Effective Date: 27.10.2025

Contents

1. Introduction and Commitment to Privacy
2. Relationship with Our Website Terms of Use
3. Types of Information Collected
4. Methods of Information Collection
5. Purposes for Collection, Use and Disclosure
6. Disclosure of Information to Third Parties
7. Use of the My Health Record System
8. Workplace Surveillance and Monitoring Practices
9. Data Security, Integrity and Retention
10. Individual Rights of Access, Correction and Control
11. Enquiries, Concerns and Complaints
12. Website Hosting, Cookies and Analytics
13. Online Bookings and Recruitment Applications
14. Access to this Policy
15. Review and Updates to this Policy

1. Introduction and Commitment to Privacy

YARRA Radiology recognises that in the ordinary course of our operations, we collect and handle highly sensitive personal and health information, including but not limited to referrals, clinical histories, diagnostic images, and reports. We are committed to managing this information with the highest degree of care, security, and confidentiality, in accordance with all applicable laws and professional obligations.

We comply with strict privacy and health information laws, including but not limited to the Privacy Act 1988 (Cth), the Australian Privacy Principles, the Notifiable Data Breaches scheme, the My Health Records Act 2012 (Cth), Victoria’s Health Records Act 2001 (Vic), Health Privacy Principles, Health Records Regulations 2023, and the Surveillance Devices Act 1999 (Vic).

We are committed to maintaining compliance with evolving privacy and health information laws. We will continue to review and where necessary, update our practices and this Privacy Policy to ensure alignment with any new legislative requirements as they come into effect.

This Privacy Policy sets out the categories of information we collect, the purposes for which we collect, use, and disclose that information. The steps we take to protect it, the circumstances in which it may be shared with third parties, and how individuals may access, correct, or raise concerns in relation to their personal information.

For general enquiries, individuals may, where lawful and practicable, choose not to identify themselves. However, in the ordinary course of providing medical services and undertaking associated billing and administrative functions, YARRA Radiology will require the collection and verification of identifying information.

2. Relationship with Our Website Terms of Use

This Privacy Policy should be read together with our Website Terms of Use, which govern your access to and use of our Website, online booking system, patient portals, and related digital services (collectively, the “Services”). Together, these documents explain how YARRA Radiology manages information collected both online and in the course of providing diagnostic imaging services.

3. Types of Information Collected

At YARRA Radiology, the information we collect is guided by our commitment to patient care, safety, and quality service. We only collect information that is reasonably necessary to provide medical imaging services, meet our legal and professional obligations, and support the efficient operation of our practice.

Patient Information

For patients, we may collect and hold the following categories of information:

• Identity and Contact: name, date of birth, gender, address, phone number, email address, next of kin, Medicare number, Department of Veterans’ Affairs (DVA) details, concession or pension details, healthcare identifiers, and emergency contacts.
• Health and Clinical: referrals, clinical and medical history (including allergies, medications, and previous test results), diagnostic images and metadata, radiologist findings, correspondence with healthcare providers, records of past engagement with you, and relevant family or employment history where clinically appropriate.
• Insurance and Financial: private health fund details, Medicare/insurance claim information, WorkCover or TAC claim details, billing records, and where applicable, credit card and banking information.
• Interaction and Activity Records: records of communications and interactions with our staff, including calls, messages, online enquiry forms, and use of patient portals.
• Feedback and Complaints: records of queries, feedback, complaints, claims, disputes, or investigations.
• Referral Information: details provided by, or relating to, your referring practitioner, including referral trends and associated communications.
• Security and Safety: CCTV footage, call recordings, IT system access logs, and security event logs.
• Legal: guardianship orders, powers of attorney, and advance care directives.
• Children and Young People: information about minors, which is collected and managed with additional care and safeguards to protect their privacy.

Staff and Recruitment Information

For employees, contractors, and job applicants, we may collect and hold:

• Employment Information: qualifications, skills, CVs, professional experience, referee details, professional memberships, AHPRA registration numbers, training records, payroll details, and records of performance or conduct.
• Background Check Information: information relevant to recruitment and employment suitability, including identity verification, financial or vocational checks, criminal record check, and referee reports (where lawful and relevant).
• Workplace Interaction Data: records of IT system use, call logs, security access, and other activity logs necessary for workplace safety, compliance, and service delivery.

This list is not exhaustive. We may collect other personal information where it is reasonably necessary for the delivery of our services, the operation of our practice, or as required or authorised by law. We also take all reasonable steps to ensure that the information we collect, use, and hold is accurate, complete, and up to date.

4. Methods of Information Collection

We collect personal and sensitive information in a lawful and fair manner, and with respect for your privacy, and only where it is reasonably necessary for the provision of medical imaging services, the safe operation of our practice, or as otherwise required or authorised by law.

• Information we collect directly from you
  We collect information when you attend our clinics, book an appointment, complete forms, contact us by phone, email or through our website, use our patient portal, or otherwise communicate with us in relation to your care.

• Information we collect from others
  In some circumstances, we may collect information about you from third parties, including but not limited to:

• Referring practitioners: details included on your referral form, such as your past medical or clinical history relevant to your imaging.
• Hospitals, medical specialists, and allied health professionals: where they request or coordinate services on your behalf.
• Government agencies, insurers, employers, or clinical trial companies: where they are responsible for arranging, authorising,  or funding your care.
• Other diagnostic service providers: such as pathology laboratories, other imaging practices, or treating specialists, where results are clinically relevant.

• Relatives, guardians, carers, or personal representatives: where you authorise them to act for you, or where collection is otherwise lawful.
• Patient feedback services or survey providers: who may contact you on our behalf.
• My Health Record and other authorised health databases: where information is accessed in accordance with legislation.

• Collection from disclosure recipients

We may, where appropriate, collect additional information from the parties to whom we disclose your information (for example, feedback from your treating specialist or referrer), where this is necessary for your care or permitted by law.

• Emergency situations

Where it is not reasonable or practical to collect information directly from you, for example, if you are unconscious or otherwise unable to provide information, we may collect it from a third party, where this is necessary to protect your life, health, or safety, and in accordance with applicable laws.

• Information generated or derived by us

In providing services, we generate new personal and health information about you, such as diagnostic images, reports, and scan metadata. We may also derive or infer additional information from data we already hold, through analysis, interpretation, or the use of digital tools (including, where relevant, artificial intelligence and machine learning technologies).

• Online activity and cookies

When you use our Website and related digital services (including our patient portal), we may collect information automatically through technologies such as cookies, web beacons, and analytics tools. This may include device and browser identifiers, IP addresses, access times, pages viewed, and referring websites. We use this information to improve our services, enhance functionality, monitor security, and better understand patient needs. You may choose to disable cookies in your browser settings, but this may affect the functionality of our online services.

• Storage and security

All personal information we hold is protected by strict safeguards, technical, administrative, and physical. that are reasonable in the circumstances to prevent loss, misuse, unauthorised access, modification, or disclosure. This includes secure paper-based storage, restricted system access, and encrypted electronic records.

• Retention

We retain personal information in accordance with the Health Records Act 2001 (Vic), Privacy Act 1988 (Cth), My Health Records Act 2012 (Cth), and other applicable laws and professional standards. In general, health records are retained for the minimum statutory period required by law, and securely destroyed or de-identified when no longer needed.

• Patient reassurance

If you would like to know why we need particular information, or how it will be used, we will always explain this to you upon request.

5. Purposes for Collection, Use and Disclosure

We collect, use, and disclose personal and health information only where it is reasonably necessary to deliver imaging services, operate our practice safely and efficiently, and support quality patient care. This may include:

• providing medical imaging services by conducting examinations, preparing reports and communicating results to referring doctors, specialists and other members of a patient’s healthcare team;
• assessing health status and clinical needs, and coordinating care with hospitals, allied health professionals and other healthcare providers;
• scheduling appointments, sending reminders, verifying identity and maintaining accurate and up-to-date patient records;
• processing billing and payments, preparing invoices, lodging claims with insurers, Medicare, WorkCover or TAC, and recovering outstanding accounts where necessary;
• managing the administration of our practice, including maintaining secure IT systems, communication channels, and business continuity measures;
• meeting accreditation standards, undertaking audits, managing risk, handling insurance and indemnity matters, and running quality assurance and patient feedback programs;
• responding to complaints, investigations, disputes, subpoenas or other lawful requests, and managing medico-legal and professional indemnity requirements;
• supporting staff education and professional development to maintain high standards of care;
• contributing to research projects, with information de-identified wherever possible and identifiable data used only with consent;
• developing and applying clinical and operational technologies, including digital and artificial intelligence tools, under appropriate human oversight and safeguards;
• recruiting and managing staff and contractors, including assessing applications for current or future positions;
• facilitating legitimate business operations such as mergers, acquisitions, restructures and related due diligence, subject to confidentiality protections; and
• communicating with patients about our services with consent, in a manner that allows them to opt out at any time.

6. Disclosure of Information to Third Parties

We may disclose your information to:

• Referring doctors, treating specialists, hospitals, other diagnostic providers.
• Medicare, insurers, TAC/WorkCover, and regulators.
• Courts, tribunals or law enforcement where legally required.
• IT and cloud vendors under strict contractual safeguards.

Some service partners act as independent data controllers, including Comrad Australia Pty Ltd (online booking platform), Sectra AB (patient and referrer portals, image and report sharing platform), and Zed Technologies Pty Ltd (image and report sharing platform). Their own privacy policies and terms of use apply in addition to this Privacy Policy.

If overseas storage or access occurs, we ensure equivalent protections via recognised jurisdictions and/or strong contractual and technical safeguards.

7. Use of the My Health Record System

YARRA Radiology participates in My Health Record. Depending on your personal settings and current system rules, certain information may be uploaded and shared with your healthcare providers. You can manage access and document settings through your My Health Record account and by discussing preferences with us.

8. Workplace Surveillance and Monitoring Practices

We use CCTV in common areas, call recording for training and quality purposes and proportionate IT monitoring for security. These practices are transparent, access-controlled and retention-limited. We will update our practices and notices to reflect new Victorian surveillance laws once enacted.

9. Data Security, Integrity and Retention

YARRA Radiology takes reasonable steps to protect all personal and health information from misuse, loss, and unauthorised access, modification, or disclosure.
Our systems incorporate multi-layered safeguards including secure servers, controlled user access, encryption of data in transit (HTTPS), staff training, and regular vendor assessments.

Records are retained and managed in accordance with the Health Records Act 2001 (Vic) and Privacy Act 1988 (Cth). When information is no longer required by law or for ongoing care, it is securely destroyed or permanently de-identified.

Any eligible data breaches are managed and reported in line with the Notifiable Data Breaches (NDB) scheme.

10. Individual Rights of Access, Correction and Control

YARRA Radiology respects your rights to access, update, and manage your personal and health information in accordance with the Health Records Act 2001 (Vic) and the Privacy Act 1988 (Cth).

Access: You may request access to your personal or health records at any time. Proof of identity may be required, and a reasonable administrative fee may apply for preparing copies. We will respond within the timeframes required by law.

Correction: If you believe any information we hold about you is inaccurate, incomplete, or outdated, you may request a correction. Where we do not agree with a requested change, you may ask us to attach a written statement of disagreement to your record.

Restrictions on Use or Disclosure: You may request that we limit the use or disclosure of your information for certain purposes, where permitted by law. We will consider such requests on a case-by-case basis in line with our legal and clinical obligations.

Marketing Communications: You can opt out of receiving marketing or promotional communications at any time by following the unsubscribe instructions or contacting us directly.

Children’s Information: We handle children’s information in accordance with applicable legislation and emerging best practice, including compliance with the forthcoming Children’s Online Privacy Code, ensuring parental or guardian involvement where required.

11. Enquiries, Concerns and Complaints

We take privacy and confidentiality seriously. If you have a question, concern, or complaint about how your personal or health information has been handled, please contact our Privacy Officer:

Privacy Officer
VDX Radiology Pty Ltd (trading as YARRA Radiology)
145–147 Toorak Road, South Yarra VIC 3141
📧 This email address is being protected from spambots. You need JavaScript enabled to view it. | 📞 1300 177 199

We will acknowledge and respond to your enquiry or complaint within a reasonable timeframe and in accordance with applicable privacy laws.

If you are not satisfied with our response, you may escalate your concern to:

• Office of the Australian Information Commissioner (OAIC)
• Health Complaints Commissioner (Victoria)
• Victorian Civil and Administrative Tribunal (VCAT)

12. Website Hosting, Cookies and Analytics

Our website and related digital services are hosted on secure, industry-standard cloud infrastructure located primarily within Australia. Limited technical processing may occur in other jurisdictions for security, support, or resilience purposes. Where this happens, we take reasonable steps to ensure that equivalent privacy and data-protection safeguards apply, including encryption, contractual controls, and restricted authorised access.

We use essential cookies to ensure the website functions properly and, with your consent, analytics cookies to help us understand and improve site performance. You can manage or withdraw consent through your browser settings at any time.

Where enabled, Google Analytics collects de-identified usage data with IP anonymisation. No personal or health information is shared or used for advertising.

Certain website features, such as maps or embedded tools, may process limited technical data in accordance with their own privacy policies.

For details about acceptable website use, please see our Website Terms of Use.

13. Online Bookings and Recruitment Applications

YARRA Radiology provides online booking and recruitment services through trusted third-party platforms. These systems are used to facilitate appointments and job applications securely, in line with Australian privacy requirements.

Online Bookings:  Our online booking system is powered by Comrad, a secure healthcare scheduling platform integrated within our Website. Information you provide through the booking form is transmitted directly to us via Comrad’s encrypted system and is managed in accordance with our Privacy Policy and Website Terms of Use, as well as Comrad’s Privacy Policy and Terms of Use, which also apply to your use of the booking service.

Recruitment Applications: Information submitted through our Website or authorised recruitment partners is used solely to assess your suitability for employment and is managed in accordance with applicable privacy laws and our internal retention and security policies.

14. Access to this Policy

This Privacy Policy is available on our Website and in hard copy at our reception, free of charge upon request. You may also contact us to obtain a copy in an alternative format if required.

15. Review and Updates to this Policy

YARRA Radiology reviews this Privacy Policy periodically and updates it as required by changes in law, regulation, or operational practices. Recent and emerging reforms include higher privacy penalties, doxxing offences, AI transparency obligations, the statutory tort of privacy, and forthcoming measures such as the Children’s Online Privacy Code and enhanced surveillance laws.

This Privacy Policy is effective from 27 October 2025.
© 2025 VDX Radiology Pty Ltd (trading as YARRA Radiology)
This document supersedes all previous versions.