GenesisCare Australia – Privacy Policy

The purpose of this policy is to set out how GenesisCare Australia Holdings Pty Ltd (ACN: 674 439 359) and its Australian wholly-owned subsidiaries in Australia (GenesisCare, we, us) collect and manage personal information.

Relationship with Privacy Collection Notices and Consent Forms

This Privacy Policy should be read in conjunction with any privacy collection notice and/or consent form provided by GenesisCare at the time of collecting personal or sensitive information. Where GenesisCare collects, uses, or discloses sensitive information, we will provide a collection notice and obtain the necessary consent from the individual, as required by law. In circumstances where GenesisCare does not collect any sensitive information from an individual, notification of this Privacy Policy will be deemed to have occurred by making this Privacy Policy publicly available on our website. If GenesisCare collects sensitive information from other groups of individuals not covered by this Privacy Policy, we will provide a specific privacy collection notice and obtain the necessary consent to ensure compliance with applicable privacy laws.

1. Who is covered by this Privacy Policy?

This Privacy Policy applies to GenesisCare (as described above) and sets out our approach to collecting and managing personal information of all individuals that interact with GenesisCare, other than GenesisCare’s staff. Current and former GenesisCare staff should instead refer to the Privacy Notice for Staff (Australia).

2. What is our approach to handling personal information?

GenesisCare is committed to treating any personal information it collects and handles with respect, and to ensuring that it complies with relevant privacy laws, including the Privacy Act 1988 (Cth) (Privacy Act), and health records legislation.

3. What personal information do we collect about you?

This will depend on the nature of our relationship with you.

3.1. Patients

If you are a patient, the personal information we collect about you may include your name, contact details and date of birth, as well as other sensitive information including health and financial information and personal demographics information. This may include gender, race, heritage/ethnic origin, and marital status, Medicare details, concession/pension information (including DVA number if applicable), ambulance membership number, health insurance details, billing/account details, occupation and employment information, medical history information, diagnosis information, test results, family medical history, lifestyle information relevant to your health, next of kin and emergency contact information, guardian or legal representative information, other information that may be relevant to your diagnoses, treatment or healthcare and any other information you share with us.

We may also collect information about your interactions with us, including your responses to patient surveys relating to service improvement.

We may take photographs or audio-visual recordings of you in a clinical context in connection with your treatment or healthcare. We also operate video surveillance systems at our clinics for safety and security purposes. This may include the collection of still or video footage of individuals attending our premises. Where CCTV or other recording technologies are in use, signage will be displayed to notify individuals. Footage is collected and stored securely, and access is restricted to authorised personnel. GenesisCare does not use surveillance footage for any purpose other than safety, security, and incident investigation, unless required by law. For more information, please contact us at the details set out at the end of this Privacy Policy. We will only collect information about your health, or other sensitive personal information about you (including photographs or audio-visual recordings of you), if we have your consent or if we are otherwise permitted or required by law to do so.

3.2 Healthcare professionals

If you are a referring clinician or other healthcare professional, the personal information we collect about you may include your name, contact information, professional details (including qualifications, accreditation and registration information), information regarding your interactions or work with us and any other information you choose to share with us.

If you are a representative of a pharmaceutical company, medical device manufacturer, research institution, or other external organisation interacting with GenesisCare in a research or clinical trial context, we may collect personal information such as your name, contact details, professional credentials, and interaction history with GenesisCare. This information is used for collaboration, contracting, compliance, and research governance purposes.

GenesisCare may also collect and manage information related to your role in clinical trials, including trial documentation, site monitoring reports, and regulatory submissions. All data handling complies with applicable privacy laws and contractual obligations.

3.3 Others

If you are participating in a research study conducted or supported by GenesisCare, we may collect personal and sensitive information about you in accordance with the approved research protocol and applicable ethics approvals. This may include health information, demographic data, biological samples (e.g. blood or tissue), and study-related observations. All data collection is subject to your informed consent or a waiver granted by a Human Research Ethics Committee (HREC), as required by law. We also use the de-identified information of patients for research purposes, in order to analyse and improve our cancer treatments. Where applicable, your data may be shared with research collaborators, sponsors, or regulatory authorities under strict contractual and ethical safeguards. We implement robust security measures to protect your information and ensure that it is only accessed by authorised personnel in accordance with the law.

We may also collect personal information about other members of the public, including visitors, families, and those who contact us via our website and other avenues.

The types of personal information we collect about you may include your name, contact information, identification information (for verification), relationship to a patient (if applicable), and any other information you choose to share with us.

4. How do we collect your personal information?

4.1. Patients

Personal Information

Where practicable, we will collect your personal information directly from you when you complete our patient documentation, attend our clinics, or communicate with us over the phone. This may include your name, contact details, date of birth, Medicare number, health insurance details, billing and account information, and emergency contact details. We may also collect information about your interactions with us, including responses to patient surveys.

We may sometimes collect personal information from third parties, including your family members, referring clinicians, other healthcare professionals, service provider organisations, and government departments or national record repositories.

Sensitive Information

We may collect sensitive information about you, including health information, medical history, diagnosis details, test results, family medical history, lifestyle information relevant to your health, concession/pension information and personal demographics (such as gender, race, heritage/ethnic origin, and marital status). We may also take photographs or audio-visual recordings of you in a clinical context in connection with your treatment or healthcare.

GenesisCare may operate video surveillance systems at its facilities for the purposes of protecting the safety of our staff, patients, and visitors. This may include the collection of still or video footage of individuals attending our premises. Where CCTV or other recording technologies are in use, signage will be displayed to notify individuals. Footage is collected and stored securely, and access is restricted to authorised personnel.

We will only collect sensitive information (including health information and clinical recordings) if we have your consent or if we are otherwise permitted or required by law to do so, such as in a medical emergency.

4.2 Healthcare professionals

Personal Information

We will collect your personal information directly from you, unless a patient provides your details to us, in which case we will verify the details with you. This may include your name, contact information, professional details (such as qualifications, accreditation, and registration), and information regarding your interactions or work with us.

GenesisCare may operate video surveillance systems at its facilities for safety and security purposes. This may include the collection of footage of individuals attending our premises.

4.3 Others

Personal Information

Where practicable, we will collect your personal information directly from you. We may sometimes collect your personal information from another person, organisation or agency, where it is unreasonable or impracticable for us to collect it directly from you. We may also operate video surveillance systems at our facilities for the purposes of maintaining the safety of our staff, patients and visitors.

5. Why do we collect your personal information?

5.1. General

We collect and use your personal information (including sensitive information) for the following purposes (as applicable):

  • Providing healthcare services to patients
  • Performing activities reasonably incidental to our ordinary course operations, such as:
  • Administration functions, including scheduling appointments and billing, safety and security purposes
  • Education, training, quality assurance and other analytical activities to evaluate and improve our patient management processes, patient outcomes, and broader healthcare and healthcare delivery
  • Dealing with enquiries, complaints and legal proceedings
  • Complying with legal obligations, including in relation to statutory and public health reporting requirements, such as those under the Privacy Act, Public Health Acts, Health Practitioner Regulation National Law, Therapeutic Goods Act 1989 (Cth), Health Records and Information Privacy Act 2002 (NSW) and other applicable laws.
  • Corresponding with clinicians and other healthcare professionals about clinical updates, events and other news which may be of interest to them or their practice
  • Other purposes with your consent or approval from a registered Human Research Ethics Committee (if applicable), or as otherwise required or authorised by law

5.2. Direct Marketing

GenesisCare may use your personal information to share information with you about our products, services, and programs that may be of interest to you. We will only send direct marketing communications in accordance with applicable laws, including the Spam Act 2003 (Cth) and the Privacy Act. You will always be given the opportunity to opt out of receiving marketing communications, and we will respect your preferences.

GenesisCare does not use sensitive information (such as health information or demographic data) for direct marketing purposes unless you have provided your express consent or we are otherwise permitted by law to do so.

5.3. Medical research and product development

We may use and disclose sensitive information for medical research and product development. For example, this may include the development of new diagnostic tools and products, treatment methods and pathways.

In this case:

  • We will only use or disclose your information in identifiable form if we have your consent or approval from a registered Human Research Ethics Committee
  • We may use or disclose your information in de-identified form without further notice and without your consent. De-identification means that we take reasonable steps to ensure that you are no longer identifiable from the information, including when combined with other data that is reasonably available. Once de-identified, the information cannot be used to reasonably ascertain your identity.

We require that all researchers who have access to your information follow strict ethical guidelines.

6. Who do we share your personal information with?

We may need to disclose your information to others for one or more of the purposes described above.

For example, depending on the circumstances, we may need to disclose your information to:

  • Clinicians and other healthcare professionals, such as GPs, pathologists, radiologists, medical and surgical specialists, pharmacists and allied health professionals, involved in your care
  • Government agencies and public hospitals, where we provide care to you under a contract with that agency or hospital and are required to provide the information under the relevant contract
  • The Australian Government’s My Health Record system, where you have registered for this service. This may include uploading approved clinical documents, such as discharge summaries, to your My Health Record in accordance with the standing consent provided at registration. You may opt out of this process or request that specific documents not be uploaded by notifying your treating clinician or administrative staff (see section 12, below).
  • Private hospitals and other private healthcare providers, where we provide health services to you (or they provide health services to you) under a contract between GenesisCare and that provider and are required to provide the information under the relevant contract
  • Courts and other public authorities, where we are required to do so by law (for example, if we are issued with a subpoena to produce medical records in relation to court proceedings)
  • Our lawyers, insurers (including Medical Defence Organisations) and medical experts who help us to deal with enquiries, complaints and legal proceedings
  • External service providers and advisors who help us run our business, including software vendors and service providers who help run our IT systems
  • GenesisCare group entities
  • People legally responsible for your healthcare decisions, including your attorneys, guardians or other personal representatives
  • Researchers involved in medical research or product development
  • Other people with your consent, such as your insurers, lawyers and close family, or as otherwise required or authorised by law

7. Do we disclose your information overseas and where?

GenesisCare may transfer personal information within the GenesisCare group of companies, including to its related companies located in Spain and the United Kingdom, for purposes such as patient continuity of treatment. We may disclose personal information to global suppliers that we engage for the provision of services to the GenesisCare group of companies. Such disclosures occur only where necessary to deliver services or support to an individual, or where access to data sets is required under a vendor’s maintenance or support agreement with GenesisCare. For example, certain vendors may require access to our Electronic Medical Record system for technical support purposes, but this does not necessarily involve access to individual patient records. These suppliers may be located outside Australia, including in countries such as the United States, United Kingdom, Spain, New Zealand, Canada, Ireland, India, China and Southeast Asia.

However, in accordance with the Foreign Investment Review Board (FIRB) conditions (that GenesisCare adheres to), all Australian patient data, including sensitive information such as health records, is stored in Australia. Overseas disclosure of patient information will only occur in very limited circumstances, such as where it is necessary to provide or facilitate the delivery of health services to the patient, and only in compliance with applicable privacy laws. GenesisCare takes reasonable steps to ensure that any overseas recipients of personal information do not breach the Australian Privacy Principles in relation to that information.

8. How do we hold and protect your personal information?

We hold personal information electronically and in hard copy form, both at our own premises and with the assistance of third-party service providers who provide data storage, hosting and cloud computing services. In all cases we take reasonable steps in the circumstances to protect your personal information from misuse, interference, loss, unauthorised access, modification and disclosure and implement a range of measures to protect the security of that personal information in accordance with our obligations under the Privacy Act, including physical security measures, secure access controls, staff training, multi-factor authentication, and encryption of data.

9. How we use Artificial Intelligence in Clinical Care

9.1 AI Tools

We may use artificial intelligence (AI) technologies to support diagnosis and treatment decisions as part of your clinical care. These tools are designed to assist your treating doctor by analysing clinical data and medical images (such as biopsy pathology slides) to provide personalised treatment insights, and give your doctor access to greater information, to assist their clinical judgement. In particular, we may securely share relevant clinical and pathology data with trusted service providers, such as ArteraAI, who use AI to evaluate the potential benefit of certain treatments (e.g. hormone therapy for prostate cancer). These tools do not replace medical judgment but support more tailored, evidence-based care. Our doctors use Heidi Health, an AI-powered medical scribe and transcription platform designed to support clinicians by automating documentation tasks during patient consultations. We also use Large Language Model (LLM) tools to support clinical decision-making and enhance the quality and efficiency of patient care. These tools assist our clinicians by extracting and analysing structured and unstructured data from electronic medical records (EMRs), including imaging, pathology, and administrative records.

The AI tools are used to:

  • Pre-populate diagnosis and staging fields in clinical workflows.
  • Support clinical trial matching by identifying potentially eligible patients.
  • Improve the accuracy, completeness, and timeliness of clinical documentation.

9.2 Human Oversight and Decision-Making

All outputs generated by LLM tools are reviewed and validated by qualified healthcare professionals. These tools do not make autonomous decisions. Final clinical decisions remain the responsibility of the treating clinician, ensuring that AI serves as a support mechanism rather than a replacement for medical judgment.

9.3 Data Privacy and Security

GenesisCare is committed to protecting the privacy of personal and health information. The use of any AI tools complies with the Privacy Act and other relevant laws. Where possible, data processed by these tools is de-identified. When identifiable data is used, it remains within GenesisCare’s secure systems and is not transferred externally without appropriate safeguards.

9.4 Transparency and Consent

Patients are informed about the use of AI tools in their care as part of our broader privacy and consent processes. GenesisCare ensures that patients understand the role of AI in their treatment and the safeguards in place to protect their information.

9.5 Monitoring and Governance

GenesisCare conducts regular audits of AI tool performance, including accuracy and bias assessments. Any new or modified use of AI tools is subject to legal, ethical, and cybersecurity review, and must be approved in accordance with our internal AI Governance Framework, which includes the following safeguards:

  • Personal information is only shared with AI technology providers where necessary for your care.
  • We have strict contractual and data protection agreements with all service providers.
  • Where possible, we use de-identified or pseudonymised data.
  • We do not use AI to make automated decisions without clinical oversight.
  • We do not use your information for training or improving AI tools without your consent or appropriate ethics approval.

If you have any concerns about how your information is used in AI-supported care, you can contact our Privacy Officer using the details provided below at section 15.

10. What happens if you do not provide your personal information to us?

If you do not provide your personal information to us when requested, we may be unable to carry out the purposes described above. For example, we may be unable to provide you with healthcare services and treatment. The impact will depend on the nature of your relationship with us, your location and the type of personal information you wish to withhold. We will tell you about the implications of your decision if it becomes relevant.

11. How can you access or correct your personal information?

You may request access to any personal information we hold about you by contacting our Privacy Officer using the contact details set out below.

Please also let us know if your personal details change (for example, your name or contact details), or if you notice errors or discrepancies in information we hold about you. You may do this at your next appointment with us (if you are a patient) or by contacting our Privacy Officer using the contact details set out below at section 15.

We may ask you to verify your identity when you make an access or correction request. There may also be circumstances in which we will not be able to comply with your request. In these cases, we will provide reasons for why we cannot comply and will explain what other options may be available to you.

12. Interacting with ‘My Health Record’

GenesisCare participates in the Australian Government’s My Health Record program. There are no changes to the way GenesisCare collects, stores, or discloses personal information as a result of implementing My Health Record. Where a patient has registered for My Health Record, GenesisCare may access information stored in the Patient’s record and upload an approved Discharge Summary to their record in accordance with the standing consent provided at registration. This upload occurs unless the patient has explicitly opted out or requested that we do not send the summary to My Health Record. Patients may opt out of this upload process at any time by notifying their treating clinician or administrative staff or by modifying access controls within their My Health Record account or by opting out of the My Health Record program entirely. GenesisCare has implemented procedures to ensure that any such opt-out requests are respected and that no information is uploaded where a patient has withdrawn consent. We maintain a My Health Record Security and Access Policy in accordance with Rule 42 of the My Health Records Rule 2016, and ensure that authorised staff are appropriately trained and access is monitored. For more information about My Health Record, including how to manage your access controls, visit https://www.myhealthrecord.gov.au

13. Interacting with our websites

Our websites may use cookies to identify and interact more effectively with the access device you are using. Cookies are text files placed on your device.

We use four types of cookies:

  • Strictly necessary cookies: These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.
  • Performance cookies: These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site and will not be able to monitor its performance.
  • Functional cookies: These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.
  • Targeting cookies: These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

We may use Google Analytics and Adobe Experience Manager to analyse usage of our websites from time to time. For more information about how these companies and their services collect and process data, please see: www.google.com/policies/privacy/partners/ and www.adobe.com/privacy/experience-cloud

You may accept or decline most types of cookies by adjusting the settings in your web browser. If you choose to decline cookies, you may not be able to fully experience the interactive features of our websites.

Our websites may include links to other websites that are run by third parties. We are not responsible for how those third parties may collect, use and share your information. Please carefully review any privacy statements published on third-party websites before you interact with those websites.

14. Questions or Complaints?

If you have questions regarding this Privacy Policy or wish to make a complaint about our handling of personal information, please contact our Privacy Officer in writing, using the contact details set out below.

We may need to verify your identity and ask for further information, in order to investigate and respond to your question or complaint. We will aim to respond to you within a reasonable time (generally between 5 and 20 business days).

If we are unable to satisfactorily resolve your concern or complaint, you may wish to contact the State Privacy Regulators for complaints involving health information regulated under state-specific laws (e.g. Health Records and Information Privacy Act 2002 (NSW) or Health Records Act 2001 (VIC)). For example, the Information and Privacy Commission NSW, or the Office of the Victorian Information Commissioner; or for complaints relating to information handling regulated under the Privacy Act go to the Office of the Australian Information Commissioner (OAIC). Contact details for the OAIC can be found at the OAIC’s website: https://www.oaic.gov.au.

Contact us

Post:

Building 7, The Mill Level 1,
41-43 Bourke Road Alexandria, NSW, 2015

1800 325 100

We may review and update this Privacy Policy from time to time. A copy of the latest version of this Privacy Policy is available at www.genesiscare.com.

Last updated November 2025.