Bupa Australia

Comprehensive scope statement, detailed definitions section with 13 terms, specific contact information including phone, email, postal address and website, clear effective date, and introductory section with privacy commitment. Strong navigation aids and plain language commitment evident.

Comprehensive list of 17+ specific primary purposes, detailed secondary use disclosures for marketing and research, clear consent requirements for identifiable research use, specific AI processing purposes, and multiple opt-out mechanisms including claims personalisation opt-out.

Clear effective date and version control, specific contact information for Customer Relations team, complaint handling process with progress updates, and internal audit functions disclosed. However, lacks specific review frequency commitments, change notification procedures, or named privacy officer.

Exceptionally detailed enumeration of personal information types collected (20+ specific categories), comprehensive disclosure of collection methods both direct and third-party, explicit sensitive information handling, clear consent mechanisms, and specific technical data collection practices with named third-party tools.

Detailed categories of third parties with specific named entities (Medicare, ATO, Adobe, Google, etc.), clear purposes for sharing, contractual privacy obligations for overseas recipients, and specific opt-out mechanisms for advertising networks. Strong disclosure of government and law enforcement sharing circumstances.

Limited to generic requirements for overseas recipients to 'comply with privacy laws and keep information secure' and confidential disclosure basis. Lacks specific technical safeguards, encryption details, breach notification procedures, or security certifications.

Names United States as likely destination, identifies recipient types as service providers/suppliers, requires contractual compliance with privacy laws, but lacks comprehensive adequacy mechanisms or detailed safeguard specifications beyond generic privacy law compliance.

Clear access and correction rights with reasonable timeframes, specific opt-out mechanisms for marketing and personalisation, detailed complaint handling process with OAIC escalation, multiple contact methods provided, and written notification requirements for refusals.

Good disclosure of AI applications with specific purposes (transcription, analytics, quality assurance), automated profiling for health programs, personalisation activities, and opt-out rights for claims personalisation. However, lacks details about decision logic or human review availability.

Clear age threshold of 18 consistently applied across multiple contexts, automatic direct communication when turning 18, and specific protections for claims confidentiality. However, lacks proactive parental consent mechanisms or age verification processes for initial collection.