
(b) government identifiers where required including your Medicare number, NDSS registration number, pension number, Veteran’s Affairs number and concession card numbers;
(c) details of your private health insurance;
(d) your health information including details of your prescriptions, medications, treatments, dispense history, medical history (for example reason for admission, medical history, allergic reactions, and drug interactions);
(e) details about products and services you purchase, including your transactional and payment information (excluding your credit card details);
(f) details of patient carers or support networks;
(g) details about your treating health professionals (for example general practitioners, consultant specialists, allied health professionals); and
(h) details about clinical pharmacy services provided to you (for example advice provided by HPS pharmacists about medications you are taking).

HPS may also collect information from you if you contact us directly, for example about an invoice or payment.

If your interaction with HPS is not as a patient (for example health professionals, job applicants, commercial contacts) the types of personal information we collect will depend on your dealings with HPS. Generally, it will include your name, contact information, professional details and information required to support our dealings with you.

If you are applying for employment with HPS, we collect personal information from you required to assess your application and suitability for employment.

Where it is practical for us to allow you to do so, you may deal with us anonymously (for example when enquiring generally about our services). However, it is generally not possible for us to provide pharmacy services, dispense medication or answer your queries if we cannot identify you.

When you use our website, we may collect website usage information such as the IP address you are using, the name of your Internet service provider, your browser version, the web site that referred you to us and the next website you go to, the pages you request, the date and time of those requests and the country you are in.

In addition to the types of personal information identified above, HPS may collect personal information as otherwise permitted or required by law.

How do we collect and hold your personal information?
HPS collects personal information in several ways. The most common ways we collect your personal information are:

(a) directly from you when you provide it to us;
(b) from your health service provider or treating health professional, including your doctor or hospital, in order to dispense medication and provide pharmacy services to you;
(c) from your parent or guardian if you are under 18 (if you have capacity to make decisions about your health care, we may also collect personal information directly from you);
(d) via our website or when you deal with us online (including through our social media pages); and
(e) from recruitment agencies, previous employers or referees you have nominated when applying for a job at HPS.

Information that we hold about you will be securely stored electronically, in paper files or other hardcopy formats. We may store some of your information in secure data centres that are located in Australia or in other secure data centres of our contracted service providers (including cloud storage providers) that may be located outside of Australia.

For what purpose do we collect, use and disclose your personal information?
The purposes for which we use and disclose your personal information will depend on the circumstances in which we collect it. Whenever practical we endeavour to inform you why we are collecting your personal information, how we intend to use that information and to whom we intend to disclose it at the time we collect your personal information.

We may use or disclose your personal information:

(a) for the purposes for which we collected it (and certain secondary purposes where permitted by law);
(b) for other purposes to which you have consented; and
(c) as otherwise authorised or required by law.

Unless otherwise required or permitted by law, we will only collect health information about you with your consent and we will only use that information for the primary purpose for which it was collected. In some circumstances, we may collect your health information through third parties (e.g. from health professionals who are treating you). We will only do this if you have consented or where otherwise permitted or required by law.
Some of the specific purposes for which we collect, use and disclose personal information are to:

(a) provide you with pharmacy goods and services, or assist health professionals and service providers to provide you with health-related services;
(b) verify your identity;
(c) maintain and improve our products, services and systems;
(d) conduct risk management, safety and quality assurance activities;
(e) manage legal liabilities and claims;
(f) administer and manage services, including charging, billing and collecting fees;
(g) comply with and manage our commercial contracts and service level agreements;
(h) respond to enquiries (including via our websites, email or other correspondence sent to us) and to address any issues or complaints regarding our products and services;
(i) contact you regarding the above, including via electronic messaging such as SMS and email, by mail, by phone, by fax or in any other lawful manner.

We may also use and disclose your personal information for the purpose of direct marketing to you where:

(a) you have consented to us doing so; or
(b) it is otherwise permitted by law.

Direct marketing involves communicating directly with you for the purpose of promoting goods or services to you and to provide you with special offers. Direct marketing can be delivered by a range of methods including mail, fax, telephone, email or SMS. You can unsubscribe from our direct marketing, or change your contact preferences, by contacting us (see section 14 of this Privacy Policy).

What happens if you don’t provide personal information?
Generally, you have no obligation to provide any personal information requested by us. However, if you choose to withhold requested personal information, we may not be able to provide you with products and services that depend on the collection of that information.

To whom do we disclose personal information?
We may disclose your personal information to third parties in connection with the purposes described in section 5 of this Privacy Policy.
This may include disclosing your personal information to the following types of third parties:

(a) our related companies, including HPS Services and other members of the HPS Group;
(b) health service providers, pharmacy suppliers or treating health professionals (such as your doctor, pharmacist or hospital), in connection with providing health-related goods and services;
(c) other third parties that may provide goods and services to us (including suppliers, marketing agencies, data analysis specialists, data processing organisations, billing and debt recovery providers, website and data hosting providers, and other IT and business administration suppliers);
(d) our accountants, insurers, lawyers, auditors and other professional advisers;
(e) government and regulatory authorities, courts, tribunals and other bodies as required or authorised by law;
(f) any third parties to whom you have directed or permitted us to disclose your personal information (e.g. referees);
(g) carefully selected third parties with whom we have data sharing arrangements;
(h) third parties that require the information for law enforcement or to prevent a serious threat to public safety; and
(i) otherwise as permitted or required by law.

Where we disclose your personal information to third parties we will take reasonable steps to ensure that such third parties only use your personal information as reasonably required for the purpose we disclosed it to them and in a manner consistent with the Privacy Principles and relevant health records legislation (e.g. by (where commercially practical) including suitable privacy and confidentiality clauses in our agreement with a third party service provider to which we disclose your personal information).

If you post information to public parts of our websites or to our social media pages, you acknowledge that such information (including your personal information) may be available to be viewed by the public. You should use discretion in deciding what information you upload to such sites.

Disclosure of information outside the State/Territory of collection
Some of the third parties to whom we disclose personal information may be located outside the state or territory in which the information was collected or outside Australia. The state/territories and countries in which such third parties are located will depend on the circumstances. For example, we may disclose personal information to our related companies overseas and to our overseas service providers.

In the ordinary course of business, we may disclose personal information to third party providers based overseas, or that need to access, store or transfer personal information overseas.

Except in some cases where we may rely on an exception under the Privacy Act or other law, we will take reasonable steps to ensure that such overseas recipients do not breach the Privacy Principles in relation to such information.

In respect of health information covered by health records legislation, unless otherwise required or permitted by law, we will only disclose your health information to a third party outside the
state/territory of collection if we reasonably believe that the recipient of the information is subject to a law, binding scheme or contract which upholds principles for fair handling of the information that are substantially similar to those in the applicable health records legislation.

How do we protect personal information?
We will take reasonable steps to keep any personal information we hold about you secure. Please notify us immediately if you become aware of any breach of security.

Accuracy of the personal information we hold
We try to maintain your personal information as accurately as reasonably possible. We rely on the accuracy of personal information as provided to us both directly (from you) and indirectly.

You may also contact us if the personal information we hold about you is incorrect or to notify us of a change in your personal information. Our contact details are set out in section 14 of this Privacy Policy.

Links, cookies and use of HPS websites and applications
When you visit our website without an account, we may record anonymous information which tells us about visitors to our website but not the identity of those visitors. For example, we may collect information about the date, time and duration of those visits and which pages of our website are being commonly accessed.

Our websites may contain links to other sites. This Privacy Policy applies to our websites and not any linked sites which are not operated or controlled by us. We encourage you to read the privacy policy of each website that collects your personal information.

We use ‘cookies’ and similar technology on our websites and in other technology applications. The use of such technologies is an industry standard and helps us monitor the effectiveness of our advertising and how visitors use our websites/applications. We use such technologies to generate statistics, measure your activity, improve the usefulness of our websites/applications and to enhance the ‘customer’ experience.

If you prefer not to receive cookies you can adjust your Internet browser to refuse cookies or to warn you when cookies are being used. However, our websites may not function properly or optimally if cookies have been turned off.

How can you access and correct personal information we hold about you?
You may seek access to personal information which we hold about you by contacting us as described in section 14 of this Privacy Policy. We will provide access to that information in accordance with the Privacy Act and health records legislation, subject to certain exemptions which may apply. We may require that the person requesting access provide suitable identification and where permitted by law we may charge an administration fee for granting access to your personal information.

If you become aware that any personal information we hold about you is incorrect or if you wish to update your information, please contact us (see section 14 of this Privacy Policy).

Queries, comments and complaints about our handling of personal information
If you have any questions, comments or complaints about our collection, use or disclosure of personal information, or if you believe that we have not complied with this Privacy Policy, the Privacy Act or applicable health records legislation, please contact us (see section 14 of this Privacy Policy).

When contacting us please provide as much detail as possible in relation to your question, comment or complaint.

We will take any privacy complaint seriously and any complaint will be assessed by an appropriate person with the aim of resolving any issue in a timely and efficient manner. We request that you cooperate with us during this process and provide us with any relevant information that we may need.

If you are not satisfied with the outcome of our assessment of your complaint, you may wish to contact the Office of the Australian Information Commissioner (click here for information) or other relevant regulators.

How can you contact us?
Please address all privacy complaints and requests to update or access information to

Attention: Privacy Officer
EBOS Group Ltd Level 7
737 Bourke Street Docklands
VIC 3008
OR
[email protected]

Any requests to access, update or correct your personal information should be made in writing.

This privacy policy was last updated March 2024.