Privacy Policy

Quick Links

At CBHS we help you manage your health challenges. We believe in offering you the services, support and tools you need to live your best life.
Our Better Living Programs are available to support eligible members towards a healthier lifestyle. Each Better Living Program is subject to its own eligibility criteria.
Contact us for more information and to confirm your eligibility for a program.

CBHS Group Privacy Policy

1. Scope

1.1 CBHS Overview

The CBHS Group provide Private Health Insurance Policies or products to persons who are eligible to become members of one or more of the CBHS Group entities.

1.2 Purpose of this document

This Policy explains why we collect your Personal Information and what we do with it, along with your rights to access and correct your Personal Information or make a privacy complaint.

We are bound by laws governing how we collect and use your Personal Information including the Privacy Act 1988, the Spam Act 2003, the Do Not Call Register Act 2006 and other State and Territory laws such as the Health Records Act 2001 (Vic), Health Records (Privacy and Access) Act 1997 (ACT), the Health Records and Information Privacy Act 2002 (NSW).

1.3 Who this policy applies to

This Policy applies to:

All current and past members of the CBHS Group whose Personal Information we have collected
All individuals whose Personal Information is collected in relation to the products and services offered by CBHS Group; and
All individuals whose personal information is collected by us in the course of our functions and activities, such as service providers, contractors, and prospective employees.

2 Individuals whose information we collect

We collect Information from or about the following types of persons:

Our members (current and former) and their family members insured under the same Policy (we hold former member information as detailed in clause 7.2 of this Policy)
Applicants for membership
Applicants for employment
Employees
Persons who apply for a business opportunity with us
Persons who are notified to us as referees for applicants for employment or business opportunity
Persons who are contractors or service providers to us
Persons engaged or being engaged to provide healthcare, wellbeing or clinical services to our members and employees
Persons who are visitors on our premises
Directors, officers, agents, or employees of a body corporate who has or proposes to have a business relationship with us.

3 Types of information we collect

Our collection of Information is governed by the purpose for which we collect the Information. We only collect Personal Information and Sensitive Information about you, by lawful, fair, and reasonable means. Examples of Personal Information are provided in the sections below.

In this Policy you will see the terms Personal Information and Sensitive information used, and unless otherwise stated, all references to Personal Information include Sensitive Information.

3.1 Personal Information

Your personal details, depending on the nature of our engagement, may include name, address, other contact information, date of birth, gender, marital status, photograph, and signature
Information about you or your family members’ current or past employment with or by CBA or any of its current or past subsidiaries, contractors, or franchisees
Information necessary to collect or pay your Insurance Policy premiums or contributions and to pay claims or other moneys we owe you
Relevant Government-issued documents if you wish to access a benefit or exemption under an Australian law
Your tax file number if you are our employee
Your superannuation fund account number or membership details if you are our employee
Your household or family income information necessary to assess your eligibility for Government rebates and incentives in relation to your Insurance Policy
Sensitive Information (see below)
Information necessary to assess your health or wellbeing and provide related services to you
Membership of previous health funds and details of insurance policies you held with them
Educational and technical qualifications, work history and professional associations.

3.2 Sensitive information

Health information e.g. received through the claims process and/or applications for treatments/health services
Professional membership (employees)
Race/ethnicity as may be required for diversity and inclusion reporting
Criminal history obtained through employment related checks (employees)
Whenever practicable, we will require express consent to collect Sensitive Information.

Subject to the applicable privacy laws, by becoming or remaining a member of CBHS Group or by otherwise providing personal information to us, you confirm that you have consented to us collecting, using, and disclosing your Personal Information, however collected by us, in accordance with this Policy.

4 Purposes for which we collect information.

4.1 Products and services

We collect Information for the purposes of providing, administering, and marketing our products and services. These purposes include, but are not limited to:

Application for an insurance policy
Determining your eligibility for membership with us
Facilitating your assessment of our products and services to your individual needs and circumstances
Collecting and processing Insurance Policy contributions or premiums
Assessing and communicating to you the coverage and benefits of the products and services provided to you
Communicating with you from time to time
Communicating with hospitals and other health care service providers about your cover and benefits
Verifying your identity from time to time
Accessing health treatments or services covered by your Insurance Policy
Administering and processing your claims and payments
Managing, evaluating, developing, or improving our products or services
Conducting quality assurance or risk management activities
Developing, improving, or testing our information technology services or capabilities
Enrolling you in specialised health and wellbeing programs
Conducting member surveys, research, analysis and providing online member services
Resolving any legal and/or commercial complaints or issues in relation to products or services you have applied for or taken with us
Undertaking direct marketing activities and related communications with you.

4.2 Employment/Contractor Management

We collect Information for the purposes of offering, administering, and managing employment engagements including contracted services. These purposes include, but are not limited to:

managing the recruitment process and our relationship with you, our business and the people and organisations who provide services for us
ensuring that you are fit and proper to fulfil the requirements of the role
carrying out business activities related to recruitment including administration and risk management
carrying out our obligations and exercise rights under legislation such as health and disability information to ensure appropriate work health and safety adjustments are in place
exercising our rights, to defend ourselves from claims and to comply with laws and regulations that apply to us and the people and organisations we work with
inviting you to apply for a position or contact you about future roles that may be of interest to you.

4.3 Where required information is not provided

Your individual needs or circumstances determine the set of Information we will collect from or about you. You are not required to provide any information we ask for; however, we may be unable to provide or continue to provide you with our products or services if you fail or refuse to provide the information we ask for. If you later withdraw your consent for your information to be handled in accordance with all or some requirements of this Policy, we may not be able to provide or continue to provide you with our products or services.

5 When and how we collect information.

We collect Information in the following ways or circumstances:

5.1 Collecting information directly from you

Where practicable, we will collect Information directly from you, including when you:

Visit our office or a place of business
Contact us by telephone, email, website chat or regular mail
Complete a CBHS Group issued form
Open and start to complete – or complete – a form on our websites
Interact with us via a mobile app
Visit a Health Hub and provide Information
Complete a Government-issued form we have made available to you
Apply to us for employment or business opportunity
Enter a contract for services with us.

5.2 Couples and family health insurance policies

If you have a couples or family health Insurance Policy with us, we will collect personal and sensitive information about dependants (partner and children) from the Policy holder who establishes or makes changes to the Insurance Policy. If you are a policy holder and provide us with information about your partner or a dependant who is 16 years or over, you should:

Request their consent to provide us with their information
Advise them of the Personal Information you have provided
Advise them that our privacy practices are set out in this Policy and how they can access this Policy; and
Advise them they are entitled to access their information by contacting us.

If you are an Insurance Policy holder and provide us with information about your partner or a dependant who is 16 years or over, by providing that information you acknowledge that you are creating or that you have created the Insurance Policy on behalf of your co-insureds, and you warrant that:

You have their authority to agree to the relevant terms including consenting to the uses set out in this Policy on their behal.
You have made them aware of the information set out in this Policy and informed them of how they can obtain access to this Policy; and
You have their consent to provide the information to us - and for us to use that information for the purposes set out in this Policy - and as otherwise permitted by law, including the relevant privacy laws.

If an Insurance Policy holder lodges a claim on a dependant’s behalf, we act in reliance on the above warranties given by the Insurance Policy holder, and accordingly assume the dependant(s) have given their consent to the Insurance Policy holder to provide all the information we need to process their claim(s).

5.3 Dealing with us anonymously or using a pseudonym

You generally have the right not to identify yourself (that is, without providing Information that identifies you) when dealing with us and to use a pseudonym (that is, use a name, term or descriptor that is different to your actual name). If you do not provide or authorise the provision of Personal or Sensitive Information we request, we may be unable to provide you with some or all of our products and services or the products and services of our partners. If you ask us, we will tell you what Personal or Sensitive Information we must have in order to provide you with a particular product or service, and what requested Personal or Sensitive Information is required for that product or service.

5.4 Collecting information from authorised sources

Sometimes we collect Information from another person or organisation including in the following circumstances:

Policies insuring more than one Person - any main member or authorised person is deemed to have obtained the consent of any person whose Information they provide in relation to the Insurance Policy
Health services you received or when you make a claim – we may collect Information about those services directly from the health service provider (e.g., a hospital, medical or allied health provider) you have dealt with
Health Management Program partners – we may collect your Information from a person or organisation we have engaged to provide a specialised health and wellbeing or chronic disease management program to our members if you wish to participate in any such program
Online review platform providers – we may collect your Information from online review platform providers with whom we have partnered to help you provide reviews of services you received from healthcare providers
Relevant Government departments – we may collect your Information from Government departments we deal with in relation to Insurance Policies including but not limited to the Department of Health, the Department of Home Affairs, the Private Health Insurance Ombudsman, and the Office of the Australian Information Commissioner
Payments or billing facilities providers – we may collect Information from organisations we have engaged to provide payments or billing facilities in relation to our Products and services
Outsourced call centres – In the event that we outsource any services to a third-party call centre, they may collect your Information on our behalf
Other private health insurers – we may collect your Information from your previous private health insurer (for example, Information on your transfer certificate)
Basic contact Information from the CBA – For CBHS Health, as a restricted access private health insurer, we collect basic contact Information from the CBA or its contractors, subsidiaries, or franchisees to inform you about our products if we consider you may be eligible to join CBHS Health
Basic contact Information from referrers – we may obtain this Information from existing members, our business associates or business partners to inform you about our products or services, if we consider you may be eligible to join us, or to inform you about an employment or business opportunity with us
Referees of job or business opportunity applicants – we may collect your Information from recruitment agencies or referees you have notified to us in relation to an application for employment or business opportunity with us. In any such case, you are deemed to have given your consent to the recruitment agency or the referee to provide your Information to us for the purposes of the employment or business opportunity application
Superannuation funds – if you are our employee, we collect your Information from a superannuation fund you have advised us
Employment checks – collection of information for employment purposes including but not limited to reference and background checks
Publicly available Information – we may collect your Information from publicly available sources including from public registers, telephone or business directories, social media platforms and the internet.

If you wish to deal with any person or organisation we have engaged to act on our behalf, we strongly advise you to first read their Privacy Policy before providing them your Information.

5.5 Our website and Third-Party Service Providers

Our website uses “cookies”. A “cookie” is a packet of information that allows the website server to identify and interact more effectively with Your computer.

When you use the website, we send a cookie that gives each computer a unique identification number. Cookies do not identify individuals, although they do enable us to identify your browser type and internet service provider. You can configure your browser to accept all cookies, reject all cookies or notify the user when a cookie is sent. If you reject all cookies, you may not be able to use our website or the Member Service Centre.

We use third-party service providers such as Google (“Google Analytics”) to undertake demographic analysis of visitors to our website. We collect and use information from cookies and Google Analytics to:

Better understand how visitors use our website
Link with social media networks
Communicate relevant advertisements that may be of interest
Measure the time spent on the website
Determine the effectiveness of the navigation options
Record information obtained during the visit to streamline subsequent visits
Manage risks, including potential fraud identification and prevention.

5.6 Social media and search engines

By using our website, you consent to the collection of information about the use of your computer by Google in the manner described in Google's Privacy Policy and for the purposes set out above. You can opt out of Google Analytics if you disable or refuse the cookie, disable JavaScript, or use the Google opt out service provided by Google.

Also, we use interfaces with social media sites such as Facebook. If you choose to "like" or "share" information from this website through these services, you should review the Privacy Policy of that service. If you are a member of a social media site, the interfaces may allow the social media site to connect your visits to this site with other Information.

6 Who we disclose information to.

6.1 Authorised Organisations and Third-Party Providers

The types of persons or organisations we usually disclose Information to are:

Hospitals or healthcare service providers from whom you have received, or from whom you intend to seek, treatments
Providers of specialised health or wellbeing programs (including Health Management Programs)
Persons or organisations who provide contracted mail, mailing or messaging services on our behalf
Australian Government departments or agencies (such as the Australian Taxation Office, Medicare, the Australian Prudential Regulation Authority, the Australian Securities & Investments Commission, the Private Health Insurance Ombudsman, the Department of Health and the Department of Home Affairs
Other private health insurers, that you transfer to or from
Organisations providing payment or billing facilities in relation to our products and services
Organisations we have engaged to provide marketing services for us
Organisations providing call centre services on our behalf
Online review platform providers we have partnered with to help you provide reviews of services you received from healthcare providers
Organisations developing, improving, or testing our information technology services or capabilities
Third-party advisers (such as our auditors, actuaries, consultants, and legal advisers)
Social media platforms including Facebook and Google
The Australian Health Service Alliance (AHSA) who assists us to assess and pay claims and provide reports to the Government in relation to treatments and services you received in hospitals and other health care facilities.

AHSA’s privacy policy and contact details can be accessed from the following link – AHSA Privacy Policy. You can make a privacy breach complaint to the AHSA or ask them for access to or request them to correct the Information they hold about you.

6.2 Joint and Family Policies

All claims’ payments and general Insurance Policy information will be sent to the person listed as the main member. Dependants (over 16) and partners may request restricted visibility of the information relating to their health insurance claim from other members under the policy, using the General Enquiries contact details in Section 9.

The person listed as the main member can:

Change details on the Insurance Policy
Change the level of cover
Add and remove persons from the Insurance Policy
Receive benefits on behalf of dependants; and
Terminate the Insurance Policy.

The person listed as the main member can authorise their partner or dependant (16 years of age or over), to operate the Insurance Policy. If the person listed as the main member gives such authority, the authorised person will have the same level of access as the person listed as the main member and so will be able to receive and view all Personal Information in connection with the Insurance Policy that the person listed as the main member can see, including in respect of claims made by the person listed as the main member and co-insureds (where that information was available to the person listed as the main member).

However, the authorised person cannot:

Terminate the Insurance Policy, or
Remove the Insurance Policy holder from the Insurance Policy.

The person listed as the main member may grant this authority. The authority will remain in place until the person listed as the main member contacts us to revoke it.

6.3 Relationship breakdowns

If any members become separated or divorced, we require that the impacted members notify us as soon as reasonably practicable to prevent privacy breaches. Please inform us promptly if this occurs so that we can take steps to enforce these processes.

We cannot confirm the insured status of your child under the Insurance Policy of your ex-partner or provide details about your ex-partner’s Insurance Policy to you.

You may opt to pay for another person’s Insurance Policy, but unless they’ve given you authority, this does not permit us to otherwise disclose Information about the Insurance Policy to you. You can however, contact us to cease your payments, but be aware that if you do this, we will contact the Insurance Policy holder to advise them that their Insurance Policy will be or is un-financial due to a cancelled payment or failed debit.

6.4 Managing requests for overseas disclosure

If you request us to disclose your Information to an overseas recipient, we will provide you a clear statement explaining the potential consequences of disclosing the Information to the overseas recipient.

If business needs require us to disclose your Information to an overseas recipient, we will take all reasonable steps to ensure that the requirements under the APPs, the Privacy Act and the GDPR are upheld in relation to the Information.

Other circumstances in which we will disclose your Information to an overseas recipient are:

If the disclosure is authorised under an Australian law or by court order; or
If You request us to disclose your Information to an overseas recipient.

7 How we hold and protect information

We take reasonable steps to store your information securely and have a range of security controls in place (including physical, technology and procedural safeguards) designed to protect your Personal Information. Our employees and contractors regularly receive targeted privacy training. We take reasonable steps to make sure that the Personal Information about you that we collect, is accurate, complete, up to date and relevant.

7.1 If your Personal Information is exposed or inadvertently disclosed

If we become aware that we have inappropriately used or disclosed your personal information, or that the security of your Personal Information has been compromised (a data breach), and we are unable to rectify the data breach without any potential adverse effect on your privacy, we may contact you to inform you, and to work with you to minimise or mitigate the consequences of the data breach.

Pursuant to the Notifiable Data Breaches scheme, we may be required to notify you of a data breach as soon as we practicably can if we consider you are reasonably likely to be at risk of serious harm (including financially or to your mental or physical wellbeing). Where reasonably practicable we will give you details of the data breach and, where possible, steps you could take to lower the risk of harm to you. We may make a public notification for a data breach affecting a large number of customers, before we contact you directly or in place of direct contact.

7.2 Information we no longer need

If we no longer need Information, and we are not required by law to retain it, we will take reasonable and practical steps to destroy or de-identify the Information securely in accordance with our internal retention and destruction policies.

The criteria we use to determine the period for which we keep Information include:

The period we are required by law, a regulator or court order to keep the Information
The period we consider is necessary to keep the Information to resolve a complaint in relation to the Information
The period we consider is necessary to keep the Information to defend or take legal action in relation to the Information
The period we take to come to a reasonable conclusion that the person does not wish to continue an application for a product, service, employment, or business opportunity with us.

7.3 Dealing with unsolicited information

If we receive Information we did not ask for and we determine it is not required for any of our functions or activities, we will attempt to return it to the sender if it is contained in a document. If we cannot return the document to the sender, or the Information is contained in a voice recording, we will destroy the Information or document securely as soon as reasonably practicable.

8 Accessing and requesting correction of your information.

8.1 Reasons for seeking access

You can request access to your Information at any time by using the contact details set out in section 9.2 and 9.3. Your reason for seeking access could be simply to know what information we hold about you, to request a copy of the Information or to request its correction.

8.2 Request for access to information

When you request access to your Information, we will first identify you to ensure you are the right person to be given access to the Information.

Requests for access are actioned as soon as practicable, and in any case within 30 days of receiving the request. Where access to Information cannot be provided, we will give you a written notice setting out our reasons, your right to make a complaint about our refusal and any matter we are required by law to notify you about.

8.3 Fee for providing access

While requests for access to Information are free of charge, administrative fees may be charged for retrieving some types of Information and providing it in the form you have requested. If the circumstances apply in your case, we will inform you and request payment of the fee before giving you access to the Information.

8.4 Requesting correction of information

Should any of your Information change we require you to notify us as soon as practicable. If you believe Information we hold about you is inaccurate, out-of-date, incomplete, irrelevant, or misleading, you can request us to Correct it at any time by using the contact details set out in section 9.2 and 9.3.

8.5 Responding to requests to correct information

We will respond to the request as soon as practicable, in any case within 30 days of us receiving the request.

If we are unable to correct your Information as requested, we will give you a written notice setting out our reasons (unless it is unreasonable to do so), your right to make a complaint about our decision and any matter we are required by law to notify you about.

8.6 Associating a statement if we are unable to correct information

If we unable to correct your information, you can ask us to associate a statement with the Information that you believe is inaccurate, out-of-date, incomplete, irrelevant, or misleading. We will respond to the request as soon as practicable, in any case within 30 days of us receiving the request.

8.7 Notifying others about correction of your information

You may ask as to notify another person we previously disclosed your Information to that we have corrected it. We will action your request as soon as reasonably practicable.

9 Complaints about your privacy.

9.1 Privacy complaints handling and dispute resolution

You may make a complaint regarding your Personal or Sensitive Information or this policy by using the General enquiry details provided below or if not appropriately addressed, by escalating to Our Privacy Officer whose contact details are set out in the section 9.3.

Our Privacy Officer will first determine if, on the information available, we have breached your privacy, and if so, take steps to resolve the complaint. If Your complaint requires more detailed consideration or investigation, the Privacy Officer may ask you to provide further information. In such a case, we will endeavour to respond to the complaint as soon as reasonably practicable and, in any case, within 30 days.

If You are still not satisfied with our response to your complaint, you may take the complaint to either the Office of the Australian Information Commissioner (OAIC) or the Private Health Insurance Ombudsman (PHIO) whose contact details are provided below.

9.2 General enquiries

Telephone: 1300 586 462 (Corporate and International Health) / 1300 654 123 (CBHS Health)

General enquiries email: help@cbhs.com.au

Complaints email: complaints@cbhs.com.au

9.3 Privacy Officer contact details

Email: privacy@cbhs.com.au

Address:
Privacy Officer
CBHS Health Fund Limited
Locked Bag 5014
Parramatta NSW 2124

If you would like a physical copy of this Policy, please use the Privacy Officer contact details above.

9.4 OAIC contact details

Email: enquiries@oaic.gov.au

Address:
The Office of the Australian Information Commissioner
GPO Box 5218
Sydney NSW 2001

Additional information
https://www.oaic.gov.au/privacy/privacy-complaints/lodge-a-privacy-complaint-with-us

9.5 PHIO’s contact details

Telephone: 1300 362 072 (option 4 for private health insurance)

Online complaint form:
https://forms.ombudsman.gov.au/prod?entitytype=Approach&layoutcode=ApproachWebForm

Email: phio.info@ombudsman.gov.au

Address:
The Private Health Insurance Ombudsman
Office of the Commonwealth Ombudsman
GPO Box 442
Canberra ACT 2601

Fax: (02) 6276 0123
Website: www.ombudsman.gov.au
Additional information: https://www.ombudsman.gov.au/complaints

10 Changing and notifying changes to this Policy.

The CBHS Group may review this Policy at any time and publish a revised version on our website at: