This Practice Cloud Privacy Policy (Privacy Policy) describes how Pen CS Pty Ltd (ABN 75 606 033 112) (we, our, us) manages Personal Information about individuals whose data is
collected, held, transferred, disclosed or otherwise processed by us in
respect of the provision of the Practice Cloud SaaS platform (Practice Cloud), as well as the steps that we take to secure the Personal
Information.
Practice Cloud is a cloud-hosted health intelligence platform,
primarily used by medical practices (each, a Practice) and their personnel (each, an End User), to create reports and programs based on clinical and financial data
about their patients (each, a Patient) in order to optimise Practice efficiency and facilitate better
Patient and population health outcomes.
We are committed to complying with our privacy obligations in
accordance with all applicable data protection and privacy laws,
including the Australian Privacy Principles (APPs) contained in Schedule 1 of the Privacy Act 1988 (Cth) (Privacy Act) and the Health Privacy Principles (HPPs) contained in Schedule 1 of the Health Records and Information Privacy Act 2002 (NSW), Schedule 1 of the Health Records Act 2001 (Vic), and the privacy principles contained in Schedule 1 of the Health Records (Privacy and Access) Act 1997 (ACT) (PPs) (together, the Privacy Laws).
If we decide to change this Privacy Policy, we will post the updated
version on this webpage. Our policy is to always be open and transparent
about our privacy practices.
-
What is Personal Information?
-
In this Privacy Policy, the term Personal Information includes “personal information” as that term is
defined in the Privacy Act, “personal health information”
as that term is defined in the Health Records (Privacy and Access) Act 1997 (ACT) and “health information” as that term is
defined under both the Health Records and Information Privacy Act 2002 (NSW) and the Health Records Act 2001 (Vic).
-
The term “personal information” is defined in the Privacy
Act to mean information or an opinion about an identified individual,
or an individual who is reasonably identifiable,
-
whether the information or opinion is true or not; and
-
whether the information or opinion is recorded in a material form or
not.
-
The “personal health information” of a consumer is
defined in the Health Records (Privacy and Access) Act 1997 (ACT) to mean any personal information, whether or not recorded
in a health record:
-
relating to the health, an illness or a disability of the consumer;
or
-
collected by a health service provider in relation to the health, an
illness or a disability of the consumer.
-
The term “health information” is defined in both the Health Records and Information Privacy Act 2002 (NSW) and the Health Records Act 2001 (Vic) to mean personal information that is:
-
information or an opinion about an individual’s physical or
mental health or disability, their express wishes about the future
provision of health services to them or a health service provided or
to be provided to them; or
-
other personal information collected to provide, or in providing a
health service; or
-
other personal information about an individual’s intended or
actual donation of their body parts, organs or body substances;
or
-
other personal information that is genetic information about an
individual arising from a health service provided to the individual in
a form that is or could be predictive of the health (at any time) of
the individual or of a genetic relative of the individual; or
-
healthcare identifiers,
but does not include health information that is prescribed as exempt
health information for the purposes of the above Acts.
- Consents
-
Each Practice and their End Users using Practice Cloud are required
to comply with all applicable Privacy Laws.
-
We rely on the Practices that use Practice Cloud to obtain all
relevant privacy consents and authorisations from their Patients
required by law, in order for the Personal Information that is entered
into Practice Cloud to be collected, disclosed, held and otherwise
processed by us. We require each Practice to obtain each of their
Patient’s consent in accordance with Privacy Laws prior to us
collecting, holding and/or processing any Personal Information about
those Patients. We also rely on each Practice to ensure that all
Personal Information about their Patients that is collected and held
by us is accurate, up to date, complete, relevant and not
misleading.
-
We encourage Practices to ensure that their Patients are familiar
with their privacy policies so that their Patients can understand how
the Practice will collect, use, hold, disclose and otherwise process
Personal Information about them, including via Practice Cloud.
-
How we collect Personal Information
-
Our policy is to not collect Personal Information by means that are
unfair or unreasonably intrusive in the circumstances. We only collect
Personal Information that is necessary to provide the functionality of
Practice Cloud and to otherwise operate our business.
-
We collect Personal Information about End Users, Patients and other
individuals (Other Individuals) in connection with Practice Cloud in the following ways:
-
when the Practice creates new End User accounts on Practice Cloud or
provides us with Personal Information;
-
when an End User uploads, inputs or enters Personal Information about
Patients and/or other individuals into Practice Cloud;
-
when an End User contacts us for technical support in respect of
Practice Cloud;
-
when it is transmitted to us via an API in accordance with our
obligations to do so pursuant to a contract with a Practice;
-
when it is voluntarily disclosed to us (such as via telephone,
questionnaires, e-mail and online forms); and
-
when Practices enter into a contract with us.
-
We do not collect Personal Information directly from Patients. Each
Practice is responsible for the lawful collection of their
Patient’s Personal Information. We acquire a Patient’s
Personal Information from an End User of the Practice when they
upload, input or enter it into Practice Cloud.
-
The types of Personal Information that we collect and hold
-
We collect Personal Information from Practices and End Users of
Practice Cloud.
-
We collect the following types of Personal Information:
-
Personal Information about Patients: All information, including Personal Information that is
entered into Practice Cloud by End Users about Patients, is stored and
held in systems managed by us. The types of personal information that
we collect and hold about Patients may include names, addresses,
telephone numbers, email addresses, next of kin details, Medicare
number and health insurance details, details of health services
provided to them, medical history, family medical history, examination
results, height, weight, age, other body and health measurements,
prescriptions, medical recommendations, advice and treatment
protocols.
-
Personal Information about End Users: We collect Personal Information about End Users when the
Practice creates new End User accounts on Practice Cloud. The types of
Personal Information that we collect about End Users may include first
and last names, date of birth, email addresses, phone numbers,
address, associated Practice name, associated Practice address,
professional registration service provider number, billing
information, time and date of telehealth calls and health professional
type (i.e. general practitioner, surgeon, etc). Credit card details
are not held by us but are held by payment gateway providers that we
use. Other than the last 4 digits of a credit card, all other credit
card information is not held by, or accessible to, us.
-
Personal Information about Other Individuals: We collect and hold Personal Information about Other Individuals
that is entered into Practice Cloud by End Users, including Patient
next of kin details and Patient family medical history. We also
collect and hold Personal Information about Other Individuals that is
provided to us, including about Practice personnel involved in
negotiating a contract with us.
-
How we use personal information
-
We use Personal Information that we collect and process, in the
following ways:
Category: Personal information about Patients

How we use and process that Personal Information:
- As required to provide and support the functionality of Practice Cloud.
- In order to store Patient Personal Information in databases and systems in our hosting environments at third-party data centres.
- To provide technical support in respect of Practice Cloud to End Users.
- Backing up and restoring data that includes Patient Personal Information.
- When conducting research and development of Practice Cloud and its functionality.
- To carry out security audits, investigate security incidents and implement security processes and procedures in connection with Practice Cloud.

Why we collect the Personal Information:
- Necessary for our legitimate interests (in order to operate and grow our business, administer and allow Practices to use Practice Cloud, and to enable us to operate our IT systems and networks, manage our hosting environments and ensure the successful delivery of our services).
- To comply with our legal and statutory obligations.
- Required in order to determine which Privacy Law applies to the individual.

Category: Personal information about End Users

How we use and process that Personal Information:
- As required to provide and support the functionality of Practice Cloud.
- To manage a Practice’s subscription and use of Practice Cloud.
- To provide technical support services to End Users.
- To send newsletters and other communications to End Users about Practice Cloud, events and education opportunities, and to market our products and services to them.
- Backing up and restoring data that includes End Users’ Personal Information.
- To carry out security audits, investigate security incidents and implement security processes and procedures in connection with Practice Cloud.
- To communicate with End Users about their access and use of Practice Cloud.
- To handle complaints about or from End Users.

Why we collect the Personal Information:
- Performance of our agreements with Practices.
- Necessary for our legitimate interests (in order to operate and grow our business, in order to administer and allow End Users to access and use Practice Cloud, and to enable us to operate our IT systems and networks, manage our hosting environments and ensure the successful delivery of our products and services).
- Required to identify End Users who use Practice Cloud and to identify persons who request technical support or wish to exercise their rights under the Privacy Laws to access and/or correct their Personal Information.
- Compliance with our legal obligations.
- Required in order to determine which Privacy Law applies to the individual.

Category: Personal information about Other Individuals

How we use and process that Personal Information:
- As required to provide and support the functionality of Practice Cloud.
- To issue invoices to Practices and to enforce the payment obligations of Practices.
- In order to store Personal Information provided about Other Individuals in databases and systems in our hosting environments at third-party data centres.
- Backing up and restoring data that includes Personal Information provided about Other Individuals.
- When conducting research and development of Practice Cloud and its functionality.
- To carry out security audits, investigate security incidents and implement security processes and procedures.

Why we collect the Personal Information:
- Necessary for our legitimate interests (in order to operate and grow our business, and to enable us to operate our IT systems and networks, manage our hosting environments and ensure the successful delivery of our services).
- To comply with our legal and statutory obligations.
- Performance of our agreements with Practices, including for billing purposes, so that we can issue invoices.
- Required in order to determine which Privacy Law applies to the individual.
-
De-identified data analysis
-
Personal Information may also be de-identified by us and used for
statistical analysis. All such data is not held in a form that could
reasonably be expected to identify an individual, and is therefore,
not Personal Information for the purposes of the Privacy Laws.
-
We use de-identified information to help us review, enhance and
improve Practice Cloud (for statistical or research purposes) and to
develop case studies and marketing materials without identifying any
individual.
-
How we hold and secure Personal Information
-
We hold and store Personal Information that we collect in our
offices, computer systems and third-party owned and operated hosting
facilities.
-
In particular:
-
we engage hosting facilities operated by reputable hosting providers;
-
Personal Information that is provided to us via email is held on our
servers or those of our cloud-based email providers, which have
restricted access security protocols;
-
we use third-party owned cloud-based customer relationship management
(CRM) and marketing platform providers to hold Personal Information
about Practices that enter into agreements with us to use Practice
Cloud;
-
Personal Information is held on computers and other electronic
devices in our offices and at the premises of our personnel; and
-
we hold Personal Information that is provided to us in hard copy in
files and folders in secure locations.
-
We take reasonable steps to protect Personal Information that we hold
using such security safeguards as are reasonable in the circumstances
to take against loss, unauthorised access, modification and disclosure
and other misuse and to implement technical and organisational
measures to ensure a level of protection appropriate to the risk of
accidental or unlawful destruction, loss, alteration, unauthorised
disclosure of, or access to, Personal Information transmitted, stored
or otherwise processed by us.
- We:
-
only use reputable hosting providers to host Personal Information;
-
implement passwords and access control procedures, anti-virus,
firewall and security controls for email and other applicable computer
software and systems;
-
maintain files, in both hardcopy and electronic form, at our offices
and other access-controlled premises;
-
operate online records management systems on secure networks;
-
regularly perform security testing;
-
regularly carry out security audits of our systems which seek to find
and eliminate any potential security risks in our electronic and
physical infrastructure as soon as possible;
-
maintain physical security measures in our buildings and offices such
as visitor access management, cabinet locks, surveillance systems and
alarms to ensure the security of information systems (electronic or
otherwise);
-
require our employees, agents, contractors and subcontractors to
comply with the privacy and confidentiality provisions in their
employment and subcontractor agreements that we enter into with
them;
-
use SSL encryption on our systems;
-
have a Data Breach Response Plan in place;
-
have data backup archiving and disaster recovery processes in
place;
-
if appropriate in the circumstances taking into account the state of
the art, the costs of implementation and the nature, scope, content
and purpose of the processing, we will encrypt Personal Information;
and
-
with respect to Personal Information that we no longer require or
where we are otherwise required to destroy it under applicable law, we
ensure that such Personal Information is securely destroyed and/or
de-identified.
-
Disclosure of Personal Information
-
We will disclose Personal Information to our employees, officers,
professional advisors, suppliers, agents, contractors, subcontractors
and/or related entities who assist us in the delivery and performance
of Practice Cloud. We ensure that they are aware of their information
security responsibilities, are appropriately trained to meet those
responsibilities and have entered into agreements that require them to
comply with privacy and confidentiality obligations that apply to
Personal Information that we provide to them.
-
We only disclose Personal Information that we collect to third
parties as follows:
-
in order to host databases that are integrated into Practice Cloud,
we engage reputable hosting providers who host those databases on our
behalf;
-
when performing contracts, we may outsource certain obligations to
third-party contractors in accordance with our contractual rights
(such as hosting, software development and other professional
services). Professional services carried out by them may require
access to an individual’s Personal Information. We ensure that
all staff and contractors are aware of their information security
responsibilities, are appropriately trained to meet those
responsibilities and have entered into agreements which require them
to comply with privacy and confidentiality obligations that apply to
the Personal Information that we provide to them;
-
when providing information to our legal, accounting or financial
advisors or insurers, or to our debt collectors for debt collection
purposes or when we need to obtain their advice, or where we require
their representation in relation to a legal dispute;
-
where a person provides written consent to the disclosure of their
Personal Information;
-
where it is brought to our attention that specific Personal
Information needs to be disclosed to protect the safety or vital
interests of any person;
-
if we are contacted by any person who represents to us that they are
an End User, for security purposes, we will only discuss the Personal
Information that we hold about them with them if they identify
themselves accurately and truthfully;
-
to avoid prejudice to the maintenance of the law by any public sector
agency, including the prevention, detection, investigation,
prosecution, and punishment of offences;
-
for the enforcement of a law imposing a pecuniary penalty;
-
for the conduct of proceedings before any court or tribunal (being
proceedings that have been commenced or are reasonably in
contemplation); or
-
where required by law.
-
Third party websites and platforms
-
Practice Cloud may include links to third-party websites. Our linking
to those websites does not mean that we endorse or recommend them. We
do not warrant or represent that any third-party website operator
complies with applicable Privacy Laws. You should consider the privacy
policies of any relevant third-party website prior to sending Personal
Information to them.
-
Interacting with us without disclosing Personal Information
-
If you do not provide us with your Personal Information, you can only
have limited interaction with us. For example, you can browse our
website without providing us with Personal Information, such as the
pages that generally describe Practice Cloud or our products that we
make available, and our Contact page. However, when you submit a form
on our website, or become an End User on Practice Cloud or you
otherwise enter into a business relationship with us, we need to
collect Personal Information from you in order to identify who you
are, so that we can provide you with Practice Cloud, and for the other
purposes described in this Privacy Policy.
-
You have the option of not identifying yourself or using a pseudonym
when contacting us to enquire about our products and/or services, but
not if you wish to actually procure and/or use Practice Cloud. It is
not practical for us to provide you with access and/or use of Practice
Cloud (or any part thereof) if you refuse to provide us with your
Personal Information.
-
Offshore disclosure
-
We may transfer your Personal Information to our contractors and
service providers who assist us with the supply of Practice Cloud to
you, and to assist us with the operation of our business generally,
where we consider it necessary for them to provide that assistance. We
will take reasonable steps to ensure that such overseas recipients do
not breach the APPs, HPPs or PPs in relation to any Personal
Information we provide to them and will comply with this Privacy
Policy as it is applicable to them.
-
Such reasonable steps include ensuring our offshore service providers
are subject to substantially similar laws or binding schemes as the
Privacy Laws and have entered into agreements with us that require
them to comply with privacy, confidentiality and data protection
obligations that apply to the Personal Information that we provide to
them.
-
Provided that we comply with the Privacy Laws, we may transfer your
Personal Information to our offshore service providers who may be
located outside Australia. Our offshore and overseas contractors and
service providers are currently located within Australia.
-
How to access and correct personal information held by us
-
End Users who wish to access and correct the Personal Information
held by us about them should contact us using our contact details set
out below. Prior to contacting us or submitting a request for access
to correct any Personal Information held about them, End Users can
update their Personal Information by logging into their account on
Practice Cloud, where such functionality is available. However, we
encourage you to contact us in any event and we would be happy to
assist you.
-
If you are a Patient or an Other Individual, and you wish to access
or correct the Personal Information held by us, then in the first
instance you should contact the Practice that collected your Personal
Information. End Users can access and correct Personal Information
about any Patient or Other Individual that End Users of a Practice
have entered into Practice Cloud. Alternatively, any Patient or Other
Individual whose Personal Information is held by us in connection with
Practice Cloud should contact us using our contact details set out
below.
-
It is our policy to retain Personal Information in a form that
permits identification of any person only as long as is necessary for
the purposes for which the Personal Information was collected; and for
any other related, directly related or compatible purposes if and
where permitted by applicable Privacy Laws. We will only process
Personal Information that you provide to us for the minimum length of
time permitted by applicable Privacy Laws and only thereafter for the
purposes of deleting, de-identifying or returning that Personal
Information to you (except where we also need to retain the
information in order to comply with our legal obligations, or to
retain the data to protect your or any other person's vital
interests).
-
We retain Personal Information held in connection with Practice Cloud
as follows:
-
an End User’s Personal Information will be held while they hold
a current account on Practice Cloud and thereafter for a period of 7
years, for tax purposes;
-
a Patient’s Personal Information will be held while the
Practice of the Patient is party to an agreement with us for the
access and use of Practice Cloud and thereafter for a period of 30
days, after which time it will be automatically deleted or
de-identified; and
-
We will keep Personal Information for longer periods than specified
above, where we are required to retain the Personal Information under
applicable Privacy Laws, for example, where required for the purposes
of litigation.
-
As an alternative to deleting Personal Information, we may elect to
de-identify it where permissible by law. We will de-identify certain
types of Personal Information for the purpose of improving Practice
Cloud and for provision to third parties for research purposes.
-
Where you require Personal Information to be returned, it will be
returned to you at that time, and we will thereafter delete all then
remaining existing copies of that Personal Information in our
possession or control as soon as reasonably practicable thereafter,
unless applicable Privacy Laws require us to retain the Personal
Information, in which case we will notify you of that requirement and
only use such retained Personal Information for the purposes of
complying with those applicable laws.
-
We will handle all requests for access to Personal Information
without unreasonable delay or expense, and in accordance with our
statutory obligations. We may require payment of a reasonable fee by
any person who requires access to their Personal Information that we
hold, except where such a fee would be contrary to applicable law. We
will not charge you for the making of any such request. We will
endeavour to provide a response to any request for access to Personal
Information within 3 business days from the time a request is made.
-
How to contact us regarding your privacy rights
-
Any person who wishes to contact us for any reason regarding our
privacy practices or the Personal Information that we hold about them,
or make a privacy complaint, may contact us using the following
details:
Pen CS Privacy Officer
Email: privacy@pencs.com.au
Address: 301 Catherine Street, Leichhardt NSW 2040,
Australia.
Tel: 02 9506 3200
-
We will use our best endeavours to resolve any privacy complaint with
the complainant within a reasonable time frame given the
circumstances. This may include working with the complainant on a
collaborative basis or otherwise resolving the complaint.
-
If the complainant is not satisfied with the outcome of a complaint
or they wish to make a complaint about a breach of the APPs, they may
refer the complaint to the Office of the Australian Information
Commissioner, which can be contacted using the following details:
Telephone: 1300 363 992
Email: enquiries@oaic.gov.au
Address: GPO Box 5218, Sydney NSW 2001, Australia.
-
If the complainant is not satisfied with the outcome of a complaint
or they wish to make a complaint about a breach of any of the HPPs or
PPs, they may refer the complaint to the relevant Commission in their
jurisdiction:
NSW: Information and Privacy Commission
Telephone: 1800 472 679
Email: ipcinfo@ipc.nsw.gov.au
Vic: Health Complaints Commissioner
Telephone: 1300 582 113
Online form: https://hcc.vic.gov.au/make-complaint
ACT: ACT Human Rights Commission
Telephone: 02 6205 2222
Email: hrcintake@act.gov.au