Skip navigation

Privacy Policy

Effective Date: 15 July 2024
Last Review Date: 30 June 2026

1. About GPEx

gpex Limited (ACN 608 491 621) (“GPEx”, “we”, “us”, “our”) is a not-for-profit company limited by guarantee. We are a national strategic education partner for organisations, including governments and for-purpose organisations and not-for-profits. This Privacy Policy applies to all of gpex’s Australian operations.

2. About this Privacy Policy

gpex is committed to protecting your privacy. We handle personal information in accordance with the Privacy Act 1988 (Cth), including the Australian Privacy Principles (APPs). This Privacy Policy outlines, in plain English, how we manage personal information. In some situations, additional or separate privacy notices may apply (for example, for our employees or specific programs), and legal exemptions or requirements might override parts of this Policy (such as Australia’s employee records exemption). This Policy is not intended to limit any rights or allowances we have under law. By engaging with gpex – for example, by using our websites (gpex.com.au, modmed.com.au, learn.gpex.com.au, learn.modmed.com.au) or by providing your personal information to us – you agree to the practices described in this Privacy Policy.

What this Privacy Policy covers:

  • The kinds of personal information we collect and hold.
  • How and why, we collect personal information (including if we receive information without asking).
  • How we use personal information and the purposes for which we may disclose it (and the importance of consent when required).
  • Who we may share personal information with, including overseas recipients in some cases.
  • How we keep personal information secure and when we delete it.
  • How you can access your personal information or request corrections.
  • Your options, including dealing with us anonymously where possible, and how to opt out of direct marketing.
  • How to contact us with privacy questions or to lodge a privacy complaint, and how we will handle complaints.

3. Your privacy choices – dealing with us anonymously

Where practical and lawful (in certain general inquiries or initial contact), you may choose not to identify yourself or use a pseudonym when dealing with us. For example, if you contact us with a question (and it does not require us to know who you are), we will respect your choice not to provide your name. However, for most of our services – such as enrolling in our education or events or responding to specific requests – we generally need to know your identity and contact details to serve you and comply with our obligations. If you request to remain anonymous or use a pseudonym, we will let you know if this is possible in the circumstances. When anonymity or pseudonymity is feasible (for instance, if you are making a general inquiry or certain feedback/complaints), we will take reasonable steps to comply with your request and not associate your communication with your identity. You can discuss any anonymity requests with our Privacy Officer.

4. What personal information we collect

“Personal information” means any information or opinion about an identifiable individual. gpex will only collect personal information that is reasonably necessary for our work – we do not collect excessive or irrelevant data. The types of personal information we commonly collect include:

  • Identity details – such as your name, date of birth, and (if needed) gender.
  • Contact information – such as your residential and work addresses, telephone numbers, and email addresses (personal and work).
  • Professional details – such as your occupation, and your relevant academic and employment history (for example, qualifications and work experience, if you are undertaking a training program with us).
  • Program-related information – for participants in our education, we collect information about your program enrolment, progression, and assessment results.

This is not an exhaustive list. Depending on your interaction with gpex, we may request additional personal information necessary for specific activities or services. In some cases, we may also seek your consent to collect sensitive information – for example, details about your health (health information) or whether you are a member of a professional association. We will only collect sensitive information if it’s essential for our functions (for instance, health details to support your training placement) and with your consent, or as otherwise required by law.

Please note that if you follow links from our websites to third-party websites or services, their privacy practices will apply to any information you provide to those third parties. We encourage you to review the privacy policies of any external websites we link to.

5. How we collect personal information

Direct collection from you: In most cases, gpex collects personal information directly from you. This can happen in various ways, for example:

  • When you communicate with us by email, phone, or in person (such as making an enquiry or providing feedback).
  • When you fill out our forms or provide details to us (for example, when you enrol in a training program, register for a course or event, or subscribe to our newsletters).
  • During the delivery of education or support services to you (for instance, when you participate in workshops or assessments, and we record your progress).

You are not required by law to provide us with personal information. However, if you choose not to provide certain details, we may not be able to enrol you in programs, respond to your inquiries, or otherwise deliver the services or assistance you have requested.

If you provide us with personal information about another person (for example, providing an emergency contact’s details or referring a colleague), please ensure that you have their permission to do so. You should also inform them that you have given their information to gpex and direct them to this Privacy Policy so they understand how we will handle their information.

Third-party or indirect collection: We may also collect personal information from other sources in some situations, for example:

  • From third parties, if it is unreasonable or impracticable to collect the information directly from you. For instance, we might collect details from a professional college, a training supervisor, or a public register if needed for your training program.
  • From publicly available sources, such as professional registration directories or public websites, but only if necessary for our functions (e.g. verifying your professional qualifications).

If we receive your personal information from someone else (and not directly from you), we will take reasonable steps to notify you as soon as practicable. We will inform you what we collected and why and point you to this Privacy Policy or any specific privacy collection notice that applies, so you are aware of how and why we are handling your information.

Unsolicited information: If ever gpex receives personal information that we did not solicit (for example, if someone emails us personal details we didn’t request), we will determine whether that information is something we are permitted and would normally collect for our functions. If not, we will promptly and securely destroy or de-identify that information, as required by APP 4, to protect your privacy.

6. Why we use your personal information

gpex collects and uses personal information for purposes that are necessary to carry out our role as an education provider. The primary purposes for which we use your personal information include:

  • To verify your identity (for example, confirming your identity when you register or when you request access to your records).
  • To provide you with our education programs, and related services that you have requested or enrolled in. This includes enabling you to access our online learning platforms and websites and allowing us to administer your enrolment and participation.
  • To communicate with you about your enrolments, respond to your inquiries, and provide customer support.
  • To personalise and improve your experience on our websites and learning platforms (for example, remembering your preferences).
  • To monitor your progress and assess your needs (for instance, tracking your assessments and providing feedback or additional support).
  • To evaluate and improve our programs – we may use information on outcomes and feedback to conduct research, analysis and quality assurance, helping us ensure our resources s meet the needs of participants and to develop better services in the future.
  • To manage our internal operations and administration, including quality control, auditing, and record keeping.

We will not use your personal information for any purpose other than the primary purposes for which it was collected, or a related secondary purpose that you would reasonably expect, unless we have your consent or are otherwise permitted by law (in accordance with APP 6). In other words, if we ever need to use your information for a new purpose, we will only do so after explaining why and obtaining your permission, unless an exemption under the law applies.

7. Direct marketing communications

gpex does not sell your personal information or contact details to third-party marketers. We may, however, occasionally send you marketing communications about our own programs, courses, events or services that we believe could be of interest to you (for example, a newsletter or an event invitation). We will only send you marketing communications if you have provided your consent, such as by opting in to receive updates, or if you would reasonably expect to receive such communications from us in the context of our relationship (and haven’t opted out). In every marketing email or message, we send, we will provide a clear opt-out (unsubscribe) option. You can opt out of marketing communications at any time, and we will respect your choice – you will continue to receive non-marketing communications necessary for our services (for example, notices about your enrolled program or transactions).

8. Who we disclose personal information to

gpex may share your personal information with third parties in certain circumstances, to carry out our services or as required by law. Common situations include:

  • Service providers and contractors: We use trusted third parties to support our operations and deliver some education programs. This includes organisations and individuals providing services such as IT and cloud storage, website and e-learning platform hosting, data management, marketing support, and external training or assessment services. These providers are only given access to the information necessary for them to perform their functions for us, and they are required to handle your information securely and in accordance with privacy laws.
  • Professional and government bodies: If you are undertaking training or education through GPEx, we may disclose relevant personal information to organisations such as the Australian Government Department of Health and to professional accreditation bodies like the Royal Australian College of General Practitioners (RACGP) or the Australian College of Rural and Remote Medicine (ACRRM). This is done as needed to manage your training, placements, and professional accreditation, and is often a required part of program funding or oversight.
  • Other third parties at your direction: We will share your personal information with other organisations or individuals if you request or consent to it. For example, if you ask us to provide a reference or forward your course records to a potential employer or another education provider, we will do so with your permission.
  • Legal requirements and vital interests: We may disclose personal information when required or authorised by law. This includes situations like responding to valid court orders, subpoenas, or requests from government authorities (e.g. law enforcement or regulators). We may also share information if we believe it’s necessary to prevent a serious threat to someone’s life, health or safety, or to public health or safety – for instance, in an emergency.

Aside from the instances above, we do not disclose your personal information to outside organisations or third parties unless you would reasonably expect it or we have your consent. In all cases of sharing data, we adhere to the requirements of APP 6 (Use or disclosure of personal information). Also, as noted in the Direct Marketing section, we do not sell your personal information to others.

9. Cross-border disclosure of personal information

Some of our service providers (especially those offering cloud-based services or software tools) may be located overseas. This means the personal information we hold about you could be stored or processed on servers in other countries. For example, GPEx may, from time to time, use cloud or IT service providers that store data in the United States or other countries. We will only disclose personal information overseas in accordance with the Privacy Act and APP 8. We will take reasonable steps to ensure any overseas recipient protects your information to the same standard as required in Australia. We maintain contractual agreements and security measures with our international service providers to safeguard your data.

10. Use of government identifiers

gpex will not adopt or use any government-issued identifier that you may have – such as your Medicare number, Tax File Number, or driver’s licence number – as our own identifier for you, unless required or authorised by Australian law (APP 9). We may ask for certain official identifiers if needed for our services (for example, verifying your identity or eligibility for a program as required by a government funding agreement), but we will only use such information for the required purpose and will not use it to label or reference you internally.

11. How we protect and store your personal information

GPEx takes the security of personal information seriously. We have implemented physical, electronic, and administrative safeguards to protect your personal information from misuse, interference, loss, and unauthorised access, modification or disclosure (in line with APP 11):

  • Secure facilities and storage: We restrict access to our offices and filing areas. Physical files containing personal information are in secure, locked locations.
  • Digital security: Our electronic systems are protected by technical security measures such as firewalls, encryption, secure servers and databases, and unique user IDs and passwords. We also use access controls so that personal information is only available to staff who need it to perform their duties.
  • Monitoring and training: Emails sent to us are scanned by security software to protect against threats. Our staff and volunteers receive training on privacy and data protection, reflecting our commitment to safeguarding personal information.

We retain personal information for only as long as necessary for our functions or to meet our legal and contractual obligations. For example, we may need to keep certain training records for a set number of years due to funding requirements or laws. gpex maintains a Retention and Destruction Schedule that specifies how long different types of information are kept. When personal information is no longer required, we take reasonable steps to securely destroy or permanently de-identify it. We also regularly review the personal information we hold to ensure we are not keeping data we don’t need.

In the unlikely event of a data breach that risks causing serious harm (for instance, a significant loss or unauthorised access of personal data), we will respond swiftly. gpex has a data breach response plan, and if a serious breach occurs, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC) as required by law.

12. How to access your personal information

You have the right to request access to the personal information gpex holds about you. If you wish to obtain a copy of specific records or information, please contact our Privacy Officer (see Contact Us below). We will need to verify your identity before providing any data – this is to ensure we protect your information from unauthorised access.

In regular lcircumstances, we will grant you access to your information. However, the Privacy Act allows certain exceptions. For example, we may decline or limit access if granting it would unreasonably impact someone else’s privacy, if your request is frivolous or vexatious, or if another legal exception applies. If we refuse your access request, we will inform you of the reasons (unless it’s unreasonable or unlawful to do so) and outline how you can complain about the decision.

We aim to respond to access requests within a reasonable timeframe (generally within 30 days). Access to your personal information is provided free of charge by gpex, but if your request is complex and may require significant resources, we will let you know in advance if any cost applies (which would only ever be to cover reasonable administrative expenses).

13. How to correct or update your personal information

gpex is committed to maintaining the accuracy and currency of the personal information we hold (consistent with APP 10 – Data Quality). We encourage you to advise us if any of your details change or if you believe any information we have is incorrect. You can request that we correct or update your personal information at any time by contacting our Privacy Officer. We will promptly update your records and confirm the changes. If we need to verify your identity or request further detail about the desired corrections, we will let you know.

If we cannot fulfill a correction request (for example, if we disagree that the information is inaccurate, or if we are legally prevented from altering it), we will explain the reason to you in writing and inform you of how to lodge a complaint if you are not satisfied. In such cases, you also have the right to ask us to associate a statement with the record indicating that you believe the information is inaccurate or incomplete.

If you request it, and it is reasonable and practicable, gpex will also notify any third parties (to whom we have previously disclosed the information in question) about the correction so that they can update their own records. We do not charge for correcting your personal information.

14. How to make a privacy enquiry or complaint

gpex takes privacy concerns seriously, and we view complaints as an opportunity to improve. If you have a question, concern, or complaint about how we have handled your personal information, please contact us so we can address the issue.

Our aim is to resolve all privacy complaints promptly and fairly. You can contact our Privacy Officer via:

  • Email: admin@gpex.com.au
  • Written inquiry: Privacy Officer, gpex Limited, 160 Greenhill Road, Parkside SA 5063
  • Telephone: 1300 473 972

Please provide details of your concern and any relevant information. We will acknowledge your complaint within 2 business days and aim to provide a full response within 30 days. If we need more time (for complex issues), we will let you know and keep you updated on the progress.

If you are not satisfied with our response, you have the right to escalate the matter to the Office of the Australian Information Commissioner (OAIC). The OAIC can be contacted via:

  • Website: www.oaic.gov.au
  • Written inquiry: GPO Box 5218, Sydney NSW 2001
  • Telephone: 1300 363 992

We will cooperate fully with the OAIC in the resolution of any privacy complaint.

15. Contacting us and finding out more

If you have any questions, requests, or would like further information about how gpex manages personal information, please contact our Privacy Officer using the contact details above. We are happy to provide additional information or assistance as needed. You can also learn more about privacy rights and principles under Australian law by visiting the OAIC’s website or contacting the OAIC’s enquiries line (details above in Section 14). gpex’s Privacy Officer can provide you with a copy of the most current Privacy Policy on request.

16. Changes to this Privacy Policy

gpex will review and update this Privacy Policy from time to time to reflect changes in our practices or in the law. Updated versions of the Policy will be published on our websites and include a new “Last updated” date. We encourage you to check our Privacy Policy periodically to stay informed of how we are protecting your information. If you are unsure whether you are reading the latest version, or if you would like a hard copy of the Policy, please contact us and we will provide you with the most current Privacy Policy.

Continuous Professional Development

Making knowledge matter through accredited CPD partnerships with RACGP, ACRRM and CPD Australia.