Privacy Policy


Sunshine Coast Gastroenterology Pty Ltd (ACN 651 805 739, ABN 30 651 805 739), trading as Sunshine Coast Gastroenterology.

This Privacy Policy explains how Sunshine Coast Gastroenterology (we, us, our or the Practice) handles personal information.

It covers:

  • personal information collected through the website at scgastro.com.au;

  • personal information (including health information) collected in the course of providing clinical care to patients; and

  • the Collection Notice we are required to give under Australian Privacy Principle 5.

This Policy is designed to comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), the Notifiable Data Breaches scheme in Part IIIC of the Privacy Act, the My Health Records Act 2012 (Cth), the Healthcare Identifiers Act 2010 (Cth), the OAIC Guide to Health Privacy (May 2025), the Medical Board of Australia's Good medical practice code, and Queensland health-records legislation.

We are bound by the Privacy Act regardless of our turnover. The small-business exemption does not apply to us because we provide a health service.

1. About this Policy

1.1 Who we are

Sunshine Coast Gastroenterology is a specialist gastroenterology and hepatology practice with rooms at Suite 1, Sunshine Coast University Private Hospital, 3 Doherty Street, Birtinya QLD 4575. We operate in Queensland only.

1.2 Two contexts

This Policy covers two distinct contexts:

  • Website context — when you visit scgastro.com.au, complete an online form, send us an email, attend a continuing-education event we host, apply for a position with us, or interact with us as a supplier, contractor or media enquirer.

  • Clinical context — when you are a patient of the Practice, when you are an authorised representative of a patient, or when information about you is provided to us by a treating practitioner.

Some sections of this Policy apply to both contexts; some apply only to one. Where the distinction matters, we say so.

1.3 Updates

We may update this Policy from time to time. The current version is published on our website and a copy is available at reception. We review this Policy at least annually. Material changes will be drawn to your attention.

2. Definitions

In this Policy:

  • APP means an Australian Privacy Principle.

  • Health information has the meaning given in section 6FA of the Privacy Act. It includes information about a person's physical or mental health, disability, the health services they have received, donations of body parts, genetic information, and personal information collected in the course of providing a health service.

  • Personal information has the meaning given in section 6 of the Privacy Act. It is information or an opinion about an identified or reasonably identifiable individual.

  • Sensitive information has the meaning given in section 6 of the Privacy Act, and includes health information.

  • Privacy Act means the Privacy Act 1988 (Cth).

  • You and your refer to the patient (or, where the patient is a child or lacks capacity, the patient's parent, guardian or substitute decision-maker), or to the website visitor or other person whose information we hold, as the context requires.

3. The kinds of information we collect

3.1 Through the website (website context)

When you visit the website we may collect:

(a) Information you provide voluntarily — your name, email address, phone number, postal address, the content of any message you send, and any other information you choose to give us when you complete a contact form, sign up for a Gut Club event, submit feedback, or send us an email.

(b) Technical information collected automatically — your internet protocol (IP) address, the type of device and browser you use, the operating system, the pages of the website you view, the time and date of your visit, the website that referred you, and other standard web log information.

(c) Cookies and similar technologies — see section 10.

3.2 In other non-clinical interactions (website context)

(a) Referrer information — name, AHPRA registration number, practice name and contact details of medical practitioners who refer patients to us or correspond with us.

(b) Event information — name, professional role, AHPRA number, dietary requirements and CPD details for medical practitioners and other health professionals who attend Sunshine Coast Gut Club educational events.

(c) Employment information — if you apply for a position with the Practice, we may collect your CV, qualifications, references, working-rights documentation and AHPRA registration details (where applicable). Information about unsuccessful candidates is retained for [INSERT — typically 12 months] unless you ask us to delete it sooner.

(d) Supplier and contractor information — name, business contact details and ABN of suppliers, contractors and service providers.

3.3 In the course of providing clinical care (clinical context)

We collect personal information necessary to provide you with safe, accurate and effective gastroenterology and hepatology care.

Identification and contact information: Full name (and any other or previous names used); date of birth; sex and gender; residential and postal address; phone and email; Aboriginal or Torres Strait Islander status (to support culturally safe care — you may decline); preferred language and interpreter needs; next-of-kin and emergency contact details; substitute decision-maker, enduring power of attorney or advance care directive (where relevant); photograph (with consent, used for in-system identification); and government identifiers permitted by law, including Medicare, DVA, Healthcare Identifier (HI), pension and concession-card details.

Financial and insurance information: Private health-insurance details; workers' compensation, motor accident or third-party insurance details where relevant; billing details. Card details are processed and tokenised by our payment provider — we do not store full card numbers on our systems.

Health information: The reason for your referral; symptoms, history, examination findings, working and final diagnoses; past medical and surgical history; family history relevant to your care; current and past medications, including over-the-counter and complementary medicines; allergies and adverse reactions; lifestyle and risk-factor information where clinically necessary; test results (pathology, imaging, endoscopy, intestinal ultrasound, breath testing, motility studies); procedure reports, photographs and video documentation captured during endoscopic procedures; anaesthesia records; consent forms; correspondence with you, your referring practitioner, other treating practitioners, hospitals, anaesthetists and pathology providers; clinical notes; and any other information necessary to provide your care.

3.4 What we do not collect through the website

The website is not a clinical communication channel. Referrals should be sent by Medical Objects, HealthLink, secure email, fax or post.

4. How we collect your information

4.1 Directly from you

Most personal information is collected directly from you — when you complete a form, send an email, call us, attend our rooms, or attend an event.

4.2 From others involved in your care

In the clinical context, we collect information from:

  • Your referring general practitioner or specialist;

  • Other practitioners involved in your care (anaesthetists, pathologists, radiologists, dietitians, surgeons);

  • The hospital or day-surgery facility at which we provide a procedure;

  • Your authorised representative; and

  • Where you have consented and the connection is appropriate, your My Health Record.

4.3 From regulatory and benefit systems

  • Medicare, the Department of Veterans' Affairs, and your private health insurer (for billing and rebate processing);

  • The Healthcare Identifier Service (to confirm your HI);

  • The Australian Immunisation Register (where relevant); and

  • The National Bowel Cancer Screening Program register (where you have engaged with the program).

4.4 Notice at the time of collection (APP 5)

When we collect personal information from you directly, we will (where required by APP 5) make you aware of the matters listed in section 5 — what we collect, why, who we share it with, and how to contact us. Section 5 is itself written to satisfy our APP 5 obligations.

5. Why we collect, use and disclose personal information

5.1 Website-related purposes

For website-context interactions, we collect, use and disclose personal information to:

(a) respond to your enquiries, feedback, complaints or requests;

(b) communicate with referring practitioners about referrals, our services and continuing-education events;

(c) operate, maintain, secure, improve and analyse the website and our digital services;

(d) organise, host and follow up on Sunshine Coast Gut Club educational events;

(e) manage internal administrative, employment, supplier and contractor relationships;

(f) comply with our legal, regulatory and professional obligations; and

(g) investigate, defend or enforce our legal rights.

5.2 Clinical purposes

For clinical-context interactions, the primary purpose of collection is to provide you with clinical care.

We also use and disclose your information for secondary purposes related to that primary purpose, where you would reasonably expect us to do so, or where you have consented. These include:

(a) liaison with your referring practitioner and other practitioners involved in your care;

(b) billing, claiming and reconciliation with Medicare, DVA and your private health fund;

(c) processing payments and recovering unpaid fees (which may, as a last resort, involve disclosure to a debt-collection agency);

(d) responding to your enquiries and managing your appointments (including SMS reminders);

(e) compliance with our professional, ethical, accreditation and legal obligations, including mandatory disease notification under the Public Health Act 2005 (Qld);

(f) responding to subpoenas, court orders, search warrants, statutory production notices and lawful requests from regulators, including AHPRA, the Medical Board of Australia and the Office of the Health Ombudsman (Queensland);

(g) establishing, exercising or defending legal claims;

(h) clinical and quality auditing (typically using de-identified data);

(i) credentialling, supervision and training of doctors, registrars and fellows;

(j) clinical research with ethics-committee approval (see section 11);

(k) liaison with our medical-defence organisation; and

(l) the management, transition or sale of the Practice (see section 14).

5.3 Sensitive information — express or implied consent

Health information and other sensitive information will only be collected, used or disclosed where:

(a) you have consented (which may be express or, in routine clinical contexts, reasonably implied from the circumstances of seeking care); or

(b) the collection, use or disclosure is permitted or required by law (for example, mandatory disease notification, court orders, serious threat to life or health, mandatory child-protection reporting).

5.4 Information about other people

You may give us information about other people — for example, your next-of-kin, your emergency contact, or family-history information about a relative. By giving us that information, you confirm that the other person is aware that their information has been provided to us, or that it is impracticable to obtain their consent and the disclosure is reasonably necessary for your care.

5.5 What if you don't give us the information?

If you do not give us the information we need, we may not be able to provide you with safe care. We cannot bill Medicare without your Medicare number. We cannot make a sound clinical assessment without your relevant medical history.

6. To whom we disclose your information

We disclose your information only to those who need it for the purposes set out in section 5.

6.1 In the clinical context

(a) Our doctors and clinical staff — including our partner anaesthetists and pathologists.

(b) Your referring practitioner and other treating practitioners — by Medical Objects, HealthLink, secure email, fax or post.

(c) Hospitals and day-surgery facilities at which a procedure is performed:

  • Sunshine Coast University Private Hospital (Birtinya), operated by Ramsay Health Care;

  • Caloundra Day Private Hospital, operated by Ramsay Health Care; and

  • Buderim Private Hospital, operated by UnitingCare Queensland.

(d) Pathology providers to whom we send specimens (independent practices with their own Privacy Policies; you may ask reception which provider is used for your care).

(e) Imaging providers for radiology referrals.

(f) Dietitians and other allied-health practitioners to whom we refer you.

(g) Pharmacies, where relevant to your medication management.

(h) Medicare, the Department of Veterans' Affairs and your private health insurer for billing, claiming, eligibility and rebate processing.

(i) Workers' compensation and motor-accident insurers, where your care is funded by them.

(j) The National Bowel Cancer Screening Program register, where you have engaged with the program.

(k) Your My Health Record, where you have one and have not opted out of provider uploads.

(l) Software providers that host or process information on our behalf in Australia — see section 8.

(m) Public-health authorities for mandatory disease notification under the Public Health Act 2005 (Qld).

(n) AHPRA, the Medical Board of Australia and the Office of the Health Ombudsman (Queensland), where required by law.

(o) Our medical-defence organisation, lawyers and insurers, where required to manage actual or potential complaints or claims.

(p) Researchers, only with your consent or under an ethics approval that satisfies sections 95 or 95A of the Privacy Act.

(q) Debt-collection agencies and lawyers, as a last resort to recover unpaid fees.

(r) Police, courts and other authorities, where we are required by law or where there is a serious threat to life, health or safety.

6.2 In the website context

(a) Our doctors, employees, contractors and consultants, on a need-to-know basis;

(b) Third-party service providers that help us operate the website and our administrative systems (see section 8);

(c) Our professional advisors (legal, accounting, insurance, IT and medico-legal advisors);

(d) Our medical-defence organisation;

(e) AHPRA, the Medical Board of Australia, the Office of the Health Ombudsman (Queensland), the OAIC, or any other regulator with jurisdiction over us, where we are required to do so; and

(f) Law-enforcement agencies, courts, tribunals or other public authorities where we are required or permitted by law to do so.

6.3 We do not sell your information

We do not sell, rent or trade your personal information. We do not disclose your personal information to third parties for direct marketing of unrelated products or services.

6.4 Marketing

With your consent, we may send you appointment reminders, recall notices for surveillance and procedure follow-up, and information about your care.

We may, from time to time, contact referring practitioners and Gut Club registrants about our services, our educational events, or changes to the Practice. We will only do so consistent with section 5 and APP 7. You may opt out of direct-marketing communications at any time.

7. Where your information is held and processed

7.1 Clinical information

We do not transfer health information about patients overseas. Clinical records are held in Australia by our Australian-hosted clinical-management system (Xestro) and clinical-documentation tooling (Heidi Health).

7.2 Website hosting and analytics

The website is hosted on Squarespace, which is operated by Squarespace, Inc. (a US company) and may store website data (which is not health information) on infrastructure located in the United States. By using the website, you acknowledge that information automatically collected through the website (IP address, browser type, standard web-log data) may be processed in the United States.

7.4 Reasonable steps

Where we disclose personal information to an overseas recipient, we take reasonable steps to ensure the recipient handles the information consistently with the APPs, except where APP 8.2 applies (for example, where the disclosure is to a country with a substantially similar privacy regime, or where you have consented on the basis that APP 8.1 will not apply).

8. Our key information systems

Xestro Clinic management - Australia - Patient identification, appointments, billing, clinical records

Heidi Health - Clinical documentation tooling (see section 9)

Medical Objects/HealthLink - Secure clinical messaging

Squarespace - Website hosting

Google - Email and workspace (BAA in place)

Each provider is bound by contract to handle your information in accordance with the Privacy Act and our instructions.

9. AI-assisted clinical documentation

9.1 What we use

Our doctors may use Heidi Health, an Australian-based clinical-documentation tool, to assist with note-taking. Heidi Health is also used by Queensland Health and other Australian health services.

9.2 How it works

The tool listens to the consultation (with your knowledge), transcribes it in real time, and produces a draft clinical note that the doctor reviews, edits and finalises before it becomes part of your record.

9.3 What this means for you

  • You will be told before the tool is used. Your doctor will tell you the tool is being used and ask whether you object.

  • Audio is not retained. Heidi Health processes the consultation audio in real time and does not retain the recording. Only the doctor-reviewed, finalised note is retained as part of your record.

  • Data stays in Australia. Heidi Health processes the audio and transcript in Australia.

  • Doctor responsibility. The clinical note is the doctor's professional document. The doctor reviews and is responsible for the accuracy of every note, regardless of how the draft was produced.

  • Opt out at any time — there is no impact on your care if you opt out.

9.4 Other AI tools

We do not currently use any other artificial-intelligence tooling that processes your personal information. If we adopt other AI tooling, we will update this Policy and notify patients before use.

10. Cookies

10.1 What cookies are

Cookies are small data files placed on your device by a website. We use cookies to recognise you when you return, remember your preferences, understand how the website is used, and improve it.

10.2 Categories we use

(a) Strictly necessary cookies — required for the website to function. These cannot be turned off.

(b) Analytics cookies — placed by Squarespace and, if enabled, Google Analytics, to help us understand how visitors use the website.

(c) Functional cookies — used to remember your preferences and choices.

We do not use targeted advertising or remarketing cookies.

10.3 Your choices

You can configure your browser to refuse some or all cookies, or to alert you when a cookie is being set. If you refuse cookies, some parts of the website may not function as intended.

11. Research, teaching and quality activities

11.1 Quality and safety

We continuously monitor our clinical quality. This usually involves de-identified data and does not require your consent. Where a quality activity uses identifiable information, we will only do so on a basis permitted by the Privacy Act.

11.2 Teaching

Our doctors are involved in teaching registrars, fellows and medical students. Where another health professional or trainee will be present at your consultation, you will be told and asked for your consent.

11.3 Research

If you are invited to participate in a research project, we will give you a Participant Information and Consent Form approved by a Human Research Ethics Committee (HREC). Your decision to participate or decline will not affect your care.

We may also use your health information for research without specific consent only where the use complies with the Guidelines under section 95 or 95A of the Privacy Act, as approved by the National Health and Medical Research Council and the Privacy Commissioner.

12. Communication channels

12.1 In-person and telephone

Most clinical communication occurs in person or by telephone.

12.2 SMS

We may use SMS for appointment reminders and short non-clinical communications. SMS is not encrypted and should not be used to send identifiable clinical detail. We will not include sensitive clinical content in SMS.

12.3 Email

We will email general correspondence (an account, an appointment confirmation, a letter you have asked to receive electronically, or information you send to us) where you have consented to email communication.

12.4 Secure messaging (Medical Objects, HealthLink)

For practitioner-to-practitioner clinical correspondence, we use Medical Objects and other secure-messaging providers that meet the standards of the Australian Digital Health Agency.

13. Anonymity and pseudonymity (APP 2)

You have the right to deal with us anonymously or under a pseudonym, except where:

(a) it is impracticable for us to do so; or

(b) we are required or authorised by law to deal with you only when you are identified.

In the clinical context, anonymity is generally not practicable: Medicare, hospitals, anaesthetists, pathology providers and your insurer require accurate identification for billing, safety and continuity of care. We will discuss practicable options with you.

In the website context, you may browse the website anonymously and you may contact reception with a general enquiry without giving your name.

14. Sale, merger or transition of the Practice

If the Practice is sold or merges with another practice, we may transfer your records to the successor practice. We will notify you, and you will have the option to direct us to transfer your records to a different practice or to provide them to you, in accordance with applicable professional guidance and the Privacy Act.

If the Practice closes, we will retain your records for the period required by law and notify you about how to access them.

15. Security

15.1 Reasonable steps

We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification or disclosure. These steps include:

(a) physical security at our rooms and at our doctors' rooms in our partner hospitals;

(b) encryption of clinical information at rest and in transit within our clinical-management systems;

(c) password and multi-factor authentication on staff accounts;

(d) role-based access controls — staff have access only to the information they need for their role;

(e) audit logging within our clinical-management system;

(f) regular software updates and security patching;

(g) staff training on privacy and information-security obligations as part of induction and at least annually thereafter;

(h) confidentiality obligations in employment contracts and contractor agreements;

(i) secure disposal of paper records once they are no longer required and where no legal retention obligation applies;

(j) a documented Data Breach Response Plan (see section 16); and

(k) periodic review of our service providers' security practices.

15.2 No system is perfect

While we take reasonable steps, no system is perfectly secure. We cannot guarantee the security of all information all of the time.

16. Data breaches

16.1 Our response

If we become aware or suspect that personal information has been or may have been subject to unauthorised access, loss or disclosure, we will:

(a) contain the breach;

(b) assess whether the breach is likely to result in serious harm;

(c) take steps to remediate the breach where practicable; and

(d) where the breach is an "eligible data breach" under the Notifiable Data Breaches scheme in Part IIIC of the Privacy Act, notify each affected individual and the Office of the Australian Information Commissioner as required by law.

16.2 Notification to you

If we are required to notify you of a breach, we will do so as soon as practicable, by the contact details you have given us. We will tell you what information was affected, what we are doing about it, and what steps you can take to protect yourself.

17. Your rights — access, correction, complaints (APPs 12 and 13)

17.1 Access to your information

You have a right to access the personal information we hold about you. To request access, contact our Privacy Officer (section 18) in writing.

We will respond within a reasonable period (and in any event within 30 days). We may charge a reasonable cost-recovery fee for providing access — we will tell you in advance.

We may decline access, in whole or in part, on grounds permitted by APP 12 — for example, if access would have an unreasonable impact on the privacy of another person, would prejudice a legal proceeding or investigation, or would pose a serious threat to your life, health or safety. If we decline, we will tell you why and how to complain.

For minors, access requests by a parent or guardian are managed in accordance with the doctor's professional judgement, the relevant Medical Board guidelines, and the law.

17.2 Transfer to another practitioner

You may request that a copy or summary of your records be sent to another practitioner. We will do so, generally within 30 days. A reasonable cost-recovery fee may apply.

17.3 Correction

If you believe information we hold about you is inaccurate, out of date, incomplete, irrelevant or misleading, contact us. We will take reasonable steps to correct it, generally within 30 days.

If we and your treating doctor disagree with your proposed correction (for example, because the original record is the doctor's contemporaneous clinical opinion), we will record your statement of correction alongside the original record so that any future reader sees both.

17.4 Complaints

If you have a complaint about how we have handled your personal information:

  1. First, contact our Privacy Officer (section 18). We will acknowledge your complaint within 7 days and respond substantively within 30 days.

  2. If not resolved, complain to the Office of the Australian Information Commissioner:

For complaints about clinical care (rather than handling of personal information), contact reception or:

  • The Office of the Health Ombudsman (Queensland): 133 646 / oho.qld.gov.au; or

  • AHPRA for concerns about a registered practitioner's conduct: 1300 419 495 / ahpra.gov.au.

We do not take adverse action against patients who complain.

18. The Privacy Officer

The Privacy Officer
Sunshine Coast Gastroenterology Pty Ltd
Suite 1, Sunshine Coast University Private Hospital
3 Doherty Street, Birtinya QLD 4575

Email: admin@scgastro.com.au
Phone: 07 5228 0221
Fax: 07 5228 0218

19. Retention

19.1 Clinical records

(a) Adult patient records — retained for at least 7 years from the date of last contact;

(b) Patient records of a person who was under 18 at the time of contact — until the person turns 25 years of age;

(c) My Health Record uploads — in accordance with the My Health Records Act 2012 (Cth);

(d) Records relating to a clinical complaint, claim or proceeding — until the matter is finalised and any further claim period has expired; and

(e) Records relating to research participants — in accordance with the relevant ethics-committee approval and applicable research-records guidelines.

19.2 Other records

(a) Website enquiry and contact-form data: retained for [INSERT — typically 24 months], then securely deleted.

(b) Referrer correspondence: retained as required by professional and clinical-record obligations.

(c) Event registration and CPD attendance data: retained for 7 years from the event.

(d) Employment applications: retained for [INSERT — typically 12 months] from the date of application unless you ask us to delete sooner.

(e) Web logs and analytics data: retained in accordance with the retention settings of our analytics provider (typically 14 to 26 months).

19.3 Longer retention

We may retain personal information longer where we are required or authorised by law, or where reasonably necessary to investigate, defend or prosecute legal claims.

19.4 Secure destruction

When we no longer need to retain your information, we securely destroy or de-identify it.

20. Collection Notice (APP 5)

This Policy itself satisfies the requirements of Australian Privacy Principle 5. In summary:

  • Who we are. Sunshine Coast Gastroenterology Pty Ltd, with contact details in section 18.

  • What we collect. See sections 3.1 to 3.3.

  • Why we collect it. See section 5.

  • To whom we disclose it. See section 6.

  • Where it is held. Mostly in Australia. See sections 7 and 8.

  • Whether we send it overseas. No for health information; the website is hosted in the US (section 7.2).

  • What happens if you don't give it to us. See section 5.5.

  • Your rights of access, correction and complaint. See section 17.

A short version of this Collection Notice is provided to all new patients at the time of registration and is available at reception in hard copy.

Approved on 16 May 2026, Vikas Gupta, Director, for and on behalf of Sunshine Coast Gastroenterology Pty Ltd.

Read this Policy together with our Website Terms and Conditions of Use and our Website Disclaimer.