
Clinic to Cloud Privacy Policy

(Version 2 – 20 June 2018)


This document has been prepared to underline that Clinic to Cloud respects and upholds the rights to privacy protection under the Australian Privacy laws. Please read this document carefully as this Privacy Policy details how we will maintain your privacy and handle your personal information in accordance with the Australian Privacy Principles (APPs). This policy applies to all information which C2C may be provided access to or which may be collected to provide its services to you.

1. Introduction
  • We respect your privacy and acknowledge Our legal obligations as they apply to Our collection, use and disclosure of Personal Information.
  • For further information about your rights to privacy and your rights under privacy law, please visit the Office of the Australian Information Commissioner (OAIC) website at http://www.oaic.gov.au.
  • If you are a Medical Patient, before you obtain the services of a Medical Practitioner, We recommend that you find out from that Medical Practitioner how the Medical Practitioner (and if the Medical Practitioner is part of a Medical Practice, how that Medical Practice) handles Personal Information.
  • We do not endorse or monitor the privacy practices of any Medical Practitioners or Medical Practices.

2. About Clinic to Cloud

Clinic to Cloud Pty Limited (We, Our, Us) provides users of C2C with:

  • the Clinic to Cloud website platform (Platform);
  • any associated mobile websites, smartphone applications and other software that We make available for use on any device or technology platform (Applications);
  • services made available on the Platform or via the Applications (Services).
    The Platform, Applications and Services are all facilities (Facilities) developed or provided by Us or on Our behalf (other than third party applications described below in paragraph 5).

3. About this Privacy Policy
  • The purpose of this Privacy Policy is to inform you about how the Facilities can be used to process information about you. It also sets out Our policy on Our collection, use and disclosure of Personal Information.
  • This policy adheres to related policies and procedures outlined by the Department of Health.
  • This Privacy Policy is to be read in conjunction with Our Terms of Use. A copy of Our Terms of Use is available at https://www.clinictocloud.com.au/terms
  • Terms used in this Privacy Policy that are defined in Our Terms of Use have the meanings given to them in the Terms of Use. The terms “Personal Information” and “Health Information” used in this Privacy Policy have the meanings given to those terms in the Privacy Act 1988 (Cth).
  • We may update this Privacy Policy from time to time. We will post the latest version of the Privacy Policy to https://www.clinictocloud.com.au/privacy
  • If you have any questions about this Privacy Policy, please feel free to contact Us at privacy@clinictocloud.com.au or write to Us at Level 9, 70 Pitt Street SYDNEY NSW 2000.

4. No Requirement to use C2C
  • If you are a Medical Practitioner, you cannot use the Facilities without your Personal Information being recorded in the Facilities, and you cannot use the Facilities in connection with any Medical Patient without entering the Medical Patient’s Personal Information into the Facilities. If you are a Medical Patient, your Medical Practitioner will only be able to use the Facilities with respect to your Medical Issues if he or she enters your Personal Information (including Health Information) into the Facilities.
  • You do not have to use the Facilities or agree to your Personal Information being entered into the Facilities in order to get medical treatment or lodge claims with Medicare, your private health insurer or the Department of Veterans’ Affairs. However, it will not be practical for you to use the Facilities or for the Facilities to be used with respect to your Medical Issues, without your Personal Information being entered into the Facilities.
  • If you notify Us that you no longer consent to the recording of your Personal Information in the Facilities, We will delete your Personal Information from Our databases (unless and to the extent that We must retain it by law).

5. How Personal Information is entered into and used by the Facilities

The Facilities have been designed so that Personal Information may be entered into, stored and used by authorised users of the Facilities in the following ways:

  • Information you provide during registration and while completing forms on C2C – When you sign up for an Account you may be required to provide Personal Information and if you are a Medical Patient, your Medical Practitioner may ask you to complete forms using the Facilities. If you enter your Personal Information into those forms or enter it during registration for an Account, it will be held in the Facilities. That information may be used to provide you with a personalised experience while you use the Facilities.
  • Health Information – If you are a Medical Patient, your Medical Practice may use the Facilities to record consultations that your Medical Practitioner has with you, and other Personal Information about you, including Health Information. Examples of the Health Information that may be recorded by your Medical Practice in the Facilities about you include:
    • Information concerning your physical or mental health;
    • Notes concerning your medical symptoms, diagnosis and the treatment given;
    • Specialist reports and test results;
    • Appointment and billing details;
    • Prescriptions and other pharmaceutical purchases;
    • Other information collected by your Medical Practitioner for the purposes of providing Medical Services to you (such as information about your date of birth, gender, race, sexuality, religion).
  • MIMS – Medical Practitioners who hold a valid license with MIMS can access medical databases provided by MIMS via the Facilities and use MIMS to configure Prescription Alerts. In order for C2C to verify that a Medical Practitioner holds a valid license with MIMS it is necessary for the Medical Practitioner to provide the Medical Practitioner’s Medical Practice name, address and contact person name and telephone number to MIMS using C2C.
  • Medicare, Department of Veterans’ Affairs and Private Medical Insurers – The Facilities include functionality that allows Medical Practitioners to submit claims to Medicare, the Department of Veterans’ Affairs and private medical insurers (Providers) for Medical Services provided to Medical Patients who are registered with the relevant Providers. In processing a claim to a Provider, the Medical Practitioner’s name, provider number and location ID, and the relevant Medical Patient’s name and date of birth and the relevant item number are provided over C2C to the relevant Provider. This functionality is only available to Medical Practitioners registered with the relevant Providers and only with respect to Medical Patients who are able to lodge claims with the relevant Providers.
  • Speech Solutions Australasia Pty Ltd (SSA) – The Facilities include functionality that allows Medical Practitioners to dictate consultation notes regarding medical consultations they have with Medical Patients and to use voice commands to navigate through the facilities. This functionality is only available to Medical Practitioners who have a valid license from SSA. When using this functionality, the name of the Medical Practitioner, the name of the Medical Patient and the content of all voice commands and digital dictation is provided by C2C to SSA’s server for processing. The digital audio that is transmitted to SSA’s server is not stored on SSA’s server other than during processing of audio data into text.
  • Xero – In order to integrate a Medical Practitioner’s Account with Xero the Medical Practitioner’s name, ABN, contact details and details of the number of invoices issued by the Medical Practitioner are provided by C2C to Xero. This functionality is only available to Medical Practitioners who have a Xero account. Xero also adheres to the Privacy Act, APP as well as the General Data Protection Regulation (GDPR).
  • Third Party Applications – Our Facilities contain functionality which allows them to interface with certain third-party applications. Information collected by a third-party application provider is governed by their own privacy policies. The third-party applications currently made available through the Facilities include Stripe, Claiming.com, Healthlink, Argus, Medical Objects and My Health Record.
  • Health Information that is recorded and stored in the Facilities about you may be accessed, used or disclosed as authorised or directed by the Medical Patient or Medical Practice.

6. How We collect your Personal Information
  • C2C collects customer information and services data only by lawful and fair means. Primarily, customer information is provided to C2C by you. Customer information may also be provided to C2C from time to time, by other third parties such as your Medical Practitioner.
  • C2C collects personal information from you in a variety of ways, including when you interact with us electronically or in person, when you access our website and when we provide our services to you. We may receive personal information from third parties – for example if you are a Medical Patient and you have been registered for an account with us by your Medical Practitioner. If we do, we will protect it as set out in this Privacy Policy.
  • We store but do not collect for our own purposes or use Personal Information entered into the Facilities by Medical Patients or Medical Practices other than to verify your identity when you communicate with us, manage our database of users, to manage the collection of Member Services Charges and process inquiries, respond to requests and communicate with Medical Practices and Medical Patients about Our services.
  • Health Information is recorded and stored in the Facilities when authorised or directed by a Medical Patient or Medical Practice.
  • When you access the Facilities, the Facilities automatically record certain information in the form of server logs. These logs include your web request, your interaction with a Service, IP address, browser type, browser language, the date and time of your request and one or more cookies that may uniquely identify your browser or your Account.
  • We collect your Internet Protocol (IP) address to create an audit trail of all events that take place on C2C and to track and aggregate non-personally identifiable information, your referring website addresses, browser type and access times.
  • Some information that is requested is “optional” and some is “mandatory”. Where information is “mandatory”, you can choose not to provide the requested information, however this may mean that we will not be able to use some functionality offered by C2C.
  • We collect personal information from you directly when you interact with us electronically or in person, when you respond to surveys and when you respond to questions we ask of you.

7. How do we use your Personal Information
  • We may use the Personal Information that We collect to:
    • provide, maintain, protect, and improve the Facilities and develop new services;
    • protect Our rights or property;
    • investigate any security incident in relation to C2C;
    • provide you with information;
    • provide you with our services or make you aware of new services we offer.
  • We may contact you by a variety of measures including, but not limited to telephone, email, SMS or mail.

8. No offshore transfer of Personal Information
  • All Personal Information entered into C2C or provided to Us is stored on secure Microsoft servers located in Australia, complying with Australian Privacy regulations.
  • We will not transfer your Personal Information that We hold to any overseas entity.

9. Disclosure of your Personal Information and onward transfer

Your Personal Information that is provided to Us or entered into the Facilities will only be provided to third parties by Us in the following limited circumstances:

  • where it is necessary to provide you with our services;
  • satisfy any applicable law, regulation, court order, legal process or enforceable governmental request;
  • enforce Our Terms of Service, including investigation of potential violations;
  • detect, prevent, or otherwise address fraud, security or technical issues;
  • to protect the copyright, trademarks, legal rights or property of C2C, its customers or third parties;
  • protect against harm to the rights, property or safety of Us, Our users or the public as required or permitted by law;
  • when We have your consent;
  • when We have a good faith belief that access, use, preservation or disclosure of such information is reasonably protected.

In addition, if We become involved in any or any potential merger, acquisition, or any form of sale of some or all of Our assets, We may disclose your Personal Information but will use Our best endeavours to:

  • ensure the confidentiality of any Personal Information involved in such transactions; and
  • provide notice before your Personal Information is transferred and becomes subject to a different privacy policy.

By providing us with personal information, you consent to the terms of this Privacy Policy and the types of disclosure covered by this Policy. Where we disclose your personal information to third parties, we will request that the third party follow this Policy regarding handling your personal information.


10. Information security

The Notifiable Data Breach (NDB) scheme applies to existing personal information security obligations under the Privacy Act. The NDB scheme requires Us to notify affected individuals and the Australian Information Commissioner (Commissioner), in the event of an ‘eligible data breach’ (as described in the Amendment). A data breach is eligible if it is likely to result in serious harm to any of the individuals to whom the information relates.

  • We take physical and electronic security measures to protect against unauthorised access to or unauthorised alteration, disclosure or destruction of data. These include maintaining and regularly reviewing Our data collection, storage and processing practices and security measures including appropriate encryption and other electronic and physical security measures that We employ to guard against unauthorised access to Our servers which hold Personal Information.
  • Under APP 11.2, C2C will take reasonable steps to destroy or de-identify personal information We hold once it is no longer needed for any purpose for which it may be used or disclosed under the APPs.


11. Sensitive Information

Section 6 of the Privacy Act defines ‘personal information’ as ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable’. An important subset of personal information in the Privacy Act is ‘sensitive information’. The Privacy Act affords a higher level of privacy protection to sensitive information, including health information, than to other personal information.

  • In certain circumstances we may collect sensitive information about you in order to do business with you and carry out our business activities.
  • We will only collect, use or disclose sensitive information (as that term is defined under the Privacy Act) if you voluntarily provide it to us or if you have explicitly given consent to us collecting it. If you provide us with sensitive information, this will constitute your consent.

12. Accessing and updating Personal Information
  • You may access the Personal Information that is held on C2C about you by logging into your Account if you are a Medical Practitioner or a Medical Practitioner Assistant. If you are a Medical Patient We will provide you with a copy of your Personal Information held on C2C within a reasonable period following your request for such a copy, unless an exception listed in Australian Privacy Principle 12.3 applies. Medical Patients may be provided with access to some information that is stored about them on C2C where this is permitted by the Medical Practice.
  • You may also request that We delete your Personal Information that We hold. We will delete your Personal Information if it is not otherwise required to be retained by law or for legitimate business purposes.
  • Collected personal information adheres to the information life cycle, considering all stages of its life cycle, including assessing the risks associated with the collection of the personal information due to a new act, practice, change to an existing project or as part of business as usual.
  • We will destroy or de-identify personal information when it is no longer needed.
  • The customer and/or personal/sensitive information provider is responsible for current and updated information.


13. Changes to Privacy Policy
  • We reserve the right to amend this Privacy Policy at any time, in our sole discretion and all modifications will be effective immediately upon our posting of the modifications on our website or notice board.

14. Third party sites
  • Our site may from time to time have links to other websites not owned or controlled by us. These links are meant for your convenience only. Links to third party websites do not constitute sponsorship or endorsement or approval. Third party websites are subject to their own terms and conditions and privacy policies.

15. Legal Requirements
  • If C2C believes that the use or disclosure of customer information and/or services data is reasonably necessary for one or more enforcement related activities, it may be released to the relevant enforcement body.
  • C2C may be required to provide customer information and services data to comply with legal reporting, disclosure or other legal process requirements. C2C reserves a right to disclose any customer information and/or services data it has access to if required or authorised by law or valid order of a court or other governmental authority, or if needed to protect the health and safety of C2C employees, a customer’s employees, the general public or any other person, including the Medical Patient.

16. Complaints
  • If We receive a formal written complaint about Our privacy practices We will contact the complainant regarding his or her concerns and attempt to resolve the complaint as soon as possible.
  • If you are dissatisfied with the outcome of Our handling of your complaint, you can lodge a privacy complaint with the OAIC. For further information about the OAIC’s privacy complaint handling process, please see http://www.oaic.gov.au/privacy/making-a-privacy-complaint
  • If you have a complaint against Medicare, the Department of Veterans’ Affairs or another Provider, please contact them directly. We are not responsible for, and will not get involved in any dispute between you and any Provider.
  • If you have a complaint against a Medical Practice, please contact the Medical Practice directly. We are not responsible for, and do not get involved in any disputes between Medical Patients and Medical Practices.
