Privacy policy
This Policy sets out the types of personal information collected, used and disclosed by Cura Day Hospitals Group Pty Ltd (ACN 125245409) (“Cura”, “we”, “us”, “our”) and all its subsidiaries.
Cura takes your privacy seriously and is committed to open and transparent management of personal information. In dealing with personal information, Cura complies with the Privacy Act 1988 (Cth) and relevant State and Territory privacy legislation.
Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not.
Sensitive information means:
(a) information or an opinion about an individual’s:
(i) racial or ethnic origin;
(ii) political opinions;
(iii) membership of a political association;
(iv) religious beliefs or affiliations;
(v) philosophical beliefs;
(vi) membership of a professional or trade association;
(vii) membership of a trade union;
(viii) sexual orientation or practices;
(ix) criminal record;
that is also personal information;
(b) health information about an individual;
(c) genetic information about an individual that is not otherwise health information;
(d) biometric information that is to be used for the purpose of automated biometric verification or biometric identification;
(e) biometric templates.
Health information means personal information which is also about the health of an individual, an individual’s expressed wishes about the future provision of health services or a health service provided or to be provide to the individual, as well as other personal information collected to provide, or in in providing a health service, other personal information collected in connection with the donation of body parts or organs or genetic information that could be predictive of the health of the individual or a genetic relative of the individual.
AI system means a machine-based system that, for explicit or implicit objectives, infers, from the input it receives, how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.
The types of personal information that Cura may collect about you will depend on the dealings you have with us and can include (but are not limited to) the following:
(a) Patients of Cura facilities: In order to provide healthcare services to our patients we collect the following information about our patients:
(i) contact details for patients and identified emergency contacts, including address, postcode, telephone and fax numbers, email addresses;
(ii) demographic information about patients, including age, date of birth, and gender, origin of birth and Aboriginal and Torres Strait Islander status;
(iii) health information about patients, including medical history, medications, diagnostic imaging and reports, pathology results, diagnoses (including mental health or disability), prosthesis details, observations, reported symptoms and may include clinical photographs;
(iv) details about a patient’s social circumstances, which may include advanced health directions, powers of attorney, details in relation to custody of paediatric patients;
(v) billing information for patients, including health insurance membership numbers, Medicare and DVA numbers.
We also collect this personal information for the management of our healthcare services, including:
(vi) billing/debt-recovery, service-monitoring, funding, complaint-handling, incident reporting, developing and planning services, evaluation, quality assurance or audit activities, and accreditation activities;
(vii) asking you to complete a patient survey or questionnaire for the purposes of service improvement;
(viii) to improve the use and operation of technology systems;
(ix) education and training of our staff, where de-identified information is not sufficient for this purpose;
(x) disclosure to a medical expert for medico-legal opinion, an insurer, an employed practitioner’s medical defence organisation, or lawyer, for the purpose of addressing liability/indemnity matters, for example following an adverse incident, or for anticipated or existing legal proceedings; and
(xi) We may use your personal information in technology systems, including AI systems to:
(i) prepare draft correspondence and draft notes;
(ii) review and improve the quality of our services;
(iii) review and analyse patient, customer and personnel /workers survey responses;
(iv) support and enable healthcare delivery and diagnostics, which may include through the use of AI scribes;
(v) support recruitment activities and manage personnel onboarding and off-boarding;
(vi) undertake clinical governance; and
(vii) manage pre-admission activities.
We may also de-identify your personal and sensitive information. We may use de-identified data for various purposes including research, quality improvement and publishing in relation to medical research.
From time-to-time Cura is involved in research. If we invite you to participate in research we will provide you with specific information about what that would involve, including the types of personal information that would be collected as part of the research.
(b) Private healthcare providers providing services at Cura facilities: In order to manage the provision of services by private providers of healthcare services at our facilities, we collect the following information about private healthcare providers:
(i) contact details of private healthcare providers including address, postcode, telephone and fax numbers, email addresses;
(ii) information about the services provided by the healthcare provider at Cura facilities including procedure types and outcomes;
(iii) provider numbers of healthcare providers.
(c) Prospective employees: In order to assess applications for employment at Cura facilities we collect the following information about prospective employees:
(i) contact details of prospective employees including address, postcode, telephone and fax numbers, email addresses;
(ii) demographic information about prospective employees, including age, date of birth, and gender;
(iii) qualifications and experience of prospective employees;
(iv) information contained in references obtained from third parties.
(d) Suppliers: If you are one of our suppliers or provide services to Cura, we may collect information about you that we consider is necessary to manage the service arrangement, such as the nature of the products and services that you provide, quotes that you provide and your direct credit details.
(e) Other collections: Cura may also collect personal information from you if you complete a survey, questionnaire or when you communicate with Cura by email, telephone, in writing or in person. Cura will use the information you provide to deal with your enquiry or request.
We only collect personal information that is reasonably necessary for our functions and activities or otherwise in compliance with the requirements of APP 3 and 4.
We will usually collect sensitive information with your consent (or consent from someone acting on your behalf if you are unable to give consent).
In some circumstances we may collect sensitive information without your consent. We will comply with the requirements of APP 3 in doing so. Some of the circumstances in which we may collect sensitive information without your consent include where:
(a) collection is required or authorised by or under an Australian law or court/tribunal order;
(b) we reasonably believe the collection is necessary to lessen or prevent a serious threat to the life, health or safety of any individual or to public health or safety, and it is unreasonable or impracticable to obtain your consent.
(c) collection is necessary to provide a health service to you, and either:
(i) the collection is required or authorised by or under an Australian law; or
(ii) the collection occurs in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality that bind Cura.
(d) collection is necessary for research relevant to public health or public safety, the compilation or analysis of statistics relevant to public health or safety, or the management, funding or monitoring of a health service, and
(i) the particular purpose cannot be served by collecting de-identified information;
(ii) it is impracticable to obtain your consent;
(iii) the collection is either:
(A) required by or under Australian law;
(B) in accordance with rules established by competent health or medical bodies that deal with obligations of professional confidentiality which bind Cura;
(C) in accordance with guidelines approved by the Information Commissioner under section 95A of the Privacy Act 1988 (Cth)
Where Cura collects personal information from will depend on the circumstances of the collection.
(a) Directly from you: Cura tries to collect personal information that is about you directly from you. We will collect personal information from you:
(i) when you are able to provide us with information about yourself and your medical condition;
(ii) if you complete a survey, questionnaire or you communicate with Cura by email, telephone, in writing or in person;
(iii) if you are providing services to Cura or patients at a Cura facility; or
(iv) if you apply for employment at Cura.
(b) From other people: Where it is unreasonable or impracticable to collect information directly from you, Cura may obtain personal information about you from a third party. For example, Cura may collect personal information from about you from:
(i) a pathology provider or imaging provider who has performed a service on request from your healthcare provider to provide healthcare services to you;
(ii) your General Practitioner or another healthcare provider who has information about your condition to assist us in providing healthcare services to you;
(iii) a member of your family, a friend or your carer to assist us in providing healthcare services to you;
(iv) your health insurer, Medicare or DVA to assist us in processing billing for healthcare services provided to you;
(v) a reference identified on your application for employment at Cura.
(c) Publicly available sources: Cura may collect information about you from the public domain, for example professional registration boards if you are a healthcare provider providing services at a Cura facility.
(d) From the Cura website: When you visit a Cura website, our web server may download a cookie to your computer. A cookie is a small piece of information sent by our server to your browser. Cookies do not contain personal information about you but can identify a user’s browser. Cura uses cookies to capture information about a user’s browser. If you do not wish to receive cookies, you may set your browser to refuse them.
(e) From our AI systems: We may collect personal information from our AI systems when you interact with them. We may also use AI systems to generate your personal information. Importantly, our AI systems will have been assessed and approved by us as meeting the security standards required for handling and managing personal information in accordance with the Privacy Act 1988 (Cth) and Australian Privacy Principles. If AI systems are used to generate or infer personal information about you, we will only use AI systems to generate or infer personal information about you that is reasonably necessary for our functions and activities, and only by lawful and fair means. The kinds of personal information that may be generated by AI systems include those set out above in this section 5. Cura will manage any personal information inferred or generated by AI systems in accordance with this Policy.
Where possible and lawful, you can interact with us anonymously or using a pseudonym. For example, if you contact us with a general question, we will not record your name unless required to adequately handle your question.
However, if you are a patient, it may not be practical for you to remain anonymous because we need to keep a record of the treatment we provide to you. We may be able to accommodate you using a pseudonym, however, you should be aware that providing a pseudonym may:
(a) limit the extent of care Cura can provide to you., and in some cases, could be dangerous to your health. For example:
(i) we will be unable to link other health information we hold about you, limiting our ability to provide coordinated care;
(ii) if you choose not to tell us medical information that is relevant to your care we may not be able to provide you the appropriate level of care.
(b) mean that you are unable to claim Medicare, DVA or health insurance refunds for your treatment. You should contact these entities to discuss the availability of refunds.
If you wish to use a pseudonym that is linked confidentially to your real identity, please let us know and we will discuss with you the arrangements that can be made for your admission to our facilities.
If you are an individual applying to be engaged by Cura (including to provide healthcare services at a Cura facility), it is not possible for you to remain anonymous or use a pseudonym. Cura is required to ensure that you are properly qualified to provide services or be engaged by Cura, and so is required to know your identity.
7.1 Cura holds personal information on databases, electronic and hard copy files. We take reasonable and appropriate steps (including organisational and technological measures) to protect your personal information from misuse, interference and loss, as well as unauthorised access, modification or disclosure.
Cura does not use personal information for direct marketing.
We disclose personal information in accordance with the requirements in APP6.
This means that we will usually disclose information for the particular purpose for which it was collected. For our patients, this may include disclosures that are necessary to provide healthcare to our patients. For example:
(a) disclosure of your health information to your private healthcare provider who you have engaged to provide health services at a Cura facility;
(b) disclosure of your personal and health information to MyHealth record in accordance with your account permissions;
(c) disclosure of your personal information to personnel involved in the provision of your care at a Cura facility (including healthcare providers, nurses, physiotherapists, occupational therapists) or administrative staff (involved in bookings, billing and reception duties), including staff who are not our employees;
(d) disclosure of your personal information to Medicare, DVA or your private health insurer for the purpose of billing;
In some cases we will disclose information for a different purpose to that for which it was collected. We may do this when:
(a) you consent to the disclosure (or someone acting on your behalf consents if you are unable to give consent); For example, we may seek your consent to disclose your health information to:
(i) the Australian Breast Device Registry to contribute to the continued quality and safety of breast device surgery in Australia; and
(ii) the Australian Orthopaedic Association National Joint Replacement Register;
(b) disclosure is for the facilitation of health services provided to you (ie a purpose directly related to the primary purpose of collection). For example:
(i) we may disclose personal information to pharmacy providers, pathology providers and imaging providers for the purposes of those third parties providing health services and conducting tests as ordered by your healthcare providers;
(ii) we may disclose personal information in a discharge summary to your General Practitioner to facilitate continuing health care after your discharge from a Cura facility;
(iii) where you have a medical device implanted at one of our facilities, we may disclose information about you to Medicare or another entity involved in the tracking of implanted medical devices to facilitate any recalls on medical devices.
(c) disclosure is for the management of the health service (ie a purpose directly related to the primary purpose of collection). For example:
(i) anyone to whom part or all of our assets or businesses are transferred or sold;
(ii) billing/debt-recovery, service-monitoring, funding, complaint-handling, incident reporting, developing and planning services, evaluation, quality assurance or audit activities, and accreditation activities;
(iii) education and training of our staff (who may not be our employees), where de-identified information is not sufficient for this purpose;
(iv) disclosure to a medical expert for medico-legal opinion, an insurer, an employed practitioner’s medical defence organisation, or lawyer, for the purpose of addressing liability/indemnity matters, for example following an adverse incident, or for anticipated or existing legal proceedings;
(v) disclosure to our contractors who provide services to Cura, for example IT service providers;
(vi) our professional advisers, including lawyers, accountants and auditors;
(vii) government agencies, regulatory bodies and law enforcement agencies, or other similar entities;
(viii) where disclosure will prevent or lessen a serious or imminent threat to the life, health or safety of any individual, or to public health or safety; and
(ix) the disclosure is reasonably necessary to take appropriate action in relation to suspected unlawful activity or serious misconduct.
(x)
(d) the disclosure is required or authorised or authorised by or under an Australian law or a court/tribunal order. For example, where relevant, we are required by law to disclose your health information to the Cancer Register (as relevant in each Australian jurisdiction);
(e) we reasonably believe that the disclosure is necessary to lessen or prevent a serious threat to the life, health or safety or any individual, or to public health or safety, and it is unreasonable or impracticable to obtain your consent;
(f) the disclosure is necessary for research, or the compilation or analysis of statistics, relevant to the public health or public safety, and:
(i) it is impracticable to obtain your consent; and
(ii) the disclosure is conducted in accordance with guidelines approved under section 95A of the Privacy Act 1988 (Cth);
(iii) we reasonably believe that the recipient of the information will not disclose the information, or personal information derived from the information.
(g) we are providing a health service to you, we may disclose to a ‘person responsible’ for you if:
(i) you are physically or legally incapable of giving consent to the disclosure, or physically cannot communicate consent to the disclosure;
(ii) we are satisfied that either the disclosure is necessary to provide appropriate care or treatment to you, or the disclosure is made for compassionate reasons;
(iii) the disclosure is not contrary to any wish you expressed before you became unable to give or communicate consent, and of which we are aware or could be reasonably expected to be aware; and
(iv) disclosure is limited to the extent reasonable and necessary for providing appropriate care or fulfilling the compassionate reasons.
(h) we may also disclose your personal information to third parties such as accreditation authorities as required to operate our business.
You have the right to access the personal information that Cura holds about you. There are some limited exceptions to this set out in APP12.
If you request to access your personal information, we will ask you to verify your identity and specify what information you wish to access. This will help us to identify the relevant information.
To make a request to access your personal information please contact us at [email protected] or Cura Day Hospitals Group, Ground Floor, Boundary Court, 55 Little Edward Street, Spring Hill Qld 4004 or 07 3218 3700 and ask that your request be directed to the Privacy Officer.
You have the right to request access to, or the correction of, information that Cura holds about you, such as if you consider that the information we hold is not accurate, not up-to-date, not complete, not relevant or is misleading.
To make a request please contact us at [email protected] or Cura Day Hospitals Group, Ground Floor, Boundary Court, 55 Little Edward Street, Spring Hill Qld 4004 or 07 3218 3700 and ask that your request be directed to the Privacy Officer.
If you believe that we have dealt with your personal information inappropriately, please contact us at [email protected] or Cura Day Hospitals Group, Ground Floor, Boundary Court, 55 Little Edward Street, Spring Hill Qld 4004 or 07 3218 3700 and ask that your request be directed to the Privacy Officer.
Cura has internal processes for investigating and resolving privacy complaints, including escalation to senior management of privacy matters. We will work to resolve privacy concerns with you within a reasonable timeframe.
If you are not satisfied with the resolution of your complaint by Cura, you may lodge a complaint with the Office of the Australian Information Commissioner via their website (www.oaic.gov.au).
It is unlikely that Cura will disclose personal information to entities outside of Australia. However any request received or made to disclose personal information to entities outside of Australia will require the approval of the Cura Privacy Officer prior to release of information.
For enquiries or feedback about this policy, or for complaints about Cura’s handling of your personal information, please contact Privacy Officer at: Phone (07) 3218 3700; Email: [email protected]; or Cura Day Hospitals Group, Ground Floor, Boundary Court, 55 Little Edward Street, Spring Hill Qld 4004, or Fax: (07) 3218 3799.
General information about privacy is available from the Office of the Australian Information Commissioner: http://www.oaic.gov.au/
From time to time, we may change our Policy on how we handle personal information or the types of personal information that we hold. Any changes to our Policy will be published on our website.
You may obtain a copy of our current Policy from our website or by contacting our Privacy Officer using the details above.
Dated: 5 May 2026
Date of next review: 30 November 2026