
Clinic to Cloud Privacy Policy

(Version 3 – 11 March 2020)


This document has been prepared to underline that Clinic to Cloud respects and upholds the rights to privacy protection under the Australian privacy laws. Please read this document carefully, as this Privacy Policy details how we will maintain your privacy and handle your personal information in accordance with the Australian Privacy Principles (APPs). This policy applies to all information to which C2C may be provided access or which may be collected to provide its services to you.

About Clinic to Cloud and this Privacy Policy
Clinic to Cloud Pty Ltd (ABN 60 601 566 849) (C2C, we, us or our) offers a clinical and practice management system, to manage all aspects of the clinical interaction, including patient booking, payment and claims management, patient consultation record keeping, and other practice management functions.
 
We provide a software-as-a-service system (System) through which we host applications, websites and software and make these available for medical practitioner, practice, and patient use via the cloud.
 
C2C is committed to protecting the privacy and confidentiality of your personal information.
 
This privacy policy (this Policy) explains how we will collect, use, disclose, store, and protect personal information collected from you. This Policy also describes the way in which you may access or correct the personal information we hold about you, and how to contact us if you have any complaints in relation to your privacy.
 
We will handle your personal information in accordance with applicable privacy and health records laws, including the Privacy Act 1988 (Cth) and its Australian Privacy Principles (APPs), and the Health Records and Information Privacy Act 2002 (NSW) and its Health Privacy Principles (HPPs).
 
 
What is ‘personal information’?

This Policy applies to our handling of personal information. ‘Personal information’ means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information is true or not and whether the information is recorded in a material form or not.

 Personal information includes ‘sensitive information’, which is a particular type of personal information. Sensitive information includes identifying health information about you (such as details of your health and medical history or the health services you have received). Sensitive information also includes information about racial or ethnic origin, political opinions or associations, religious or philosophical beliefs, and sexual orientation or practices.

 
Why do we collect your personal information?

We may collect personal information from you so that we can provide our services to you, or where this is otherwise necessary for our functions or activities, including provision of the System. In particular, we will collect the personal information of medical practitioners and patients, to enable you to use the System.

We collect patient and/or medical practitioner personal information:

  • to allow medical practitioners to use the System to help manage patient care, including to:

    • dictate, review and send letters;

    • utilise clinical decision support tools;

    • access and manage health data;

    • capture and upload images; or

    • use our other practice management functions;

  •  to allow patients to use the System to:

    • book and manage appointments;

    • make payments; or

    • view clinical information; and

  • to enable us to respond to any queries or complaints.

You are not required to disclose your personal information to us. However, if you do not provide the information requested, you may not be able to use the System effectively.

What types of personal information do we collect?

We may collect the following personal information from medical practitioners (and other medical practice staff):
  • your name and your role at the medical practice at which you practise (or work);
  • the name, address, and phone number of the medical practice at which you practise (or work); and
  • your Medicare provider number and location ID.
We may also collect the following personal information about patients, either directly from the patient, or from the patient’s medical practitioner or practice via the System:
  • name, date of birth, postal address, email address and telephone numbers;
  • health and medical history, including your symptoms, medications, and any previous diagnosis and treatment given to you;
  • occupation and employment details, religion, country of birth, indigenous status and racial or ethnic origin, where relevant to the services your doctor provides to you;
  • Medicare number or concession card details, if relevant;
  • private health fund and private health insurance cover details, if relevant; and
  • payment and billing details.

We may collect personal information from individuals who are not medical practitioners or patients, such as job applicants, service providers or contractors, to enable us to work or transact with them. This may include personal information provided through job applications, proposals and contracts.

 

How do we collect your personal information?
We will collect your personal information in a lawful and fair way and in a manner that is not unreasonably intrusive.
 
We will only collect your personal information where you have consented, or otherwise in accordance with the law.
 
If you are a medical practitioner (or work at a medical practice), we will collect your personal information directly from you through your interactions with the System.
 
If you are a patient, we will either collect your personal information directly from you or from your medical practitioner or practice through their interactions with the System.
 
If you are a job applicant, contractor or service provider, we may collect your personal information from third parties such as your referees and through required screening checks such as a police check.
 
When we collect your personal information, we will as soon as is practicable take reasonable steps to notify you of the details of the collection (including notifying you through this Policy), such as the purposes for which the information was collected, the organisations (if any) to which the information will be disclosed, and also notify you that this Policy contains details on how you may access or correct your information, or raise any complaints.
 
How do we use your personal information?

If you are a medical practitioner or patient we generally use your personal information for the following main purposes:

  • to provide you with access to and use of the System, including the applications, websites and software hosted by the System;
  • to provide support for the use of the System;
  • to provide you with information regarding the System and other C2C services;
  • to respond to your questions or complaints; or
  • to maintain and improve the System and our services, including to request your participation in a quality improvement activity (such as a survey) or research.

If you are a job applicant, service provider or contractor, we may use your personal information to manage our relationship with you.

We may also use your personal information for purposes which are permitted under the applicable privacy laws, which include:

  • where we use your information for purposes which are directly related to the main purpose for which we collected it, in circumstances where you would reasonably expect us to use your information for these purposes; or
  • where we reasonably believe that use of your information is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety, and it is unreasonable or impracticable to obtain your consent.

Do we disclose your personal information to others?

We respect the privacy of your personal information and we will take reasonable steps to keep it confidential and protected.

The System has integrations with third-party software and systems (third-party vendors) to enable:

  • dictation by medical practitioners;
  • payments for services and claiming of benefits from Medicare, private health funds and other benefit providers;
  • secure encrypted messaging services, for example, to message patients, and to transfer pathology and other test results to your medical practitioner;
  • secure cloud storage of information (in Australia); and
  • other practice management functions.

We may need to disclose personal information to these third-party vendors to the limited extent required to enable and support these integrated functions.
We will not otherwise disclose your personal information to third parties unless you have consented, or we are otherwise permitted or required to do so by law. This may include disclosure of your personal information in the following circumstances:

  • disclosure to comply with our legal obligations, including, but not limited to, where we are required to provide information under a subpoena or Court order or other mandatory reporting requirements under law;
  • to communicate with the Office of the Australian Information Commissioner if you make a privacy complaint; or
  • where we are otherwise authorised or permitted to do so under law, including:
    • where we disclose your information for purposes which are directly related to the main purpose for which we collected it, in circumstances where you would reasonably expect us to disclose your information for these purposes;
    • where we reasonably believe that disclosure of your information is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety, and it is unreasonable or impracticable to obtain your consent; or
    • where this is reasonably necessary for the establishment, exercise or defence of any legal claim.

If you are a job applicant, service provider or contractor, we may disclose your personal information to manage our relationship with you. 

Will we transfer your personal information overseas?

We generally do not transfer personal information overseas.

In the event that we need to disclose personal information overseas, we will comply with the requirements of the Privacy Act 1988 (Cth) and the Health Records and Information Privacy Act 2002 (NSW) when disclosing personal information outside of New South Wales and overseas.

We will only disclose your personal information overseas if:

  • you have provided your prior consent; or
  • the receiving person or organisation is subject to a law, binding scheme or binding contract that provides substantially similar protection to the APPs which you can access and enforce; or
  • the disclosure is otherwise required or authorised by law.

We will in all cases take reasonable steps to ensure that any such recipient of your personal information does not breach the APPs and HPPs.

 

Direct marketing

If C2C intends to engage in any marketing communications, we may send you such communications in accordance with any previous consent you have provided or any marketing communication preferences that you have notified to us, and in accordance with the requirements under the Privacy Act 1988 (Cth) and the Spam Act 2003 (Cth).

If you have previously agreed to receive such marketing communications, but no longer wish to receive them, you can contact us using our contact details set out below to modify your preferences, or you can simply opt out of such communications using the instructions or opt-out link provided in the marketing communication sent to you.

 

How can you access and correct your personal information?

You have a right to seek access to, and correction of the personal information we hold about you.

Authorised users of the System can log into their account and access the personal information held by C2C about them.

You may also request access to the personal information that we hold about you, using our contact details set out below. In certain circumstances, we may refuse to allow you access to your personal information where this is authorised by the law, such as where providing access would have an unreasonable impact on the privacy of other individuals, providing access would pose a serious threat to the life or health of any person or to public health or safety, or giving access would be unlawful.

If you believe that the personal information we hold about you requires correction (for example, because the information is inaccurate, out-of-date, incomplete, irrelevant or misleading), you may request that the information be corrected using our contact details set out below.

If we refuse your request for access or correction, we will provide you with reasons for the refusal in writing, and details about how you may complain about the decision.

 

How do we protect your personal information?

We take reasonable steps to protect personal information we hold about you from misuse, interference and loss, and from unauthorised access, modification or disclosure.

We use physical and technological security measures to protect the personal information we hold.

We may hold your personal information in a number of ways including electronically and in physical format.

We use a secure third-party cloud storage provider with servers located in Australia.

We also use secure third-party messaging software and SMS messaging services, which are encrypted.

 When your personal information is no longer required to be retained under law (and in the case of your health information, the information has been retained for the required periods under the HPPs) we will take steps to securely destroy the information or to ensure that the information is permanently de-identified.

 

Quality of the personal information we hold
 
We take reasonable steps to ensure that the personal information we collect, use and disclose is accurate, up-to-date, complete, relevant and not misleading. You can assist us in keeping your personal information accurate by informing us of any updates to your personal information using our contact details below.
 
Data breaches

We are required to comply with the mandatory ‘notifiable data breach’ scheme (the NDB scheme) under the Privacy Act 1988 (Cth). The NDB scheme applies when an ‘eligible data breach’ of personal information occurs.

An ‘eligible data breach’ occurs when:

  • there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an organisation holds; and
  • this is likely to result in serious harm to one or more individuals; and
  • the organisation has not been able to prevent the likely risk of serious harm with remedial action.

An organisation may take remedial steps to prevent the likelihood of serious harm occurring for any affected individuals after a data breach has occurred, in which case, the data breach is not an ‘eligible data breach’.

Where we have reasonable grounds to believe that we have experienced an eligible data breach (and remedial action cannot be used), we will promptly notify affected individuals and the Office of the Australian Information Commissioner about the breach in accordance with the Privacy Act 1988 (Cth).

 

The Clinic to Cloud website and cookies

We may collect your personal information through your interactions with the System and via the C2C website at www.clinictocloud.com.

We will deal with any personal information collected via the C2C website in accordance with this Policy and the law.

We also collect data through our use of ‘cookies’ and other internet technologies.

Cookies are small data files which are stored on your device’s browser. Cookies are stored in order for your internet browser to navigate a website. Cookies will not identify you, but they do identify your internet service provider and browser type.

We will not use cookies to collect your identifying personal information. The cookies may collect statistical information about your visit to the C2C website (such as the pages you visit on the website) in order to remember your preferences and allow you to navigate the website more easily.

The default setting of most internet browsers is to accept cookies automatically, but you can choose whether to allow cookies through your browser settings.

 We also collect your IP address to create an audit trail of events that take place on the C2C website and to track and aggregate non-identifiable information, your referring website addresses, browser type and access times.

 If we provide links through the C2C website or System to third-party websites, plug-ins and applications, we are not responsible for the content, privacy policy and practices of the third-party organisation. You should familiarise yourself with the privacy policies of any such third parties. 

 

Privacy related questions and complaints
We respect your privacy and we take all complaints and concerns regarding privacy very seriously.

If you have any questions about privacy-related issues, or wish to complain about a breach of your privacy or the handling of your personal information by us, you may lodge your question or complaint in writing to C2C by using the contact details below. We will respond to you as soon as possible, but no later than 30 days from receipt of your question or complaint.


If you are not satisfied with our response, or if you do not wish to raise a question or complaint with us directly, you may wish to contact:

  • the Office of the Australian Information Commissioner. See www.oaic.gov.au; or

  • the New South Wales Health Care Complaints Commission. See www.hccc.nsw.gov.au.

 

Our contact details for privacy related issues

If you would like to contact us regarding any privacy matters, including where:

  • you would like to request access to or correction of your personal information;
  • you have a complaint or concern regarding your privacy; or
  • you would like further information about this Policy,

please contact us using the following details:

  • Email address: privacy@clinictocloud.com.au; or
  • Web form: www.clinictocloud.com/contact-us; or
  • Telephone number: (02) 8705 5808; or
  • Address: Clinic to Cloud (Attn: Privacy Officer), Level 9, 70 Pitt Street, Sydney, NSW 2000.

Updates to this Policy

We may update this Policy from time to time. We will notify you about any changes to this Policy through our website at www.clinictocloud.com, and we will make the most current version of the Policy available when you receive services from us, or on your request.
