Privacy Policy
Mayfair Specialist Centre (MSC)
Effective date: 13/08/2025
1) Who we are and scope
Mayfair Specialist Centre (MSC) provides consulting suites and clinical services in East Melbourne and operates this website (including our online referral form). This policy explains how we handle personal information and health information collected in-clinic and online.
MSC complies with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), and—because we operate in Victoria—the Health Records Act 2001 (Vic) and Health Privacy Principles (HPPs) for health information.
2) The information we collect
- Identity and contact details: name, date of birth, address, phone, email.
- Health information: referral details, clinical notes, history, diagnostic information, images and reports.
- Administrative/billing: Medicare number, claim details, transaction records (if applicable).
- Website data: IP address, device/browser info, pages viewed, form metadata, and cookies/analytics.
- Uploaded files: documents sent with online referrals (e.g., letters, images, reports).
3) How we collect information
- Directly from you (in person, by phone, email, forms).
- From referring practitioners via our online referral form.
- From other healthcare providers or diagnostic services where reasonably necessary for your care.
- Automatically via our website (cookies/analytics). You can manage cookies in your browser settings.
4) Why we collect and use information
We collect, use and disclose information to:
- provide clinical care, triage referrals, and coordinate appointments and follow-up;
- communicate with you and your referring/treating practitioners;
- process Medicare claims and administrative functions;
- operate, secure and improve our website and services;
- meet legal, regulatory and reporting obligations (including privacy and health record laws).
These purposes align with the APPs and HPPs governing collection, use and disclosure of personal and health information.
5) Online referral form
Referrals submitted via our online form are transmitted over encrypted connections to authorised practice staff. Supporting documents are handled securely and removed from our systems after a short retention period (normally within 30 days).
6) Disclosing information
We may disclose information, where appropriate and necessary, to:
- our clinicians and authorised practice staff;
- your referring and treating practitioners and allied health providers;
- diagnostic services (e.g., pathology, imaging);
- IT, hosting and security providers (e.g., managed WordPress hosting on AWS Sydney and network protection via Cloudflare);
- government agencies, regulators, insurers or courts/tribunals as required by law;
- other third parties with your consent or where permitted by law.
Where we use external service providers, we take reasonable steps to ensure they meet appropriate privacy and security standards. Some providers (e.g., content delivery/security networks) may process limited personal information outside Australia; we use reputable providers and safeguards consistent with the APPs.
7) Data security
We use administrative, technical and physical safeguards appropriate to a healthcare setting (e.g., role-based access, encryption in transit, strong authentication, least-privilege access, patching/updates, logging/monitoring). Despite safeguards, no system is risk-free; we maintain and test our incident response plan and follow the Notifiable Data Breaches (NDB) scheme where an eligible breach is suspected or confirmed.
8) Retention and destruction
- Clinical records: In Victoria, minimum retention is 7 years from the last entry for adults, and until a child turns 25 (or longer if clinically or legally prudent). We securely destroy or de-identify records when no longer required and when permitted by law.
- Website referral entries: automatically deleted 30 days after submission (see Section 5).
- Backups/logs are kept for limited periods necessary for security and continuity.
9) Access and correction
You may request access to, or correction of, your personal/health information. We will respond within a reasonable time and may need to verify identity. Access might attract a permitted fee and may be refused in limited cases (we’ll tell you why and how to complain). These rights are supported under the APPs and HPPs.
10) Direct marketing
We do not use health information for direct marketing. If we ever send general updates (e.g., clinic notices), you can opt out at any time.
11) Cookies and analytics
Our website may use cookies and analytics to improve performance, security and user experience (e.g., page load optimisation, spam/abuse prevention). You can disable cookies in your browser, but some features may not work as intended.
12) Contact us
Our contact information is available here.
13) Complaints
If you have a privacy concern, please contact our Privacy Officer first. We’ll investigate and respond. If you’re not satisfied, you can contact:
- Office of the Australian Information Commissioner (OAIC) – privacy complaints and the NDB scheme.
- Health Complaints Commissioner (Victoria) – complaints about handling of health information under the Health Records Act 2001 (Vic).
14) Changes to this policy
We may update this policy to reflect changes in our services, technologies or legal requirements. The latest version will always be available on our website and marked with its effective date.