Last Updated: 17 October 2023
and it will apply to all the personal information then held by us.
Privacy matters to us, and we know it matters to you.
As we provide a wide range of health products and services, this involves our collecting and handling a wide spectrum of personal or personal health information. We take our data responsibilities seriously and are committed to protecting your privacy and ensuring the security and integrity of your personal or personal health information.
- are, or are employed or engaged by, one of our business customers (for example, a visiting medical officer, health practitioner or other employee or contractor of a business that acquires our products and services);
- are a patient of, or receive health services from, a health professional, business or organisation that uses our products and services and in doing so shares your information with us;
- we otherwise deal with in the course of operating our business (for example, users of our website, job applicants, employees or independent contractors).
“Applicable Privacy Laws” means any and all laws relating to privacy and the collection, use and disclosure of Personal Information and Personal Health Information in all applicable jurisdictions where Telstra Health or its affiliates and the health professionals provide the Service, including but not limited to the Personal Information Protection and Electronic Documents Act (Canada) and/or any comparable provincial law, including Quebec’s Act respecting the protection of personal information in the private sector, CQLR c P-39.1.
“Personal information” or “PI” means information about an identifiable individual, which includes information, used alone or with other information, that can directly or indirectly be used to identify, contact, or locate a person.
“Personal health information” or “PHI” means information about an identifiable individual that can directly or indirectly be used to identify that individual and that relates directly to the individual’s physical or mental health, including the patient’s name, date of birth, medical history, medical treatment, medical test results, medication list, and any other health information. PHI may be found in medical records, treatment and examination notes and communications between you and your healthcare providers via the Platform.
I. OUR COLLECTION, USE AND DISCLOSURE OF PERSONAL INFORMATION
The types of information we may collect, and how we use or disclose it, will vary based on the nature of our relationship or dealings with you.
For a specific description, please select the following heading which best describes you:
1. You are, or are employed or engaged by, a business customer or healthcare provider that uses Telstra Health products or services
1.1 The type of information we collect
The standard personal information we collect might generally include details such as your name, date of birth, contact details (including address, email address and phone numbers), occupation (including credentials and specialisation), and username or password to access our products and services.
Depending on the particular product or service you use (and how you use it), we may also collect more in-depth information including:
- information about how you use our products and services;
- records of any interactions or communications you have with us, including your remote desktop connection details if we assist you by providing you with technical support;
- information that allows us to identify you for verification purposes, such as name, date of birth and email address;
- technical information about our products and services that you access;
- the location of where you use our products and services;
- certificates and identifiers, such as provider and prescriber numbers, that enable healthcare providers, organisations and their authorised users to access and use our products and services; and
- any other information that you provide to us directly, or that is provided to us by the business that employs or engages you to facilitate your use of our products and services.
1.2 How we collect it
There are four ways in which we might generally collect your personal information:
- you give it to us or we capture it when you or your representatives interact with us (for example, when you use our products, complete an application or contact form, or contact our call centres or online services for help);
- your employer/engaging business gives it to us to facilitate your use of our products and services; and
- we obtain information from outside sources like marketing mailing lists, third party integration partners, and publicly available information including professional registers.
We understand that you might not want to give us certain personal information. We can accommodate this, although it might mean that we cannot provide you with the products or services you need, or the level of service on which we pride ourselves.
1.3 How we use it
We may use your personal information for a number of purposes listed below, such as:
- administration – to properly manage the products and services we provide to you, such as by maintaining and updating our records and administering any charging or billing;
- identity verification – where appropriate, to verify your identity or to detect and prevent fraud;
- communication – to provide you with customer service, assist you with enquiries and otherwise communicate with you to enhance your experience with our products and services;
- operations – to monitor network use, quality and performance, and to operate, maintain, develop, test and upgrade our systems and infrastructure;
- improvement – to help us maintain, develop, evaluate and improve our products and services;
- direct marketing – if you have provided your consent or might otherwise reasonably expect us to do so, to enable us (and other Telstra group entities and affiliates) to promote and market health related products and services that we think will be of interest to you - we do not sell or otherwise provide personal information to unrelated third parties for their direct marketing purposes. To opt-out of this type of marketing, please follow the steps outlined in one of our marketing communications (click the unsubscribe button) or contact us using the details set out in the “How to contact us” section of this policy; and
- as otherwise authorised or required by law.
1.4 Who we might share or disclose it with
We may share your personal information with:
- service providers or third party integration partners – certain third parties that assist us to provide you with our relevant products and services (such as IT and network service providers, installation, maintenance and repair service providers, and mailing, billing and customer service providers). Where we share your information with a third party service provider, we make sure that they have first agreed to protect the privacy of your information, and we require these parties to take appropriate measures to protect your personal information in accordance with Applicable Privacy Laws and to restrict how they can use it;
- research partners – who assist us to engage in research and analyses to help us improve our products and services. Unless we have your consent to do this, this sharing occurs on a de-identified basis only and according to the Applicable Privacy Laws;
- your employing/engaging business – as our primary customer, we may need to share certain information with the business that employs or engages you and that has procured the relevant products and services you use;
- government and regulatory authorities – such as law enforcement and national security agencies, and other government and regulatory authorities, if such disclosures are required or authorised by law;
- advisors – third parties who assist us to manage or develop our business and corporate strategies and functions, including our corporate risk or funding functions;
- buyers or prospective buyers – for the purposes of facilitating or implementing a transfer/sale of all or part of our assets or business;
- our related entities – where appropriate for the purposes of managing our business and providing you with our products and services;
- other third parties – if the circumstances warrant such a disclosure or share (for example, if you directly request us to do so), but only where this is required or authorised by law.
2. You are a patient of, or receive health services from, a business customer or healthcare provider that uses our products and services
The type of personal information (“PI”) and personal health information (“PHI”) (collectively named “Information”) we might collect
The type of Information your health service provider might share with us can include:
- personal information – such as your name, date of birth, sex, contact details (including address, email address and phone numbers) and occupation, which information becomes “personal health information” when associated with your medical file;
- personal health and other sensitive information – while this will vary based on how your practitioner or health service provider uses our product or service, this could include your clinical and health-related information (including any relevant images and diagnostic information and medication details), information about a health service which has or is to be provided to you, information obtained via integrations with wearable medical devices, details of your nationality, racial or ethnic background and sexual preferences and practices; and
- unique identifiers – such as your patient ID, provincial health insurance card number or other health insurance authentication, or your social insurance number.
2.1 How we collect it
We provide a wide range of technological solutions to health service providers, to assist them to operate their business (including patient administration), store and manage clinical information, analyse health data, and engage in secure messaging for the exchange of personal health information (such as diagnostic results, patient notes, referrals and prescriptions).
If we provide products or services to your health service provider (for example, a doctor, hospital, aged care provider or pathology lab), that provider might share your information with us.
Depending on the functionalities and integrations you use within the App or Platform, we may also collect some personal information and personal health information about you from third party integration partners. For example, if you use a third party ‘Biobeat’ device and access the related integration between Biobeat and our Platform or App, Biobeat Technologies Ltd may share the following personal health information about you with us (subject to your consent):
- blood pressure;
- respiratory rate;
- stroke volume;
- cardiac output;
- pulse rate;
- mean arterial pressure;
- pulse pressure;
- heart rate variability;
- systemic vascular resistance;
- one-lead ECG; and
- cardiac index.
We have strict requirements about how we handle personal health information or other sensitive information, including to only collect it with your express consent or otherwise in accordance with all Applicable Privacy Laws and health records standards and regulations. In this regard, we rely on your health service provider to have obtained your full permission to share your information with us.
2.2 How we use it
As a general rule, we will only access or use your personal information and personal health information if it is reasonably necessary to enable any technical support that we might provide to your health service provider. However, there may also be limited circumstances where we are required to use or disclose your Information as required or authorised by law.
While we might also engage in analytical uses of certain Information (for example, to provide reports to our customers for benchmarking and other service improvement purposes), this is undertaken on an anonymised or de-identified basis only in accordance with generally accepted best practices and guidelines.
We do not use your Information for direct marketing purposes.
2.3 Who we might share or disclose it to
- our service providers – certain third parties who provide services to us, including organisations and contractors that assist us in connection with the limited purposes for which we use that personal information. Where we share your information with a third party service provider, we make sure that they have first agreed to protect the privacy of your information and we require these parties to take appropriate measures to protect your personal information in accordance with Applicable Privacy Laws and to restrict how they can use it;
- third party integration partners - depending on the functionalities and integrations you use within the App or Platform, we may also share some personal information and personal health information about you with third party integration partners. For example, if you use a third party ‘Biobeat’ device and access the related integration between Biobeat and our Platform or App, we may share the following personal health information about you with Biobeat Technologies Ltd (subject to your consent), who will store that information in Ireland: your Telstra Health identifier, device serial number of the wearable device you may use, year of birth, height, weight, systolic, diastolic and pulse readings. Before we share your personal health information, we will ask for your consent and we will conduct a privacy impact assessment and require our integration partners to take appropriate measures to protect your personal information in accordance with Applicable Privacy Laws and to restrict how they use it; and
- other third parties – if the circumstances warrant such a disclosure or share (for example, if you directly request us to do so), but only where this is required or authorised by law.
3. You are someone that we otherwise deal with in the course of operating our business (for example, users of our website, job applicants, employees or independent contractors)
3.1 The type of information we might collect or hold
The type of information we collect will ultimately depend on the nature of our dealings with you. For example, this might include:
- communications – a record of any correspondence or communication we have with you (e.g. if you make an enquiry), along with your name, contact details, and any other identifying information provided;
- if you are applying for employment or are an independent contractor – your name, contact details, date of birth, sex, professional background, expertise and qualifications, any references which are provided by third parties about you, and any other information which you provide to us or which is relevant to our assessment of your potential employment or our engagement of your services;
- information relevant to your employment with us; or
3.2 How we collect or hold it
Most personal information we collect will be received from you directly or, for employees, created by us about you. However, depending on the circumstances, it may also be collected from third parties such as recruitment agencies or our business partners and affiliates.
3.3 How we use and disclose it
We will only use or disclose your personal information for the primary purpose for which it was collected (for example, to assess your application or employment), or for any secondary purposes which you might reasonably expect and which are related to that primary purpose. Such purposes can generally be determined based on the circumstances in which the information was provided to us.
Examples of the types of third parties we might disclose your information to include:
- service providers – certain third parties that assist us to provide you with our relevant products and services (for example, IT and network service providers, or mailing operations and customer service providers). Where we share your information with a third party service provider, we make sure that they have first agreed to protect the privacy of your information, and we require these parties to take appropriate measures to protect your personal information in accordance with Applicable Privacy Laws and to restrict how they can use it;
- professional referees – if you have provided us with their name and contact details within an application for employment or engagement;
- buyers or prospective buyers – if relevant for facilitating or implementing a transfer/sale of all or part of our assets or business (for example, this might occur if you are a contractor);
- our related entities; and
- other third parties – if the circumstances warrant such a disclosure or share, but only where this is required or authorised by law.
If you require more specific information in this regard, please contact us using the details provided at the end of this document.
II. HOW WE PROCESS AND STORE YOUR INFORMATION
We provide Services globally and some elements of the Services may be hosted on servers located in countries outside your home country or province. The Platform hosts personal information in Canada, the United Kingdom (UK), Australia and the European Economic Area (EEA). We transfer your personal information to our subsidiaries in our group and to service providers globally.
We also use service providers who may access or store other Personal Information in Canada, the United Kingdom, the European Union, or other jurisdictions (for example, Biobeat hosts your personal information in Ireland).
The laws applicable to the protection of personal information in such countries may differ from those applicable in your home country or province and may permit or require disclosure of the data to law enforcement or national security authorities. Where required by law, or where we determine there is a heightened risk to the User in transferring their personal information outside of their province or territory, country, or region, we have implemented processes and procedures to undertake a privacy impact assessment.
For Quebec residents, Personal Information and Personal Health Information will be stored at rest in the province of Quebec within a Microsoft Azure server that provides strong privacy and security commitments. Please note that it is possible that this information could be communicated outside of Quebec. For example, we may store a copy of this information in Toronto solely for redundancy and disaster recovery purposes. Before transferring any personal information outside Quebec, we will inform individuals of this possibility through the relevant Privacy Notice and ensure that the transfer complies with relevant legal and contractual obligations by conducting a Privacy Impact Assessment.
III. HOW WE SECURE YOUR INFORMATION
We take privacy and confidentiality very seriously and take reasonable steps to maintain the security of your information and to protect it from unauthorised use and disclosure. This includes:
- Secure storage: we store all personal information and PHI in Microsoft Azure (Canada East and Canada Central regions) located in Canada. This environment is ISO 27001 certified and adheres to global privacy and data protection best practices;
- End-to-end encryption: using encrypted secure messaging for sensitive data;
- Access control: implementing monitoring and access controls to restrict who can access particular information;
- Network security: appropriately securing our electronic networks and physical facilities, such as by using business grade firewalls for all servers, and video monitoring and onsite security staff at the data centres where servers are hosted;
- Privacy-by-design: designing our products and services with privacy in mind, including by:
  - ensuring that your user account is only accessible by you (or people you have authorised);
  - requiring your account to be password protected;
  - enforcing a strong password policy; and
  - storing passwords only as non-reversible hashes (a one-way function that transforms the plain-text password into a value from which the original password cannot be recovered); and
- Audit: security auditing and reviews of our products and services – for some products, this includes penetration testing and security vulnerability testing.
While we take all precautions to protect your information, the safety and security of your information also depends on you. Where you have chosen a password for access to certain parts of our App, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.
We have taken reasonable measures to prevent a breach of your personal information and PHI. In the event of a risk of injury to a person whose personal information is concerned by a confidentiality incident, we will notify you at the first reasonable opportunity of the breach (according to the Applicable Privacy Laws), immediately apply remedial measures and notify any relevant provincial or federal authority in accordance with Applicable Privacy Laws and our Incident response plan.
We retain personal information and PHI only for as long as necessary to fulfill the purposes for which this information was originally collected, unless further retention is required for legitimate legal, regulatory or professional purposes. When personal information and PHI is no longer required to be retained, we will securely destroy, erase or anonymize the information in accordance with relevant legal, regulatory and contractual requirements and with our Retention policy.
We reserve the right to use anonymized data for any legitimate business purpose without further notice to you or your consent.
Some of your personal information and PHI cannot be deleted due to statutory retention requirements (for example, the minimum retention period of patient records varies by jurisdiction ranging from 10 to 34 years). For any deletion request, contact us at email@example.com, and we will let you know if we can accommodate your request.
V. OTHER IMPORTANT NOTES REGARDING OUR PRIVACY POLICIES AND PRACTICES
- Access to third party services
Some of our products and services allow you to share information with third party services or products. You should review the relevant third party terms and conditions and privacy policies before using a third party service or product. We are not responsible for these services or products.
6.1 Your express consent
We will not disclose your personal information and PHI to third parties unless such disclosure is permitted by Applicable Privacy Laws or you expressly consent to the disclosure.
6.3 Withdrawal of your consent
Your access and use of our App is completely voluntary. Where you have provided your consent to the collection, use, and transfer of your personal information, you may have the legal right to withdraw your consent under certain circumstances. To withdraw your consent, if applicable, contact us at firstname.lastname@example.org. Please note that if you withdraw your consent we may not be able to provide you with a particular product or service and you may not be able to access the App anymore. We will explain the impact to you at the time to help you with your decision.
If you no longer wish to receive certain informational or promotional emails from us, you can opt-out by using the unsubscribe button or sending us an email stating your request to email@example.com. This opt-out does not apply to information provided by us as part of a product or service purchase, service experience, or other transactions.
VII. HOW TO ACCESS OR CORRECT YOUR PERSONAL INFORMATION
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes. By law you have the right to request access to and to correct the personal information that we hold about you.
If you want to review, verify, correct, or withdraw consent to the use of your personal information you may also send us an email at firstname.lastname@example.org to request access to or correct any personal information that you have provided to us. We will send you a response by email within 30 days after receiving your request.
We may request specific information from you to help us confirm your identity and your right to access, and to provide you with the personal information that we hold about you or make your requested changes. Applicable law may allow or require us to refuse to provide you with access to some or all of the personal information that we hold about you, or we may have destroyed, erased, or made your personal information anonymous in accordance with our record retention obligations and practices. If we cannot provide you with access to your personal information, we will inform you of the reasons why, subject to any legal or regulatory restrictions:
- Information protected by solicitor-client privilege.
- Information that is part of a formal dispute resolution process.
- Information that is about another individual that would reveal their personal information or confidential commercial information.
- Information contained in patients’ records: you have the right to access your patient record as held by your healthcare professionals, including all the PHI contained therein. If you request a copy of your patient record, it may be provided to you, subject to a reasonable fee. You can request access to your patient record by contacting us. You may be temporarily denied access to your patient record if providing access would create a significant risk to your health. You will also be denied access to your patient record where disclosure would likely cause a substantial adverse effect on your physical, mental, or emotional health, or would reveal personal information about a third person or the existence of such information and the disclosure may seriously harm that third person, unless the third person consents or in the case of an emergency that threatens the life, health or safety of the person concerned. We use reasonable means to ensure that information in your patient record is accurate. If you identify any inaccuracies, you can request that a note be made on the file indicating the inaccurate information.
We may not accommodate a request to change information if we believe the change would violate any law or legal requirement or cause the information to be incorrect. The Management of Individual Rights Requests Procedure was developed to help us manage individual rights requests efficiently and in compliance with applicable legislation.
If you are concerned about our response or would like to correct the information provided, you may contact us at email@example.com or using the details in the “How to contact us” section below.
VIII. HOW TO CONTACT US
We welcome your questions, comments, and requests regarding this Policy and our privacy practices. Please contact our Chief Privacy Officer and team at:
JAMES HART, CHIEF PRIVACY OFFICER
PHONE: 1800 887 238 between 9am and 5pm Monday to Friday (except public holidays); or
We have procedures in place to receive and respond to complaints or inquiries about our handling of personal information, our compliance with this Policy, and with Applicable Privacy Laws. To discuss our compliance with this Policy please contact us at firstname.lastname@example.org.
If we are unable to respond to your request to your satisfaction, you may file a complaint with the Privacy Commissioner of your province or territory or the Privacy Commissioner of Canada.
In Quebec, the organization responsible for protecting privacy is the Commission d'accès à l'information du Québec (CAI).