(Version 2 – 20 June 2018)
- We respect your privacy and acknowledge Our legal obligations as they apply to Our collection, use and disclosure of Personal Information.
- For further information about your rights to privacy and your rights under privacy law, please visit the Office of the Australian Information Commissioner (OAIC) website at http://www.oaic.gov.au.
- If you are a Medical Patient, before you obtain the services of a Medical Practitioner, We recommend that you find out from that Medical Practitioner how the Medical Practitioner (and if the Medical Practitioner is part of a Medical Practice, how that Medical Practice) handles Personal Information.
- We do not endorse or monitor the privacy practices of any Medical Practitioners or Medical Practices.
About Clinic to Cloud
Clinic to Cloud Pty Limited (We, Our, Us) provides users of C2C with:
- the Clinic to Cloud website platform (Platform);
- any associated mobile websites, smartphone applications and other software that We make available for use on any device or technology platform (Applications);
- services made available on the Platform or via the Applications (Services).
The Platform, Applications and Services are all facilities (Facilities) developed or provided by Us or on Our behalf (other than third party applications described below in paragraph 5.1(c)).
- This policy adheres to related policies and procedures outlined by the Department of Health.
No Requirement to use C2C
- If you are a Medical Practitioner, you cannot use the Facilities without your Personal Information being recorded in the Facilities, and you cannot use the Facilities in connection with any Medical Patient without entering the Medical Patient’s Personal Information into the Facilities. If you are a Medical Patient, your Medical Practitioner will only be able to use the Facilities with respect to your Medical Issues if he or she enters your Personal Information (including Health Information) into the Facilities.
- However, it will not be practical for you to use the Facilities or for the Facilities to be used with respect to your Medical Issues, without your Personal Information being entered into the Facilities.
- You do not have to use the Facilities or agree to your Personal Information being entered into the Facilities in order to get medical treatment or lodge claims with Medicare, your private health insurer or the Department of Veterans’ Affairs.
- If you notify Us that you no longer consent to the recording of your Personal Information in the Facilities, We will delete your Personal Information from Our databases (unless and to the extent that We must retain it by law).
How Personal Information is entered into and used by the Facilities
The Facilities have been designed so that Personal Information may be entered into and used by the Facilities in the following ways:
- Information you provide during registration and while completing forms on C2C – When you sign up for an Account you may be required to provide Personal Information and if you are a Medical Patient, your Medical Practitioner may ask you to complete forms using the Facilities. If you enter your Personal Information into those forms or enter it during registration for an Account, it will be held in the Facilities. That information may be used to provide you with a personalised experience while you use the Facilities.
- Health Information – If you are a Medical Patient, your Medical Practice may use the Facilities to record consultations that your Medical Practitioner has with you, and other Personal Information about you, including Health Information. Examples of the Health Information that may be recorded by your Medical Practice in the Facilities about you include:
- Information concerning your physical or mental health;
- Notes concerning your medical symptoms, diagnosis and the treatment given;
- Specialist reports and test results;
- Appointment and billing details;
- Prescriptions and other pharmaceutical purchases;
- Other information collected by your Medical Practitioner for the purposes of providing Medical Services to you (such as information about your date of birth, gender, race, sexuality, religion).
- Third Party Applications – Our Facilities contain functionality which allows them to interface with certain third-party applications. Information collected by a third-party application provider is governed by their own privacy policies. The third-party applications currently made available through the Facilities are as follows:
- MIMS – Medical Practitioners who hold a valid licence with MIMS can access medical databases provided by MIMS via the Facilities and use MIMS to configure Prescription Alerts. In order for C2C to verify that a Medical Practitioner holds a valid licence with MIMS it is necessary for the Medical Practitioner to provide the Medical Practitioner’s Medical Practice name, address and contact person name and telephone number to MIMS using C2C.
- Medicare, Department of Veterans’ Affairs and Private Medical Insurers – The Facilities include functionality that allows Medical Practitioners to submit claims to Medicare, the Department of Veterans’ Affairs and private medical insurers (Providers) for Medical Services provided to Medical Patients who are registered with the relevant Providers. In processing a claim to a Provider, the Medical Practitioner’s name, provider number and location ID, and the relevant Medical Patient’s name and date of birth and the relevant item number are provided over C2C to the relevant Provider. This functionality is only available to Medical Practitioners registered with the relevant Providers and only with respect to Medical Patients who are able to lodge claims with the relevant Providers.
- Speech Solutions Australasia Pty Ltd (SSA) – The Facilities include functionality that allows Medical Practitioners to dictate consultation notes regarding medical consultations they have with Medical Patients and to use voice commands to navigate through the Facilities. This functionality is only available to Medical Practitioners who have a valid licence from SSA. When using this functionality, the name of the Medical Practitioner, the name of the Medical Patient and the content of all voice commands and digital dictation is provided by C2C to SSA’s server for processing. The digital audio that is transmitted to SSA’s server is not stored on SSA’s server other than during processing of audio data into text.
- Xero – In order to integrate a Medical Practitioner’s Account with Xero the Medical Practitioner’s name, ABN, contact details and details of the number of invoices issued by the Medical Practitioner are provided by C2C to Xero. This functionality is only available to Medical Practitioners who have a Xero account. Xero also adheres to the Privacy Act and the APPs, as well as the General Data Protection Regulation (GDPR).
How We collect and use your Personal Information
- C2C collects customer information and services data only by lawful and fair means. Primarily, customer information is provided to C2C by you. Customer information may also be provided to C2C from time to time by other third parties such as your Medical Practitioner.
- We do not collect or use Personal Information entered into the Facilities by Medical Patients or Medical Practices other than to manage our database of users, to manage the collection of Member Services Charges and process inquiries, respond to requests and communicate with Medical Practices and Medical Patients about Our services.
- We do not collect Health Information recorded in the Facilities.
- When you access the Facilities, the Facilities automatically record certain information in the form of server logs. These logs include your web request, your interaction with a Service, IP address, browser type, browser language, the date and time of your request and one or more cookies that may uniquely identify your browser or your Account.
- We collect your Internet Protocol (IP) address to create an audit trail of all events that take place on C2C and to track and aggregate non-personally identifiable information, your referring website addresses, browser type and access times.
- We may use the Personal Information that We collect to:
- provide, maintain, protect, and improve the Facilities and develop new services;
- protect Our rights or property;
- investigate any security incident in relation to C2C.
No offshore transfer of Personal Information
- All Personal Information entered into C2C or provided to Us is stored on secure Microsoft servers located in Australia, complying with Australian Privacy regulations.
- We will not transfer your Personal Information that We hold to any overseas entity.
Information sharing and onward transfer
Your Personal Information that is provided to Us or entered into the Facilities will only be provided to third parties by Us in the following limited circumstances:
- When We have your consent;
- When We have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to:
- satisfy any applicable law, regulation, legal process or enforceable governmental request;
- enforce Our Terms of Service, including investigation of potential violations;
- detect, prevent, or otherwise address fraud, security or technical issues; or
- protect against harm to the rights, property or safety of Us, Our users or the public as required or permitted by law.
In addition, if We become involved in any, or any potential, merger, acquisition, or any form of sale of some or all of Our assets, We may disclose your Personal Information but will use Our best endeavours to:
- ensure the confidentiality of any Personal Information involved in such transactions; and
The Notifiable Data Breach (NDB) scheme applies to existing personal information security obligations under the Privacy Act. The NDB scheme requires Us to notify affected individuals and the Australian Information Commissioner (Commissioner), in the event of an ‘eligible data breach’ (as described in the Amendment). A data breach is eligible if it is likely to result in serious harm to any of the individuals to whom the information relates.
- We take physical and electronic security measures to protect against unauthorised access to or unauthorised alteration, disclosure or destruction of data. These include maintaining and regularly reviewing Our data collection, storage and processing practices and security measures including appropriate encryption and other electronic and physical security measures that We employ to guard against unauthorised access to Our servers which hold Personal Information.
- Under APP 11.2, C2C will take reasonable steps to destroy or de-identify personal information We hold once it is no longer needed for any purpose for which it may be used or disclosed under the APPs.
Section 6 of the Privacy Act defines ‘personal information’ as ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable’. An important subset of personal information in the Privacy Act is ‘sensitive information’. The Privacy Act affords a higher level of privacy protection to sensitive information, including health information, than to other personal information.
- In certain circumstances we may collect sensitive information about you in order to do business with you and carry out our business activities.
- We will only collect sensitive information (as that term is defined under the Privacy Act) if you voluntarily provide it to us or if you have explicitly given consent to us collecting it. If you provide us with sensitive information, this will constitute your consent.
Accessing and updating Personal Information
- You may access the Personal Information that is held on C2C about you by logging into your Account if you are a Medical Practitioner or a Medical Practitioner Assistant. If you are a Medical Patient We will provide you with a copy of your Personal Information held on C2C within a reasonable period following your request for such a copy, unless an exception listed in Australian Privacy Principle 12.3 applies.
- You may also request that We delete your Personal Information that We hold. We will delete your Personal Information if it is not otherwise required to be retained by law or for legitimate business purposes.
- Collected personal information adheres to the information life cycle, considering all stages of its life cycle, including assessing the risks associated with the collection of the personal information due to a new act, practice, change to an existing project or as part of business as usual.
- We will destroy or de-identify personal information when it is no longer needed.
- The customer and/or personal/sensitive information provider is responsible for current and updated information.
If C2C believes that the use or disclosure of customer information and/or services data is reasonably necessary for one or more enforcement related activities, it may be released to the relevant enforcement body.
C2C may be required to provide customer information and services data to comply with legal reporting, disclosure or other legal process requirements. C2C reserves a right to disclose any customer information and/or services data it has access to if required by law or valid order of a court or other governmental authority, or if needed to protect the health and safety of C2C employees, a customer’s employees, or the general public.
- If We receive a formal written complaint about Our privacy practices We will contact the complainant regarding his or her concerns and attempt to resolve the complaint as soon as possible.
- If you are dissatisfied with the outcome of Our handling of your complaint, you can lodge a privacy complaint with the OAIC. For further information about the OAIC’s privacy complaint handling process, please see http://www.oaic.gov.au/privacy/making-a-privacy-complaint
- If you have a complaint against Medicare, the Department of Veterans’ Affairs or another Provider, please contact them directly. We are not responsible for, and will not get involved in any dispute between you and any Provider.
- If you have a complaint against a Medical Practice, please contact the Medical Practice directly. We are not responsible for, and do not get involved in any disputes between Medical Patients and Medical Practices.