LVF Eye Centre Privacy Policy

Version 2.0 | March 2026

This policy applies to the LVF Eye Centre clinical ophthalmology practice operated by Professor Christopher Layton (ABN: 61 162 716 074) at ‘HQ South Tower’, Level 3, 520 Wickham St, Fortitude Valley QLD 4006. It does not govern the Layton Vision Foundation (ABN: 48 610 760 604), which maintains a separate privacy policy. Where both entities interact with your personal information (for example, in the context of research participation), this will be clearly identified at the time of collection.

1. Introduction and Our Commitment

The LVF Eye Centre is committed to the responsible management of personal information in accordance with the Privacy Act 1988 (Cth) (the Privacy Act) and the Australian Privacy Principles (APPs) set out in Schedule 1 of the Privacy Act. As a private health service provider, the LVF Eye Centre is an APP entity and handles health information, which is a category of sensitive information attracting the highest level of protection under the Privacy Act.

This Privacy Policy explains:

– the kinds of personal information (including health information) we collect and hold
– how we collect and hold that information
– the purposes for which we collect, hold, use and disclose personal information
– how you may access and seek correction of the personal information we hold about you
– how you may complain about a breach of the APPs and how we will deal with that complaint
– whether we are likely to disclose personal information to overseas recipients, and if so, the countries in which those recipients are likely to be located
– how we handle website data, cookies and analytics

This policy is available on our website at www.lvfeyecentre.org.au, at our reception, and in hard copy upon request. We review this policy regularly to ensure it reflects current law and our operational practices. This version takes into account the Privacy and Other Legislation Amendment Act 2024 (Cth) (POLA), the National Health (Privacy) Rules 2025, and Queensland Health Sector records retention requirements.

2. What Personal Information Do We Collect and Hold?

As a specialist ophthalmology practice, the personal information we collect is primarily health information for the purposes of the Privacy Act. The types of information we may collect and hold include:

Identification and contact information:
– Full name, date of birth, address, telephone number and email address
– Medicare number, DVA number, private health fund membership number and other government identifiers
– Emergency contact details and next-of-kin information

Clinical health information:
– Presenting symptoms, diagnoses and clinical findings
– Visual acuity, intraocular pressure measurements, optical coherence tomography (OCT) results and other ophthalmic diagnostic data
– Surgical and procedural records, including operative notes and anaesthetic records
– Prescribed medications, allergies and adverse drug reactions
– Pathology and imaging results
– Correspondence from referring practitioners, general practitioners and other treating specialists
– Your Individual Healthcare Identifier (IHI)
– My Health Record entries uploaded or downloaded by treating clinicians
– Genetic information, where relevant to a hereditary eye condition

Administrative and financial information:
– Appointment records and billing details
– Health insurance claim information
– Medicare claims records (which must be retained for a minimum of two years from the date of service)

We do not collect personal information unless it is reasonably necessary for, or directly related to, one or more of the purposes identified in this policy. We do not collect sensitive information about race, religion or sexuality unless this is clinically relevant and you have consented to its collection.

3. How We Collect Personal Information

We collect personal information by lawful and fair means. We collect personal information:

– Directly from you: when you register as a patient, complete forms at reception, provide information during a clinical consultation, or contact us by telephone or email
– From referring practitioners: your general practitioner, optometrist or other specialist may send referral letters, clinical notes or investigation results to us as part of organising your care
– From other members of your treating team: including hospitals, diagnostic imaging services, pathology laboratories, and allied health practitioners involved in your care
– From the My Health Record system: if you are registered on the My Health Record system, your treating clinician may access or upload relevant clinical information with your consent, subject to the My Health Records Act 2018 (Cth)
– From electronic prescription services: where the practice participates in electronic transfer of prescriptions
– From your health insurer or Medicare: in connection with billing and insurance claiming
– Via our website and online booking systems: when you submit an enquiry, request an appointment, or interact with our website (see section 11 below regarding website data)

Where it is lawful and practicable to do so, we will collect personal information directly from you. If we collect personal information about you from a third party, we will take reasonable steps to notify you of that collection as soon as practicable, unless you already know of it or notification is not required by law.

4. Anonymity and Pseudonymity

The Privacy Act provides that individuals must generally be given the option of not identifying themselves, or of using a pseudonym, when dealing with an APP entity (APP 2). However, in the context of a clinical ophthalmology practice, it is generally impracticable to provide services on an anonymous or pseudonymous basis. This is because:

– Accurate patient identification is essential for safe clinical care, including prescribing and surgery
– Medicare and private health fund claiming requires verified patient identity
– Surgical procedures require verified consent from an identified individual

Accordingly, we require patients to identify themselves when attending for clinical care. In limited circumstances (for example, where you wish to make a general enquiry about our services) you may do so without providing identifying information.

5. Why We Collect, Hold, Use and Disclose Personal Information

We collect, hold, use and disclose your personal information for the following primary purposes:

Clinical care:
– To assess, diagnose, treat and manage your eye health
– To provide surgical and procedural care, including pre- and post-operative management
– To obtain and review diagnostic test results
– To communicate with you regarding your care, including appointment reminders and follow-up

Care coordination:
– To consult with and refer to other members of your treating team, including your GP, optometrist, other specialists, hospitals and allied health practitioners
– To correspond with your referring practitioner regarding your progress and treatment outcomes

Administrative and billing purposes:
– To manage billing, process Medicare claims, liaise with your private health fund, and pursue unpaid accounts where necessary
– To manage our practice administration systems, including appointment scheduling and medical records systems

Legal and regulatory compliance:
– To comply with legal obligations, including mandatory reporting under applicable legislation (such as mandatory notification of communicable diseases)
– To respond to lawfully issued subpoenas, court orders and requests from regulatory bodies
– To comply with obligations under the Health Practitioner Regulation National Law

Research (where separately consented):
– The LVF Ophthalmology Research Centre conducts ophthalmic research. If you are invited to participate in a research study, your personal and health information will only be used for research purposes with your separate, written, informed consent, and subject to ethics approval. Your decision whether or not to participate will not affect your clinical care.

We will not use your health information for direct marketing purposes without your express consent, and you may withdraw that consent at any time. The AMA advises caution regarding direct marketing in medical practices, and we do not engage in unsolicited direct marketing to patients.

6. Disclosure of Personal Information

We disclose your personal information only for the purposes for which it was collected, or as permitted by law. We may disclose your personal information to:

– Treating practitioners: GPs, optometrists, specialists, hospitals, anesthetists, and allied health practitioners involved in your care
– Diagnostic and pathology services: to obtain test results and reports
– My Health Record: your treating clinician may upload relevant clinical information to your My Health Record where you are registered on the system
– Electronic prescription services: where the practice participates in this service
– Health insurers and Medicare: for billing and claiming purposes
– The Department of Veterans’ Affairs: if you hold a DVA entitlement
– Debt collection and legal services: only where reasonably necessary to recover unpaid accounts, subject to minimum necessary disclosure
– Regulatory bodies: including AHPRA, the Medical Board of Australia and the Queensland Health Ombudsman, where required or authorised by law
– The Office of the Australian Information Commissioner (OAIC): in connection with privacy complaints or investigations
– Practice staff and contractors: including employees, locum practitioners and contracted IT service providers who are bound by confidentiality obligations
– Anyone you have authorised us to disclose information to: in accordance with your written or clearly expressed instructions

We do not sell, rent or trade your personal information to third parties for commercial purposes.

7. Overseas Disclosure

Some of the third-party systems and service providers we use may store or process data overseas. Specifically:

– Cloud-based software and storage: our practice management software Genie/Gentu may utilise cloud infrastructure hosted in Australia and the United States. Where cloud storage is provided by an offshore entity that is able to access (not merely store in encrypted form) patient data, this constitutes a cross-border disclosure under APP 8.
– Email services: if you communicate with us by email, your email may transit servers located outside Australia.
– International referrals: where you have previously received care from an overseas practitioner and we need to obtain those records, or where you are referred to an overseas provider, information may be disclosed internationally with your consent.
– AI scribe: to help prepare accurate clinical notes and referral letters, we may use an Australian-based “AI scribe” service that records or captures audio from your consultation. A clinician reviews and signs all notes before they become part of your record. You can opt out at any time without affecting your care – please tell your clinician. Some processing or secure storage may occur outside Australia (for example, the USA) and, in limited cases, a trained reviewer may access excerpts for quality assurance. We remain responsible under the Privacy Act 1988 (Australian Privacy Principles) and take reasonable steps to protect your information (encryption, access controls, retention limits). We do not allow your information to be used to train AI systems unless you give separate, explicit consent. If you require details, contact the practice.

Before disclosing personal information to any overseas recipient, we will take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to that information (APP 8.1), or we will obtain your consent to the disclosure on the basis that APP 8.1 will not apply.

8. How We Hold and Protect Your Personal Information

We take reasonable steps (including both technical and organisational measures) to protect the personal information we hold from misuse, interference, loss, and from unauthorised access, modification or disclosure. These steps include, but are not limited to:

– Patient records are stored in a password-protected, encrypted practice management software system with role-based access controls limiting access to staff who require it for their clinical or administrative duties
– Paper records (where held) are stored in locked filing cabinets accessible only to authorised personnel
– All practice staff and contractors are required to sign confidentiality agreements and receive training on their privacy obligations
– Remote access to clinical systems is protected by multi-factor authentication
– Our IT systems are protected by current antivirus and firewall software
– We maintain a document retention and destruction policy consistent with Queensland Health Sector records retention requirements (see section 9 below)
– We conduct regular reviews of our information security practices

Despite these measures, no information transmitted over the internet can be guaranteed to be fully secure. If you are concerned about transmitting personal information to us electronically, please contact us by telephone.

9. Retention and Destruction of Health Records

We retain health records in accordance with Queensland Health Sector (Clinical Records) Retention and Disposal Schedule requirements and Avant guidance:

Patient age at date of last entry | Minimum retention period
Adult (18 years or over) | 7 years from date of last entry
Minor (under 18 at date of last entry) | Until the patient reaches or would have reached 28 years of age AND 10 years after last service provision or legal action, whichever is later
Deceased minor | 10 years from date of patient’s death, AND 10 years after last medico-legal action
Medicare claims records | Minimum 2 years from date of service (superseded by the above where longer)

When health records are no longer required to be retained, they will be destroyed securely in a manner that protects patient confidentiality. A register of all records destroyed is maintained by the practice.

10. Accessing and Correcting Your Personal Information

Access: You have a right under APP 12 to request access to the personal information we hold about you. To make an access request, please contact us in writing at the details set out in section 14 below. We will respond to your request within 30 days. A reasonable fee may apply to cover the administrative cost of locating, retrieving and copying records; if so, we will advise you of the cost before proceeding.

We may refuse access in limited circumstances permitted by the Privacy Act (for example, where providing access would pose a serious threat to the life or health of another person, or where access would have an unreasonable impact on the privacy of other individuals). If we refuse access, we will provide written reasons and advise you of the mechanism available to complain about the refusal.

Correction: You have a right under APP 13 to request correction of personal information we hold about you if it is inaccurate, out of date, incomplete, irrelevant or misleading. Please contact us in writing using the details in section 14 below. We will respond within 30 days.

11. Website, Cookies and Online Interactions

Website enquiries and online booking: When you submit an enquiry, book an appointment online, or otherwise interact with our website, we collect the personal information you provide. This information is used to respond to your enquiry, confirm your appointment, or otherwise assist you.

Cookies and analytics: Our website may use cookies and website analytics tools (such as Google Analytics) to collect information about how visitors use our site. This information is used in aggregate form to improve our website and does not identify individual users. Cookies used on our site include:

– Essential cookies: necessary for the operation of the website (e.g., session management)
– Analytics cookies: used to understand site usage patterns in aggregate (e.g., page visits, referral sources)

You may configure your browser to refuse cookies. However, some parts of our website may not function correctly if cookies are disabled.

No sensitive health information is collected via our website contact forms, and our website does not include a patient portal or any functionality that involves the submission of clinical information online. Where Google Analytics or similar analytics tools are used, these do not receive identifiable health information.

If the practice introduces any tools that do collect identifiable health information online (such as a symptom questionnaire), this policy will be updated before that functionality goes live.

12. Notifiable Data Breaches

The LVF Eye Centre is subject to the Notifiable Data Breaches (NDB) Scheme under Part IIIC of the Privacy Act. As a private health service provider, we are required to notify affected individuals and the OAIC as soon as practicable if we experience an eligible data breach (that is, a data breach that is likely to result in serious harm to any individual whose information is involved in the breach).

If we suspect an eligible data breach has occurred, we will:

1. Take immediate steps to contain the breach
2. Conduct a prompt assessment to determine whether the breach is likely to cause serious harm
3. Notify affected individuals and the OAIC if our assessment concludes that serious harm is likely (in any event within 30 days of becoming aware of the breach)
4. Take reasonable steps to prevent or reduce the risk of harm resulting from the breach

In the event of a data breach involving the My Health Record system, we will also notify the System Operator as required under section 75 of the My Health Records Act 2018 (Cth).

If you believe your personal information held by this practice may have been accessed or disclosed without authorisation, please contact us immediately using the details in section 14 below.

13. Privacy Complaints

If you have a concern about how we have handled your personal information, or wish to make a complaint about a breach of the Australian Privacy Principles, please contact us in writing using the details in section 14 below. We will:

– Acknowledge receipt of your complaint within 5 business days
– Investigate your complaint and take it seriously
– Respond to you with the outcome of our investigation within 30 days

If you are dissatisfied with our response, or we have not responded within 30 days, you may refer your complaint to the Office of the Australian Information Commissioner (OAIC):

Phone: 1300 363 992
Email: enquiries@oaic.gov.au
Website: www.oaic.gov.au/individuals/how-do-i-make-a-privacy-complaint
Post: GPO Box 5218, Sydney NSW 2001

You may also raise concerns with the Queensland Health Ombudsman in relation to the handling of your health information:

Phone: 133 OHO (133 646)
Website: www.oho.qld.gov.au

14. Contact Details (Privacy Officer)

For all privacy-related enquiries, access requests, correction requests or complaints, please contact our Privacy Officer:

Privacy Officer
LVF Eye Centre
Greenslopes Private Hospital
Newdegate Street
Greenslopes QLD 4120

Email: privacy@lvfeyecentre.org.au

Phone: 07 3398 9494

15. Updates to This Policy

This policy will be reviewed at least annually, and whenever there is a material change to relevant legislation, our information handling practices, or our use of third-party systems. The current version will always be available on our website at www.lvfeyecentre.org.au. If significant changes are made, we will post a notification on our website and display a notice at reception.