Practice Cloud Privacy Policy

This Practice Cloud Privacy Policy (Privacy Policy) describes how Pen CS Pty Ltd (ABN 75 606 033 112) (we, our, us) manages Personal Information about individuals whose data is collected, held, transferred, disclosed or otherwise processed by us in respect of the provision of the Practice Cloud SaaS platform (Practice Cloud), as well as the steps that we take to secure the Personal Information.  

Practice Cloud is a cloud-hosted health intelligence platform, primarily used by medical practices (each, a Practice) and their personnel (each, an End User), to create reports and programs based on clinical and financial data about their patients (each, a Patient) in order to optimise Practice efficiency and facilitate better Patient and population health outcomes.

We are committed to complying with our privacy obligations in accordance with all applicable data protection and privacy laws, including the Australian Privacy Principles (APPs) contained in Schedule 1 of the Privacy Act 1988 (Cth) (Privacy Act) and the Health Privacy Principles (HPPs) contained in Schedule 1 of the Health Records and Information Privacy Act 2002 (NSW), Schedule 1 of the Health Records Act 2001 (Vic), and the privacy principles contained in Schedule 1 of the Health Records (Privacy and Access) Act 1997 (ACT) (PPs) (together, the Privacy Laws).

If we decide to change this Privacy Policy, we will post the updated version on this webpage. Our policy is to always be open and transparent about our privacy practices.  

1. What is Personal Information?

1. In this Privacy Policy, the term Personal Information includes “personal information” as that term is defined in the Privacy Act, “personal health information” as that term is defined in the Health Records (Privacy and Access) Act 1997 (ACT) and “health information” as that term is defined under both the Health Records and Information Privacy Act 2002 (NSW) and the Health Records Act 2001 (Vic).

2. The term “personal information” is defined in the Privacy Act to mean information or an opinion about an identified individual, or an individual who is reasonably identifiable,

1. whether the information or opinion is true or not; and
2. whether the information or opinion is recorded in a material form or not.

 

3. The “personal health information” of a consumer is defined in the Health Records (Privacy and Access) Act 1997 (ACT) to mean any personal information, whether or not recorded in a health record:

1. relating to the health, an illness or a disability of the consumer; or
2. collected by a health service provider in relation to the health, an illness or a disability of the consumer.

4. The term “health information” is defined in both the Health Records and Information Privacy Act 2002 (NSW) and the Health Records Act 2001 (Vic) to mean personal information that is:

1. information or an opinion about an individual’s physical or mental health or disability, their express wishes about the future provision of health services to them or a health service provided or to be provided to them; or
2. other personal information collected to provide, or in providing a health service; or
3. other personal information about an individual’s intended or actual donation of their body parts, organs or body substances; or
4. other personal information that is genetic information about an individual arising from a health service provided to the individual in a form that is or could be predictive of the health (at any time) of the individual or of a genetic relative of the individual; or
5. healthcare identifiers,

but does not include health information that is prescribed as exempt health information for the purposes of the above Acts.

2. Consents

5. Each Practice and their End Users using Practice Cloud are required to comply with all applicable Privacy Laws.

6. We rely on the Practices that use Practice Cloud to obtain all relevant privacy consents and authorisations from their Patients required by law, in order for the Personal Information that is entered into Practice Cloud to be collected, disclosed, held and otherwise processed by us. We require each Practice to obtain each of their Patient’s consent in accordance with Privacy Laws prior to us collecting, holding and/or processing any Personal Information about those Patients. We also rely on each Practice to ensure that all Personal Information about their Patients that is collected and held by us is accurate, up to date, complete, relevant and not misleading.

7. We encourage Practices to ensure that their Patients are familiar with their privacy policies so that their Patients can understand how the Practice will collect, use, hold, disclose and otherwise process Personal Information about them, including via Practice Cloud.

3. How we collect Personal Information

8. Our policy is to not collect Personal Information by means that are unfair or unreasonably intrusive in the circumstances. We only collect Personal Information that is necessary to provide the functionality of Practice Cloud and to otherwise operate our business.

9. We collect Personal Information about End Users, Patients and other individuals (Other Individuals) in connection with Practice Cloud in the following ways:

1. when the Practice creates new End User accounts on Practice Cloud or provides us with Personal Information;  
2. when an End User uploads, inputs or enters Personal Information about Patients and/or other individuals into Practice Cloud;
3. when an End User contacts us for technical support in respect of Practice Cloud;
4. when it is transmitted to us via an API in accordance with our obligations to do so pursuant to a contract with a Practice;
5. when it is voluntarily disclosed to us (such as via telephone, questionnaires, e-mail and online forms); and
6. when Practices enter into a contract with us.

10. We do not collect Personal Information directly from Patients. Each Practice is responsible for the lawful collection of their Patient’s Personal Information. We acquire a Patient’s Personal Information from an End User of the Practice when they upload, input or enter it into Practice Cloud.

4. The types of Personal Information that we collect and hold

11. We collect Personal Information from Practices and End Users of Practice Cloud.

12. We collect the following types of Personal Information:

7. Personal Information about Patients:  All information, including Personal Information that is entered into Practice Cloud by End Users about Patients, is stored and held in systems managed by us. The types of personal information that we collect and hold about Patients may include names, addresses, telephone numbers, email addresses, next of kin details, Medicare number and health insurance details, details of health services provided to them, medical history, family medical history, examination results, height, weight, age, other body and health measurements, prescriptions, medical recommendations, advice and treatment protocols.

8. Personal Information about End Users: We collect Personal Information about End Users when the Practice creates new End User accounts on Practice Cloud. The types of Personal Information that we collect about End Users may include first and last names, date of birth, email addresses, phone numbers, address, associated Practice name, associated Practice address, professional registration service provider number, billing information, time and date of telehealth calls and health professional type (i.e. general practitioner, surgeon, etc). Credit card details are not held by us but are held by payment gateway providers that we use. Other than the last 4 digits of a credit card, all other credit card information is not held by, or accessible to, us.

9. Personal Information about Other Individuals: We collect and hold Personal Information about Other Individuals that is entered into Practice Cloud by End Users, including Patient next of kin details and Patient family medical history. We also collect and hold Personal Information about Other Individuals that is provided to us, including about Practice personnel involved in negotiating a contract with us.  

5. How we use personal information

13. We use Personal Information that we collect and process, in the following ways:

Category	How we use and process that Personal Information	Why we collect the Personal Information
Personal information about Patients	As required to provide and support the functionality of Practice Cloud.   In order to store Patient Personal Information in databases and systems in our hosting environments at third-party data centres. To provide technical support in respect of Practice Cloud to End Users. Backing up and restoring data that includes Patient Personal Information. When conducting research and development of Practice Cloud and its functionality. To carry out security audits, investigate security incidents and implement security processes and procedures in connection with Practice Cloud.	Necessary for our legitimate interests (in order to operate and grow our business, administer and allow Practices to use Practice Cloud, and to enable us to operate our IT systems and networks, manage our hosting environments and ensure the successful delivery of our services). To comply with our legal and statutory obligations. Required in order to determine which Privacy Law applies to the individual.
Personal information about End Users	As required to provide and support the functionality of Practice Cloud.   To manage a Practice’s subscription and use of Practice Cloud. To provide technical support services to End Users. To send newsletters and other communications to End Users about Practice Cloud, events and education opportunities, and to market our products and services to them. Backing up and restoring data that includes End Users’ Personal Information. To carry out security audits, investigate security incidents and implement security processes and procedures  in connection with Practice Cloud. To communicate with End Users about their access and use of Practice Cloud. To handle complaints about or from End Users.	Performance of our agreements with Practices. Necessary for our legitimate interests (in order to operate and grow our business, in order to administer and allow End Users to access and use Practice Cloud, and to enable us to operate our IT systems and networks, manage our hosting environments and ensure the successful delivery of our products and services).   Required to identify End Users who use Practice Cloud and to identify persons who request technical support or wish to exercise their rights under the Privacy Laws to access and/or correct their Personal Information. Compliance with our legal obligations. Required in order to determine which Privacy Law applies to the individual.
Personal information about Other Individuals	As required to provide and support the functionality of Practice Cloud.   To issue invoices to Practices and to enforce the payment obligations of Practices. In order to store Personal Information provided about Other Individuals in databases and systems in our hosting environments at third-party data centres. Backing up and restoring data that includes Personal Information provided about Other Individuals. When conducting research and development of Practice Cloud and its functionality. To carry out security audits, investigate security incidents and implement security processes and procedures.	Necessary for our legitimate interests (in order to operate and grow our business, and to enable us to operate our IT systems and networks, manage our hosting environments and ensure the successful delivery of our services). To comply with our legal and statutory obligations. Performance of our agreements with Practices, including for billing purposes, so that we can issue invoices. Required in order to determine which Privacy Law applies to the individual.

6. De-identified data analysis

14. Personal Information may also be de-identified by us and used for statistical analysis. All such data is not held in a form that could reasonably be expected to identify an individual, and is therefore, not Personal Information for the purposes of the Privacy Laws.

15. We use de-identified information to help us review, enhance and improve Practice Cloud (for statistical or research purposes) and to develop case studies and marketing materials without identifying any individual.

7. How we hold and secure Personal Information

16. We hold and store Personal Information that we collect in our offices, computer systems and third-party owned and operated hosting facilities.

 

17. In particular:

1. we engage hosting facilities operated by reputable hosting providers;
2. Personal Information that is provided to us via email is held on our servers or those of our cloud-based email providers, which has restricted access security protocols;
3. we use third-party owned cloud-based customer relationship management (CRM) and marketing platform providers to hold Personal Information about Practices that enter into agreements with us to use Practice Cloud;
4. Personal Information is held on computers and other electronic devices in our offices and at the premises of our personnel; and
5. we hold Personal Information that is provided to us in hard copy in files and folders in secure locations.

18. We take reasonable steps to protect Personal Information that we hold using such security safeguards as are reasonable in the circumstances to take against loss, unauthorised access, modification and disclosure and other misuse and to implement technical and organisational measures to ensure a level of protection appropriate to the risk of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Information transmitted, stored or otherwise processed by us.

19. We:

1. only use reputable hosting providers to host Personal Information;
2. implement passwords and access control procedures, anti-virus, firewall and security controls for email and other applicable computer software and systems;
3. maintain files, in both hardcopy and electronic form, at our offices and other access-controlled premises;
4. operate online records managements systems on secure networks;
5. regularly perform security testing;
6. regularly carry out security audits of our systems which seek to find and eliminate any potential security risks in our electronic and physical infrastructure as soon as possible;
7. maintain physical security measures in our buildings and offices such as visitor access management, cabinet locks, surveillance systems and alarms to ensure the security of information systems (electronic or otherwise);
8. require our employees, agents, contractors and subcontractors to comply with the privacy and confidentiality provisions in their employment and subcontractor agreements that we enter into with them;
9. use SSL encryption on our systems;
10. have a Data Breach Response Plan in place;
11. have data backup archiving and disaster recovery processes in place;
12. if appropriate in the circumstances taking into account the state of the art, the costs of implementation and the nature, scope, content and purpose of the processing, we will encrypt Personal Information; and
13. with respect to Personal Information that we no longer require or where we are otherwise required to destroy it under applicable law, we ensure that such Personal Information is securely destroyed and/or de-identified.

8. Disclosure of Personal Information

20. We will disclose Personal Information to our employees, officers, professional advisors, suppliers, agents, contractors, subcontractors and/or related entities who assist us in the delivery and performance of Practice Cloud. We ensure that they are aware of their information security responsibilities, are appropriately trained to meet those responsibilities and have entered into agreements that require them to comply with privacy and confidentiality obligations that apply to Personal Information that we provide to them.

21. We only disclose Personal Information that we collect to third parties as follows:

14. in order to host databases that are integrated into Practice Cloud, we engage reputable hosting providers who host those databases on our behalf;
15. when performing contracts, we may outsource certain obligations to third-party contractors in accordance with our contractual rights (such as hosting, software development and other professional services). Professional services carried out by them may require access to an individual’s Personal Information. We ensure that all staff and contractors are aware of their information security responsibilities, are appropriately trained to meet those responsibilities and have entered into agreements which require them to comply with privacy and confidentiality obligations that apply to the Personal Information that we provide to them;
16. when providing information to our legal, accounting or financial advisors or insurers, or to our debt collectors for debt collection purposes or when we need to obtain their advice, or where we require their representation in relation to a legal dispute;
17. where a person provides written consent to the disclosure of their Personal Information;
18. where it is brought to our attention that specific Personal Information needs to be disclosed to protect the safety or vital interests of any person;
19. if we are contacted by any person who represents to us that they are an End User, for security purposes, we will only discuss the Personal Information that we hold about them with them if they identify themselves accurately and truthfully;
20. to avoid prejudice to the maintenance of the law by any public sector agency, including the prevention, detection, investigation, prosecution, and punishment of offences;
21. for the enforcement of a law imposing a pecuniary penalty;
22. for the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation); or
23. where required by law.

9. Third party websites and platforms

22. Practice Cloud may include links to third-party websites. Our linking to those websites does not mean that we endorse or recommend them. We do not warrant or represent that any third-party website operator complies with applicable Privacy Laws. You should consider the privacy policies of any relevant third-party website prior to sending Personal Information to them.

10. Interacting with us without disclosing Personal Information

23. If you do not provide us with your Personal Information, you can only have limited interaction with us. For example, you can browse our website without providing us with Personal Information, such as the pages that generally describe Practice Cloud or our products that we make available, and our Contact page. However, when you submit a form on our website, or become an End User on Practice Cloud or you otherwise enter into a business relationship with us, we need to collect Personal Information from you in order to identify who you are, so that we can provide you with Practice Cloud, and for the other purposes described in this Privacy Policy.
24. You have the option of not identifying yourself or using a pseudonym when contacting us to enquire about our products and/or services, but not if you wish to actually procure and/or use Practice Cloud. It is not practical for us to provide you with access and/or use of Practice Cloud (or any part thereof) if you refuse to provide us with your Personal Information.

11. Offshore disclosure

25. We may transfer your Personal Information to our contractors and service providers who assist us with the supply of Practice Cloud to you, and to assist us with the operation of our business generally, where we consider it necessary for them to provide that assistance. We will take reasonable steps to ensure that such overseas recipients do not breach the APPs, HPPs or PPs in relation to any Personal Information we provide to them and will comply with this Privacy Policy as it is applicable to them.
26. Such reasonable steps include ensuring our offshore service providers are subject to substantially similar laws or binding schemes as the Privacy Laws and have entered into agreements with us that require them to comply with privacy, confidentiality and data protection obligations that apply to the Personal Information that we provide to them.
27. Provided that we comply with the Privacy Laws, we may transfer your Personal Information to our offshore service providers who may be located outside Australia. Our offshore and overseas contractors and service providers are currently located within Australia.

12. How to access and correct personal information held by us

28. End Users who wish to access and correct the Personal Information held by us about them should contact us using our contact details set out below. Prior to contacting us or submitting a request for access to correct any Personal Information held about them, End Users can update their Personal Information by logging into their account on Practice Cloud, where such functionality is available. However, we encourage you to contact us in any event and we would be happy to assist you.  

29. If you are a Patient or an Other Individual, and you wish to access or correct the Personal Information held by us, then in the first instance you should contact the Practice that collected your Personal Information. End Users can access and correct Personal Information about any Patient or Other Individual that End Users of a Practice have entered into Practice Cloud. Alternatively, any Patient or Other Individual whose Personal Information is held by us in connection with Practice Cloud should contact us using our contact details set out below.

30. It is our policy to retain Personal Information in a form that permits identification of any person only as long as is necessary for the purposes for which the Personal Information was collected; and for any other related, directly related or compatible purposes if and where permitted by applicable Privacy Laws. We will only process Personal Information that you provide to us for the minimum length of time permitted by applicable Privacy Laws and only thereafter for the purposes of deleting, deidentifying or returning that Personal Information to you (except where we also need to retain the information in order to comply with our legal obligations, or to retain the data to protect your or any other person's vital interests).

31. We retain Personal Information held in connection with Practice Cloud as follows:

1. an End User’s Personal information will be held while they hold a current account on Practice Cloud and thereafter for a period of 7 years, for tax purposes;
2. a Patient’s Personal Information will be held while the Practice of the Patient is party to an agreement with us for the access and use of Practice Cloud and thereafter for a period of 30 days, after which time it will be automatically deleted or de-identified; and
3. We will keep Personal Information for longer periods than specified above, where we are required to retain the Personal Information under applicable Privacy Laws, for example, where required for the purposes of litigation.

32. As an alternative to deleting Personal Information, we may elect to de-identify it where permissible by law. We will de-identify certain types of Personal Information for the purpose of improving Practice Cloud and for provision to third parties for research purposes.  

33. Where you require Personal Information to be returned, it will be returned to you at that time, and we will thereafter delete all then remaining existing copies of that Personal Information in our possession or control as soon as reasonably practicable thereafter, unless applicable Privacy Laws requires us to retain the Personal Information, in which case we will notify you of that requirement and only use such retained Personal Information for the purposes of complying with those applicable laws.

34. We will handle all requests for access to Personal Information without unreasonable delay or expense, and in accordance with our statutory obligations. We may require payment of a reasonable fee by any person who requires access to their Personal Information that we hold, except where such a fee would be contrary to applicable law. We will not charge you for the making of any such request. We will endeavour to provide a response to any request for access to Personal Information within 3 business days from the time a request is made.

13. How to contact us regarding your privacy rights

35. Any person who wishes to contact us for any reason regarding our privacy practices or the Personal Information that we hold about them, or make a privacy complaint, may contact us using the following details:
    
    Pen CS Privacy Officer
    Email: privacy@pencs.com.au 
    Address: 301 Catherine Street, Leichhardt NSW 2040, Australia.
    Tel: 02 9506 3200

36. We will use our best endeavours to resolve any privacy complaint with the complainant within a reasonable time frame given the circumstances. This may include working with the complainant on a collaborative basis or otherwise resolving the complaint.

37. If the complainant is not satisfied with the outcome of a complaint or they wish to make a complaint about a breach of the APPs, they may refer the complaint to the Office of the Australian Information Commissioner, which can be contacted using the following details:
    
    Telephone: 1300 363 992
    Email: enquiries@oaic.gov.au
    Address: GPO Box 5218, Sydney NSW 2001, Australia.

38. If the complainant is not satisfied with the outcome of a complaint or they wish to make a complaint about a breach of any of the HPPs or PPs, they may refer the complaint to the relevant Commission in their jurisdiction:

NSW: Information and Privacy Commission

Telephone: 1800 472 679

Email: ipcinfo@ipc.nsw.gov.au

Vic: Health Complaints Commissioner

Telephone: 1300 582 113

Online form: https://hcc.vic.gov.au/make-complaint 

ACT: ACT Human Rights Commission

Telephone: 02 6205 2222

Email: hrcintake@act.gov.au