(last updated: 7 February 2022)
Zedmed requires that its staff comply with this policy in relation to any personal information they handle. Zedmed also uses its best endeavours to ensure that contractors comply with their obligations with respect to any personal information to which they may have access or which may be disclosed to them.
Zedmed may collect personal information from any individual with whom it may have contact, including job applicants, representatives from current and prospective suppliers and representatives from current and prospective customers.
Zedmed is a practice management software application for GPs, specialists and allied health. The application facilitates the storage and processing of a variety of information, including personal information regarding patients of our customers (Customer Data).
Zedmed can be hosted traditionally on-site at our customers’ practices or through remote / cloud hosting services provided by third parties engaged by our customers (Zedmed Hosted / On-Premise Solution). In this case, Customer Data is not collected, stored, used, processed, modified or disclosed by us, except to the extent required by permitted Zedmed employees who may access customer environments to provide the services Zedmed is contractually obliged to provide to the customer or as otherwise required by law. These services may include data migration, system configuration, maintenance and account administration.
Zedmed Cloud is the same application provided via a Software-as-a-Service model (Zedmed Cloud Solution), in other words, we host the application and all Customer Data is stored on our servers or those of third party service providers who we have engaged. The customer then accesses the Zedmed Cloud Solution over the internet. Nevertheless, as with our on-premise product, Zedmed does not access, use, process, modify or disclose Customer Data, except to the extent required by permitted Zedmed employees who may access the customer’s account to provide the services Zedmed is contractually obliged to provide to the customer or as otherwise required by law. These services may include data migration, system configuration, maintenance and account administration.
Types of personal information Zedmed collects and holds
Job applicants, contractors:
We collect certain personal information about job applicants and contractors wishing to supply products and/or services to us as well as their employees, including:
We may also collect sensitive information such as medical histories directly related to the individual’s ability to perform the inherent requirements of the position, and immunisation status where required by law or with your consent.
Customers and representatives:
We generally collect the following types of personal information regarding our customers and their representatives:
Our customers input a variety of Customer Data into the Zedmed Solutions, which may include the following types of patient information:
Our customers may also input sensitive information regarding patients, such as medical histories, racial or ethnic origin and sexual orientation.
Where the customer is using the ZedMed Hosted / On-Premise Solution, as a general rule we do not collect this Customer Data. From time to time, as Zedmed provides its services to its customers, Zedmed may gain access to or collect Customer Data for certain limited purposes. Zedmed does not hold onto such personal information for longer than reasonably necessary and uses that personal information in order to provide the services Zedmed is contracted to provide to the relevant Zedmed customer. Such services may include, but not be limited to, data migration services and training services.
In some limited cases, Zedmed may also collect Customer Data from the Solutions automatically, for example, where it is contained in screenshots attached to error reports. Zedmed does not hold onto such personal information for longer than reasonably necessary and uses that personal information in order to provide the services Zedmed is contracted to provide to the relevant Zedmed customer.
We may also collect the following information about you when you access our website:
The information we collect from visits to our website is generally anonymous (unless you specifically complete and submit a form to us using a template we make available to you via our website). We generally do not use such information to identify specific individuals. However, due to the nature of the Internet, such information may contain details which may identify a particular individual.
How we collect personal information
We only collect personal information using lawful means. We may collect personal information about an individual from a variety of sources using a variety of means, including:
Zedmed may also collect data from its website using various technologies, including ‘cookies’. A ‘cookie’ is a text file our website transmits to an individual’s browser which is stored on the individual’s computer as an anonymous tag identifying the individual’s computer (but not the individual) to us. The browser may be configured to disable cookies, but some parts of our website may not function properly (or at all) if cookies are disabled.
Except in the case of Customer Data, to the extent reasonably practicable and reasonable for us to do so, we collect personal information about an individual directly from that individual. Additionally, we will only collect personal information when we specifically ask for that information, except in circumstances where personal information is volunteered to us or otherwise supplied to us without us asking for such information.
Where Zedmed collects personal information on an unsolicited basis, Zedmed will comply with its statutory obligations in relation to such personal information.
Dealing with us anonymously and pseudonymously
In accordance with the current law, you do not need to provide us with your personal information and you may interact with us on an anonymous and pseudonymous basis. However, if you choose to interact with us in this fashion, or if you do not provide us with personal information when requested, we may be unable to provide you with all of the goods and/or services that you seek from us.
Further, we reserve the right to verify your identity as part of our response to a request to access and/or correct personal information we hold about you, or as part of our complaints-handling process. If we are unable to verify your identity, or you continue to engage with us in an anonymous or pseudonymous basis, we may be unable to satisfy your request or complete our complaints-handling process.
How does Zedmed use the personal information it collects?
As a general principle, and in accordance with Zedmed’s statutory obligations, Zedmed only uses personal information for:
With regard to Customer Data, it is the responsibility of the customer to pass this information on to the individuals concerned and obtain all necessary consents from individuals:
Zedmed may use the personal information it collects about an individual for one or more of the following purposes:
To whom may Zedmed disclose personal information?
Zedmed may disclose personal information collected from individuals to third parties but only on an as-needs basis and in order to fulfil one or more of the purposes for which the information was collected, any secondary purpose related to the primary purpose of collection, or otherwise as required or authorised by law.
Zedmed may disclose personal information to the following third parties (without limitation):
Zedmed may also disclose personal information about an individual when required by law or court order, or other governmental order or process to disclose, where Zedmed believes in good faith that the law compels us to disclose information, or where Zedmed is required to do so as a result of any obligations owed by Zedmed under a contract.
Zedmed may disclose personal information about an individual to a third party if Zedmed considers it reasonably necessary to do so in order to identify, contact or bring legal action against any third party whom Zedmed suspects or knows is causing harm to, or interference with the products or services Zedmed provides, Zedmed’s information technology systems and equipment, or Zedmed’s property.
Personal information about individuals which Zedmed has collected may be disclosed to third parties in the event its business and/or assets are sold or offered for sale, at or before the time of a merger, acquisition or sale.
When Zedmed engages third parties to provide products and/or services to Zedmed, such third parties may have access to personal information Zedmed holds about individuals. Zedmed does not authorise those third parties to use any personal information disclosed to or accessed by the third party for any purpose other than to facilitate the third party’s completion of its obligations owed to Zedmed.
Without limiting the foregoing, Zedmed may disclose individuals’ personal information to its business partners and advisors (such as auditors, financial services or insurance companies) or to its professional advisers (such as its legal and accounting advisers) for them to complete their obligations owed to Zedmed under agreements that Zedmed has entered into for the purpose of undertaking or furthering its business operations and activities.
Disclosure of personal information overseas
Where Zedmed enters into a contract with a host provider for the hosting of information for and on behalf of Zedmed, Zedmed will use all reasonable endeavours to ensure that such contract reserves for Zedmed the right to control access to the personal information and to avoid the need for the host provider to access the information it hosts for the benefit of Zedmed. All product updates, backups, disaster recovery and general maintenance is performed by Zedmed, including MIMS and ICPC updates.
Zedmed may enter into contracts for the provision of hosting services with host providers located in Europe, the USA and/or other countries as determined by Zedmed from time to time at its discretion.
Zedmed does not otherwise disclose or allow a third party located outside Australia to access the personal information Zedmed holds.
Security and retention of personal information
Zedmed takes the security of all personal information in its possession seriously. Zedmed takes reasonable steps to protect any personal information it holds from misuse, interference and loss. Zedmed also takes reasonable steps to protect the information Zedmed holds from unauthorised access, modification and disclosure.
Zedmed takes reasonable physical security measures, technology security measures and Zedmed staff are required to undertake privacy and data protection training from time to time, as part of their general obligation to respect the confidentiality and privacy of any personal information Zedmed holds.
Data is hosted and secured within ISO27001 data centres, with strict adherence to the Uptime Institute’s Tier III/IV standards including CCTV cameras monitoring each property 24/7/365 access to all facilities is controlled via an approved access list via photo and biometrics linked to an access card.
Sensitive and confidential information are stored securely using industry standard encryption measures. Which includes:
Zedmed regularly reviews and updates its physical and data security measures in light of current technologies and the requirements of applicable laws.
Zedmed only holds personal information it collects from or about an individual as long as reasonably necessary to fulfil the purpose(s) for which the information was collected, as required by law or in accordance with Zedmed’s document retention policies. When the information is no longer required to be held by Zedmed then Zedmed will take reasonable steps to destroy or de-identify the information.
Links to third party websites
Zedmed’s website may contain links to third parties’ websites, including sites maintained by other parts of the Medical One Group. Those other websites are not subject to Zedmed’s privacy policies and procedures. You will need to review those websites directly to view a copy of their privacy policies.
Zedmed does not endorse, approve or recommend the products or services provided by the operators of the relevant third-party website, and the fact that Zedmed includes links to those third-party websites should not be construed as an endorsement, approval or recommendation of either the website operator or the products or services so provided.
Accessing the personal information Zedmed holds
An individual is entitled at any time (on request to Zedmed) to access the personal information Zedmed holds about that individual.
All enquiries should be directed to Zedmed’s Privacy Officer, details of whom are set out below.
Where Zedmed receives a request to access the personal information Zedmed holds about an individual, Zedmed will comply with its statutory obligations and will respond to such an access request within a reasonable period of time.
Unless it is unlawful or impracticable for Zedmed to do so, Zedmed will generally provide access to the requested information in the manner requested.
Please note that Zedmed is entitled under the Australian Privacy Principles to charge a reasonable fee to cover the costs Zedmed incurs in providing access to the personal information held about an individual.
Additionally, Zedmed reserves the right to refuse access to an individual’s personal information Zedmed holds where any of the statutory exceptions to the access right exist in the particular circumstances. Where Zedmed refuses an access request, it will explain the reasons for refusal in writing and provide details in relation to the relevant complaint process.
Zedmed also reserves the right to request information from the individual making the access request in order to verify the identity of the individual making the request, in order to ensure that Zedmed is not inadvertently disclosing personal information to an individual not entitled to access such information.
Further, Zedmed reserves the right to redact the information made available in response to an access request, to protect the privacy of other individuals.
Quality of the personal information Zedmed holds
Zedmed takes reasonable steps to ensure that the personal information it collects, uses and discloses is accurate, complete and up-to-date.
However, the accuracy, completeness and currency of the information Zedmed holds largely depends on the accuracy of the information supplied to Zedmed or which Zedmed collects.
If at any time you discover that any information Zedmed holds about you is inaccurate, out-of-date, incomplete, irrelevant or misleading, please contact Zedmed’s Privacy Officer (details of whom are set out below) to request correction of the information. Zedmed will handle a correction request in accordance with its statutory obligations. However, as noted above, Zedmed reserves the right to verify your identity before processing a correction request.
Lodging a complaint
If you wish to make a complaint to Zedmed about how Zedmed handles the personal information collected from or about you, the complaint should be made in writing to Zedmed and addressed to the attention of Zedmed’s Privacy Officer (details of whom are set out below).
Zedmed will promptly acknowledge receipt and will endeavour to deal with the complaint and provide a response to you within a reasonable time period following receipt (generally within 30 days of receipt).
Where the complaint requires a more detailed investigation, the complaint may take longer to resolve. If this is the case, then Zedmed will endeavour to provide the complainant with progress reports.
Zedmed reserves the right to verify the identity of the individual making the complaint and to seek (where appropriate or reasonable) further information from the complainant about the circumstances of the complaint.
Where required by law, Zedmed will provide its determination on the complaint to the complainant in writing.
Zedmed reserves the right to refuse to investigate or to otherwise deal with a complaint where permitted under law, where such circumstances apply. For example, without limitation, Zedmed may refuse to investigate or to otherwise deal with a complaint if Zedmed considers the complaint to be vexatious or frivolous.
If you are not satisfied with the outcome of the complaint, then you may write to Zedmed seeking an internal review of its decision. Such internal review will be completed by an officer not previously involved in the complaint.
If you still remain dissatisfied following the outcome of the internal review, you may escalate the complaint to the Office of the Australian Information Commissioner.
How to contact Zedmed
Zedmed Pty Ltd
GPO Box 2061
Melbourne VIC 3000