Privacy Policy


ZEDMED PTY LTD PRIVACY POLICY

Zedmed Pty Ltd ABN 77 093 859 315 of 25-27 QV Terrace, Melbourne (“Zedmed”, “we”, “us”, “our”) complies with the Australian Privacy Principles (“APPs”), which are part of the Privacy Act 1988 (Cth) (“Act”). Zedmed recognises and acknowledges that the protection of individuals’ privacy is important and required under the Act. This privacy policy explains how:

  • Zedmed protects the privacy of personal information Zedmed collects;
  • Zedmed may use such information and to whom such information may be disclosed; and
  • individuals can access and correct the personal information Zedmed holds, lodge complaints with Zedmed in respect of alleged breaches of privacy or make any related enquiry.

Zedmed reserves the right (at its discretion) to modify, amend or replace this privacy policy from time to time. The modified, amended or replaced policy will be posted by Zedmed to its website in place of the older privacy policy and notified to customers.

Scope

Zedmed requires that its staff comply with this policy in relation to any personal information they handle. Zedmed also uses its best endeavours to ensure that contractors comply with their obligations with respect to any personal information to which they may have access or which may be disclosed to them.

Zedmed may collect personal information from any individual with whom it may have contact, including job applicants, representatives from current and prospective suppliers and representatives from current and prospective customers.

Zedmed Solutions

Zedmed is a practice management software application for GPs, specialists and allied health. The application facilitates the storage and processing of a variety of information, including personal information regarding patients of our customers (Customer Data).

Zedmed can be hosted traditionally on-site at our customers’ practices or through remote / cloud hosting services provided by third parties engaged by our customers (Zedmed Hosted / On-Premise Solution). In this case, Customer Data is not collected, stored, used, processed, modified or disclosed by us, except to the extent required by permitted Zedmed employees who may access customer environments to provide the services Zedmed is contractually obliged to provide to the customer or as otherwise required by law. These services may include data migration, system configuration, maintenance and account administration.

Zedmed Cloud is the same application provided via a Software-as-a-Service model (Zedmed Cloud Solution); in other words, we host the application and all Customer Data is stored on our servers or those of third party service providers who we have engaged. The customer then accesses the Zedmed Cloud Solution over the internet. Nevertheless, as with our on-premise product, Zedmed does not access, use, process, modify or disclose Customer Data, except to the extent required by permitted Zedmed employees who may access the customer’s account to provide the services Zedmed is contractually obliged to provide to the customer or as otherwise required by law. These services may include data migration, system configuration, maintenance and account administration.

Except for the limited circumstances outlined in this privacy policy, access to Customer Data stored in one of our solutions is controlled directly by the customer. It is the customer’s responsibility to pass on the information contained in this privacy policy and obtain all necessary consents from individuals:

  • before their personal information is collected, stored, used, processed, modified or disclosed by the customer using any Zedmed solution; and
  • to the extent that personal information may be collected, stored, used, processed, modified or disclosed by us in accordance with this privacy policy.

Types of personal information Zedmed collects and holds

For the purpose of this privacy policy, “personal information” is information or an opinion that identifies an individual or which could reasonably identify the individual, regardless of whether the information or opinion is in a material form or not. The types of personal information that Zedmed collects and holds may include, but are not limited to:

Job applicants, contractors:

We collect certain personal information about job applicants and contractors wishing to supply products and/or services to us as well as their employees, including:

  • name, pronouns, date of birth, contact details, details of next of kin or emergency contact, payment details, resumes, employment histories and qualifications, training records and competency assessments, police checks and other suitability checks.

We may also collect sensitive information such as medical histories directly related to the individual’s ability to perform the inherent requirements of the position, and immunisation status where required by law or with your consent.

Customers and representatives:

We generally collect the following types of personal information regarding our customers and their representatives:

  • name, pronouns, contact details.

Customer Data:

Our customers input a variety of Customer Data into the Zedmed Solutions, which may include the following types of patient information:

  • name, pronouns, date of birth, contact details, details of next of kin or emergency contact, payment details, Medicare number and other information relevant to the patient’s relationship with the Customer, such as communication preferences, interests and interaction history.

Our customers may also input sensitive information regarding patients, such as medical histories, racial or ethnic origin and sexual orientation.

Where the customer is using the Zedmed Hosted / On-Premise Solution, as a general rule we do not collect this Customer Data. From time to time, as Zedmed provides its services to its customers, Zedmed may gain access to or collect Customer Data for certain limited purposes. Zedmed does not hold onto such personal information for longer than reasonably necessary and uses that personal information in order to provide the services Zedmed is contracted to provide to the relevant Zedmed customer. Such services may include, but not be limited to, data migration services and training services.

Where the customer is using the Zedmed Cloud Solution, we host the application and all Customer Data is stored on our servers or those of third party service providers who we have engaged. Nevertheless, as with our on-premise product, Zedmed does not access, use, process, modify or disclose Customer Data, except to the extent required by permitted Zedmed employees who may access the customer’s account to provide the services Zedmed is contractually obliged to provide to the customer or as otherwise required by law. These services may include data migration, system configuration, maintenance and account administration. We only access Customer Data in certain limited circumstances as detailed in this Privacy Policy.

In some limited cases, Zedmed may also collect Customer Data from the Solutions automatically, for example, where it is contained in screenshots attached to error reports. Zedmed does not hold onto such personal information for longer than reasonably necessary and uses that personal information in order to provide the services Zedmed is contracted to provide to the relevant Zedmed customer.

Website:

We may also collect the following information about you when you access our website:

  • the pages viewed and the information downloaded, the IP address of the computer used to visit our website and the page from where the individual visited our website, the type of browser used and information about websites visited before the individual visited our website.

The information we collect from visits to our website is generally anonymous (unless you specifically complete and submit a form to us using a template we make available to you via our website). We generally do not use such information to identify specific individuals. However, due to the nature of the Internet, such information may contain details which may identify a particular individual.

How we collect personal information

We only collect personal information using lawful means. We may collect personal information about an individual from a variety of sources using a variety of means, including:

  • a form (either physical or online) that is completed and submitted to us;
  • a telephone, email or in-person inquiry or discussion about us, the products and/or services that we provide;
  • when an individual contacts us over the telephone, we may record the conversation for training purposes and for the purpose of improving our customer experience. We will always notify you prior to recording a telephone call;
  • mail correspondence, emails and other electronic means (including by accessing our website and the use of the “contact us” form on our website);
  • through publicly available sources of information;
  • from job applicants and staff members;
  • direct contact in the course of us providing our goods and/or services;
  • in the course of conducting market research, including customer satisfaction surveys;
  • in the course of providing our goods and/or services to our customers; and
  • from current and prospective suppliers of goods and/or services to us.

Zedmed may also collect data from its website using various technologies, including ‘cookies’. A ‘cookie’ is a text file our website transmits to an individual’s browser which is stored on the individual’s computer as an anonymous tag identifying the individual’s computer (but not the individual) to us. The browser may be configured to disable cookies, but some parts of our website may not function properly (or at all) if cookies are disabled.

Except in the case of Customer Data, to the extent reasonably practicable and reasonable for us to do so, we collect personal information about an individual directly from that individual. Additionally, we will only collect personal information when we specifically ask for that information, except in circumstances where personal information is volunteered to us or otherwise supplied to us without us asking for such information.

Where Zedmed collects personal information on an unsolicited basis, Zedmed will comply with its statutory obligations in relation to such personal information.

Dealing with us anonymously and pseudonymously

In accordance with the current law, you do not need to provide us with your personal information and you may interact with us on an anonymous and pseudonymous basis. However, if you choose to interact with us in this fashion, or if you do not provide us with personal information when requested, we may be unable to provide you with all of the goods and/or services that you seek from us.

Further, we reserve the right to verify your identity as part of our response to a request to access and/or correct personal information we hold about you, or as part of our complaints-handling process. If we are unable to verify your identity, or you continue to engage with us on an anonymous or pseudonymous basis, we may be unable to satisfy your request or complete our complaints-handling process.

How does Zedmed use the personal information it collects?

As a general principle, and in accordance with Zedmed’s statutory obligations, Zedmed only uses personal information for:

  • the primary purpose for which the information was collected;
  • a secondary purpose that is related to the primary purpose for which you would reasonably expect Zedmed to use the collected information; or
  • as otherwise permitted or authorised by law, including the Australian Privacy Principles.

Zedmed will take reasonable steps to make individuals aware of the purpose for which the information Zedmed collects may be used by notifying individuals and customers about all relevant matters before or at the time of collection, including by reference to this privacy policy.

With regard to Customer Data, it is the responsibility of the customer to pass this information on to the individuals concerned and obtain all necessary consents from individuals:

  • before their personal information is collected, stored, used, processed, modified or disclosed by the customer using any Zedmed solution; and
  • to the extent that personal information may be collected, stored, used, processed, modified or disclosed by us in accordance with this privacy policy.

Zedmed may use the personal information it collects about an individual for one or more of the following purposes:

  • to provide products and services to the individual or to a third party which may directly or indirectly benefit the individual;
  • to install, maintain, support and service products we have supplied to the individual or to a third party which may directly or indirectly benefit the individual;
  • processing transactions and administering customer accounts (including by processing of invoices, bills, statements of account and related financial matters necessary to enable us to provide products and/or services under relevant contractual arrangements);
  • addressing queries, warranty claims and resolving complaints;
  • to send information updates, marketing materials and newsletters to current and prospective customers who have consented (either expressly or impliedly) to receive such information and provided that they have not opted out of receiving such information;
  • to seek the participation of current and prospective customers (on a voluntary basis) in advertising campaigns, events, launches, customer testimonials and focus groups;
  • to initiate contact with an individual if the individual and/or his/her employer has not purchased products or services from us for an extended period of time, or otherwise has not engaged with us for an extended period of time (unless we are informed that the individual no longer wishes to be contacted by us or by anyone on our behalf);
  • to improve our products and services, our website and our other means of communicating with our current and prospective customers;
  • carrying on business as the provider of clinical and office management software and related services; and
  • to directly market our products and services to current and prospective customers.

To whom may Zedmed disclose personal information?

Zedmed may disclose personal information collected from individuals to third parties but only on an as-needs basis and in order to fulfil one or more of the purposes for which the information was collected, any secondary purpose related to the primary purpose of collection, or otherwise as required or authorised by law.

Zedmed may disclose personal information to the following third parties (without limitation):

  • Zedmed’s agents and contractors (including, for example but without limitation, its agents and contractors in order to enable them to provide products or perform services on behalf of Zedmed, or to facilitate Zedmed’s provision of products or services to its customers);
  • Zedmed’s professional advisers; and
  • related entities of Zedmed.

Zedmed may also disclose personal information about an individual when required by law or court order, or other governmental order or process to disclose, where Zedmed believes in good faith that the law compels us to disclose information, or where Zedmed is required to do so as a result of any obligations owed by Zedmed under a contract.

Zedmed may disclose personal information about an individual to a third party if Zedmed considers it reasonably necessary to do so in order to identify, contact or bring legal action against any third party whom Zedmed suspects or knows is causing harm to, or interference with the products or services Zedmed provides, Zedmed’s information technology systems and equipment, or Zedmed’s property.

Personal information about individuals which Zedmed has collected may be disclosed to third parties in the event its business and/or assets are sold or offered for sale, at or before the time of a merger, acquisition or sale.

When Zedmed engages third parties to provide products and/or services to Zedmed, such third parties may have access to personal information Zedmed holds about individuals. Zedmed does not authorise those third parties to use any personal information disclosed to or accessed by the third party for any purpose other than to facilitate the third party’s completion of its obligations owed to Zedmed.

Without limiting the foregoing, Zedmed may disclose individuals’ personal information to its business partners and advisors (such as auditors, financial services or insurance companies) or to its professional advisers (such as its legal and accounting advisers) for them to complete their obligations owed to Zedmed under agreements that Zedmed has entered into for the purpose of undertaking or furthering its business operations and activities.

Disclosure of personal information overseas

Where Zedmed enters into a contract with a host provider for the hosting of information for and on behalf of Zedmed, Zedmed will use all reasonable endeavours to ensure that such contract reserves for Zedmed the right to control access to the personal information and to avoid the need for the host provider to access the information it hosts for the benefit of Zedmed. All product updates, backups, disaster recovery and general maintenance are performed by Zedmed, including MIMS and ICPC updates.

Zedmed may enter into contracts for the provision of hosting services with host providers located in Europe, the USA and/or other countries as determined by Zedmed from time to time at its discretion.

Zedmed does not otherwise disclose or allow a third party located outside Australia to access the personal information Zedmed holds.

Security and retention of personal information

Zedmed takes the security of all personal information in its possession seriously. Zedmed takes reasonable steps to protect any personal information it holds from misuse, interference and loss. Zedmed also takes reasonable steps to protect the information Zedmed holds from unauthorised access, modification and disclosure.

Zedmed takes reasonable physical security measures and technology security measures, and Zedmed staff are required to undertake privacy and data protection training from time to time, as part of their general obligation to respect the confidentiality and privacy of any personal information Zedmed holds.

Data is hosted and secured within ISO27001 data centres, with strict adherence to the Uptime Institute’s Tier III/IV standards, including CCTV cameras monitoring each property 24/7/365. Access to all facilities is controlled via an approved access list via photo and biometrics linked to an access card.

Sensitive and confidential information is stored securely using industry-standard encryption measures, which include:

  • natively, all data is encrypted at rest; and
  • data in transit encryption.

Zedmed regularly reviews and updates its physical and data security measures in light of current technologies and the requirements of applicable laws.

Zedmed only holds personal information it collects from or about an individual as long as reasonably necessary to fulfil the purpose(s) for which the information was collected, as required by law or in accordance with Zedmed’s document retention policies. When the information is no longer required to be held by Zedmed, Zedmed will take reasonable steps to destroy or de-identify the information.

Links to third party websites

Zedmed’s website may contain links to third parties’ websites, including sites maintained by other parts of the Medical One Group. Those other websites are not subject to Zedmed’s privacy policies and procedures. You will need to review those websites directly to view a copy of their privacy policies.

Zedmed does not endorse, approve or recommend the products or services provided by the operators of the relevant third-party website, and the fact that Zedmed includes links to those third-party websites should not be construed as an endorsement, approval or recommendation of either the website operator or the products or services so provided.

Accessing the personal information Zedmed holds

An individual is entitled at any time (on request to Zedmed) to access the personal information Zedmed holds about that individual.

All enquiries should be directed to Zedmed’s Privacy Officer, details of whom are set out below.

Where Zedmed receives a request to access the personal information Zedmed holds about an individual, Zedmed will comply with its statutory obligations and will respond to such an access request within a reasonable period of time.

Unless it is unlawful or impracticable for Zedmed to do so, Zedmed will generally provide access to the requested information in the manner requested.

Please note that Zedmed is entitled under the Australian Privacy Principles to charge a reasonable fee to cover the costs Zedmed incurs in providing access to the personal information held about an individual.

Additionally, Zedmed reserves the right to refuse access to an individual’s personal information Zedmed holds where any of the statutory exceptions to the access right exist in the particular circumstances. Where Zedmed refuses an access request, it will explain the reasons for refusal in writing and provide details in relation to the relevant complaint process.

Zedmed also reserves the right to request information from the individual making the access request in order to verify the identity of the individual making the request, in order to ensure that Zedmed is not inadvertently disclosing personal information to an individual not entitled to access such information.

Further, Zedmed reserves the right to redact the information made available in response to an access request, to protect the privacy of other individuals.

Quality of the personal information Zedmed holds

Zedmed takes reasonable steps to ensure that the personal information it collects, uses and discloses is accurate, complete and up-to-date.

However, the accuracy, completeness and currency of the information Zedmed holds largely depends on the accuracy of the information supplied to Zedmed or which Zedmed collects.

If at any time you discover that any information Zedmed holds about you is inaccurate, out-of-date, incomplete, irrelevant or misleading, please contact Zedmed’s Privacy Officer (details of whom are set out below) to request correction of the information. Zedmed will handle a correction request in accordance with its statutory obligations. However, as noted above, Zedmed reserves the right to verify your identity before processing a correction request.

Lodging a complaint

If you wish to make a complaint to Zedmed about how Zedmed handles the personal information collected from or about you, the complaint should be made in writing to Zedmed and addressed to the attention of Zedmed’s Privacy Officer (details of whom are set out below).

Zedmed will promptly acknowledge receipt and will endeavour to deal with the complaint and provide a response to you within a reasonable time period following receipt (generally within 30 days of receipt).

Where the complaint requires a more detailed investigation, the complaint may take longer to resolve. If this is the case, then Zedmed will endeavour to provide the complainant with progress reports.

Zedmed reserves the right to verify the identity of the individual making the complaint and to seek (where appropriate or reasonable) further information from the complainant about the circumstances of the complaint.

Where required by law, Zedmed will provide its determination on the complaint to the complainant in writing.

Zedmed reserves the right to refuse to investigate or to otherwise deal with a complaint where permitted under law, where such circumstances apply. For example, without limitation, Zedmed may refuse to investigate or to otherwise deal with a complaint if Zedmed considers the complaint to be vexatious or frivolous.

If you are not satisfied with the outcome of the complaint, then you may write to Zedmed seeking an internal review of its decision. Such internal review will be completed by an officer not previously involved in the complaint.

If you still remain dissatisfied following the outcome of the internal review, you may escalate the complaint to the Office of the Australian Information Commissioner.

How to contact Zedmed

If you have a query in relation to this privacy policy or wish to make a complaint, please contact:

Privacy Officer
Zedmed Pty Ltd
GPO Box 2061
Melbourne VIC 3000

Phone: 1300 933 833
Fax: +61 3 9682 8114
Email: privacy@zedmed.com.au