About this Policy
We are committed to the protection of your personal information in accordance with the Australian Privacy Principles set out in the Privacy Act 1988 (Cth). This Policy sets out how Medipass Solutions Pty Ltd, trading as “Medipass” ABN 21 615 345 536 and its related bodies corporate (“Medipass”, “we”, “us” and “our”) collects, holds, uses, manages and stores personal information. This Policy should be read in conjunction with, and is subject to: (i) any other privacy or collection statement that we may provide to you when we collect your personal information or provide a particular product or service; and (ii) any terms and conditions of use which govern your access to and use of each of our products and services. We may change this Policy at any time. If we make changes to this Policy we will notify you by publication on our website at https://medipass.com.au/privacy_policy/. The revised version of the Policy will be effective at the time we post it. You can check the “published date” posted at the bottom to see when the Policy was last updated.
What is personal information?
“Personal information” means information or an opinion about an identified individual or an individual who is reasonably identifiable (such as a name, address, telephone number, mobile number or e-mail address). Personal information does not include “aggregate” information, which is data we collect about the use of the Service (and which does not include information or an opinion about an identified individual or an individual who is reasonably identifiable). Our Policy does not restrict or limit our collection and use of aggregate information.
Collection of personal information
We collect personal information from:
- you directly or via your use of our products and services;
- medical and health providers (“Practitioners”) that use Medipass; and
- end customers/Health Fund members (“Members”) to enable us to provide our products and services.
We will only collect personal information which is reasonably necessary for, or directly related to, our functions or activities. This information may be collected either directly using our practitioner applications or member applications, or indirectly via integrations with medical practice management systems, Health Fund platforms or other partner services (collectively referred to as the “Service”).
Personal information provided to us
We receive and store information you enter via the Service or provide to us via a third party. If you elect to use our Service, you may also provide us or a trusted third-party provider with the financial information required to process and fulfil your transaction. The personal information you provide is used for such purposes as allowing you to book medical appointments, obtain quotes, process health claims and payments, and communicating with you about transactions. If, at any time, you provide information about someone other than yourself, you warrant that you have that person’s consent to provide such information to us for the purposes specified in this Policy.
Except as described in this Policy, we do not generally require you to disclose any sensitive information (e.g. medical diagnosis information, details of race, religious belief, sexual orientation or membership of a trade union) to us. If you do provide us with sensitive information for any reason, where appropriate, we will obtain consent from you prior to collecting, using or disclosing that information for the purpose for which you disclosed it to us, and as permitted by the Privacy Act and other relevant laws.
You may choose not to provide us with certain information, but then you may not be able to take advantage of the Service or certain features of the Service.
Types of personal information
As a Member, the types of personal information collected may include your name, birthdate, address, mobile number, e-mail address, health fund account, payment card information and financial information that is entered via our Service.
When you make a booking, obtain a quote or process a health or payment transaction, we may communicate certain information to the selected Practitioner, your health fund and your payment card financial services organisation. We use this information as part of the health quote, health claim and payment process.
As a Practitioner, when you register for an account and use the Service, we collect the personal information you provide, such as:
- Your practice, practice business registration, company name, location, email address, phone numbers;
- Your practitioner registration details, such as Medicare or health fund provider numbers, accreditation information and modality registrations; and
- Government and industry issued identification numbers to verify your identity for underwriting and identity validation purposes.
We may retrieve additional personal information about you from third parties and other verification services such as credit bureaus and accreditation bodies.
Personal information automatically collected
We receive and store certain types of information whenever you interact with Medipass. Medipass automatically receives and records information on our server logs from your browser or smartphone including your hardware model, operating system version, device identifiers, browser type, IP address, browser cookie information, and the function you requested. We also record the details of your transactions on Medipass.
When you use Medipass on a location-enabled device, we may collect and process information about your actual location. We use sensor data from your device including GPS, WiFi, Bluetooth and mobile network towers to determine your location. This data is used to search for nearby practitioners, to enable simplified appointment check-ins, to verify the location of a provided service and for fraud detection purposes.
We also collect and use information about your interactions with the Service in a manner and format that does not identify you as an individual (“non-personally identifiable information”). We may collect, use, and disclose the following types of non-personally identifiable information:
We use third-party analytics tools to help us measure traffic and usage trends for the Service. These tools collect information sent by your browser or smartphone app as part of a web or application page request, including the pages you visit, your browser add-ons, your browser’s or device’s width and height, and other information that assists us in improving the Service. We may collect and use this analytics information together with your personally identifiable information to build a broader profile of our individual members so that we can serve you better, to improve the Service and for internal business purposes. We may disclose this combined information to our third-party business partners in aggregated, anonymised form as described below.
Links to other websites
Our website also contains links to the websites of third party providers of goods and services (“Third Party websites”). If you have accessed Third Party websites through our Service and if those third parties collect information about you, we may also collect or have access to that information as part of our arrangements with those third parties.
Where you access a Third Party website from our website, cookie information, information about your preferences or other information you have provided about yourself may be shared between us and the third party.
Advertising and tracking
When you view our advertisements on a Third Party website, the advertising company uses ‘cookies’ and in some cases ‘web beacons’ to collect information such as:
- the server your computer is logged onto;
- your browser type;
- the date and time of your visit; and
- the performance of their marketing efforts.
When you access our website after viewing one of our advertisements on a Third Party website, the advertising company collects information on how you utilise our website (e.g. which pages you view) and whether you complete an online application.
We utilise “cookies” and other technologies to collect non-personally identifiable information from our website and from other websites that use our Service. Information gathered through cookies and web-server log files may include information such as the date and time of visits, the pages viewed, IP addresses, MAC address, links to/from any page, and time spent at our site.
We use cookie data to measure web traffic and usage activity on our website for purposes of monitoring, troubleshooting and improving our website and Service, to look for possible fraudulent activity, and to better understand the sources of traffic and transactions on our website and the websites of merchants that use our Service. Cookies also allow our servers to remember your account information for future visits and to provide personalised and streamlined information across related pages on our website and also across other websites or applications that use the Service.
How we use the personal information we collect
We use the information collected to provide the Service, including:
- Account registration and validation
- Practitioner searches
- Appointment bookings
- Service quotes
- Appointment check-ins
- Health claims and payments processing
- Verifying your identity
- Customising the content you see on our website or app
- Providing you with our products and services
- Administering our products and services
- Processing a transaction between you and us on our website or via our app or by other means
- Developing and improving our website or app
- Contacting you
- Responding to your queries or complaints
- Improving the products and services we provide to you or offering new products and services to you
- Complying with any legal obligations that we may have under laws that apply to our business
- Any other matters that may reasonably be expected in connection with the above matters, where we have obtained consent for other collection activities, or are otherwise required to do so by law.
We use the information we collect from the Service to provide, maintain, protect and improve the Service, to develop new services, and to protect Medipass and our users. We also use information collected from cookies and other technologies to improve your user experience and the overall quality of our Service.
When you contact Medipass, we may keep a record of your communication to help solve any issues you might be facing. We may use your email address to inform you about our Service, such as letting you know about upcoming changes or improvements.
We will ask for your consent before using information for a purpose other than those that are set out in this Policy.
Protection of privacy
Health and payments information is sensitive and our Members have an expectation of privacy and confidentiality over the data we process. We believe that our platform should be safe, secure and provide a high integrity of service. To fulfil this, we treat security, privacy and processing integrity as a high priority.
Although no data transmission can be guaranteed to be 100% secure, we take reasonable steps to ensure that your personal information is accurate, complete, up-to-date, relevant and stored securely. We also take all reasonable steps to ensure that the personal information we hold is protected from misuse, interference and loss, and from unauthorised access, modification or disclosure, by the use of various methods including access limitation and strong encryption technology to safeguard the account registration process and sign-up information.
Although we take reasonable measures to ensure the security of personal information stored by us, we cannot guarantee that it is absolutely secure from malicious third party circumvention of security measures on our electronic resources (including our website and app), whether those resources are at any of our premises or those of our service providers.
Please note that third party recipients of personal information, including our service providers that provide the information, may have their own privacy policies and we are not responsible for their actions, including their handling of personal information. We cannot control the actions of other users with whom you share your information.
We have a variety of obligations to retain the data that you provide us, both to ensure that transactions can be appropriately processed, settled, refunded or disputed, to identify fraud, and also to comply with laws applicable to us and to our health fund partners, banking providers and payment card processors. Accordingly, even if you close your Medipass account we will retain certain information as necessary to meet our obligations. However, we will identify your account in our database as “inactive”. If any personal information that we hold is no longer required for the purpose for which it was collected and no applicable law requires us to retain that information, we will take reasonable steps to de-identify or destroy the information in accordance with applicable law.
Internal controls, security and privacy reference frameworks
Medipass maintains an internal control and risk framework which is guided by established security and privacy frameworks. Specifically, we take into consideration the following frameworks on security and privacy:
- ISO27001: an international framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation’s information risk management processes.
- PCI DSS (Payment Card Industry Data Security Standard): a proprietary information security standard for organisations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB.
- AS4360: the joint Australia / New Zealand reference on organisational risk management.
- RACGP Standard on management of health information and privacy.
- Guidelines on privacy in the private health sector, Office of the Federal Privacy Commissioner.
Medipass abides by several federal and state regulatory rules over privacy, including:
- The Privacy Act 1988 (Cth); and
- Australian Privacy Principles guidelines published by the Office of the Australian Information Commissioner.
Staff education and compliance
Medipass staff are required to complete periodic security and privacy awareness training to help ensure compliance with applicable controls and to help them identify and report a data breach. Training has been formed via consultation with a Director of Privacy from a Big 4 consulting firm.
Does personal information leave Australia?
Our principal place of processing is Australia. Any sensitive information you provide to us and payments information is processed in Australia. However, we may disclose personal information to our related bodies corporate, service providers, and processing partners, such as our help desk platform, that are located outside of Australia. We may store your personal information in locations outside our direct control, for instance, on servers or databases co-located with trusted hosting providers.
Some of the third parties to whom we disclose your personal information are located outside of Australia. These countries may include the United States of America, Ireland or the United Kingdom.
We will only disclose personal information to an overseas recipient for the primary purpose for which it was collected, unless an exception applies under the Privacy Act. See “How we use the personal information we collect” above.
Except in some cases where we may rely on an exception under the Privacy Act, we will take reasonable steps to ensure that such overseas recipients do not breach the Australian Privacy Principles in the Privacy Act in relation to such information.
Direct marketing
Direct marketing involves communicating directly with you for the purpose of promoting our services or the goods or services of third party organisations. From time to time, we may use your personal information for marketing purposes (for an indefinite period, including after you cease using our services). This includes sending you updates about new products and services we are offering. When we contact you, it may be by mail, telephone, email, SMS or through any other means. When we use or disclose your personal information for the purpose of marketing, we will:
- allow you to ‘opt out’ or in other words, allow you to request not to receive further direct marketing communications of the relevant type; and
- comply with a request by you to ‘opt-out’ of receiving further communications of that type within a reasonable timeframe.
You may ask to be removed from our marketing lists for any or all types of direct marketing at any time by contacting us using the details set out below.
To the extent that we use your personal information for marketing purposes, you can unsubscribe from our direct marketing, or change your contact preferences, by contacting us (see our contact details below) or by using the unsubscribe feature for email or SMS communications.
What Information do we share with third parties?
We will not share the personal information we collect from you through the Service with third parties, except as described in our Policy or in the provision of the Service or as otherwise disclosed to you or as permitted by law. By way of example, we share personal information with third parties as follows:
- with service providers, contractors and business partners who are working with us in connection with the operation of the Service;
- when you give us your consent to do so, including if we notify you in the Service that the information you provide will be shared in a particular manner and you provide such information;
- when we are lawfully authorised or required to do so or where doing so is reasonably necessary or appropriate to comply with the law or legal processes or to respond to legal authorities, including responding to lawful subpoenas, warrants or court orders;
- in connection with, or during negotiations of, any merger, sale of company assets, financing or acquisition, or in any other situation where personal information may be disclosed or transferred as one of our business assets; and
- otherwise as permitted or required by law.
Medipass does not sell or rent your personal information to marketers or third parties. Medipass may disclose personal information it collects about you to third parties for a variety of purposes in connection with providing its Service. These third parties may include our affiliates, agents, service providers, related bodies corporate, contractors, financial institutions, payment processors, health funds, verification services and credit bureaus, as well as any third parties that you have directly authorised to receive your personal information. We may share Member contact information, but not their payment or health fund account information, with Practitioners as part of appointment booking or health claim and payments transaction processing.
We may also disclose your personal information to law enforcement, government officials, or other third parties if required by law or we believe in good faith that the disclosure is necessary to prevent physical harm or financial loss, to report suspected illegal activity, or to investigate violations of our Terms of Service.
Where we disclose your personal information to third parties we will use reasonable endeavours to ensure that such third parties only use your personal information as reasonably required for the purpose for which we disclosed it to them and in a manner consistent with the Australian Privacy Principles under the Privacy Act.
We are not otherwise responsible for the actions of service providers or other third parties, nor are we responsible for any additional information you provide directly to any third parties. De-identified visitor information may be provided to other parties for marketing, advertising, or other uses.
Rights of users
We encourage you to update us regularly with your personal information to ensure that the information that we hold about you is up-to-date, accurate and complete. Users have the right, at any time, to know whether their personal information is stored, to learn its contents and origin, to verify its accuracy, to ask for it to be supplemented, cancelled, updated or corrected, or transformed into anonymous form, to block any data held in violation of the law, and to object to its processing for any legitimate reason. Requests should be sent to us at the contact details set out below. We will provide access to that information in accordance with the Privacy Act, subject to certain exemptions which may apply. We may require that the person requesting access provide suitable identification and where permitted by law we may charge an administration fee for granting access to your personal information. We will action requests for access and correction of your personal information within 30 days.
Can I opt-out of providing personal information?
If you do not wish to have your personal information used or disclosed in a manner described in this Policy, you can contact us. However, please note that if you do so, you may not be able to access, or use, all or part of the Service. Notwithstanding this, we may still use or disclose your personal information if:
(a) we subsequently notify you of the intended disclosure and you do not object to that use or disclosure;
(b) we believe that the use or disclosure is reasonably necessary to assist a law enforcement agency or an agency responsible for government or public security in the performance of their functions;
(c) the use or disclosure is necessary to enforce our terms and conditions;
(d) the use or disclosure is necessary to protect our rights;
(e) the use or disclosure is necessary to protect the safety of members of the public and users of our Service; or
(f) we are required by law to disclose the information.
What choices do you have regarding the use of your personal information?
You may “opt out” of receiving marketing or promotional emails from us by following the instructions in those emails or by emailing us at email@example.com. If you opt out, we may still send you non-promotional emails, such as emails about your accounts or our ongoing business relations.
Notification of Data Breach
An “eligible data breach” arises when either:
- there is unauthorised access or disclosure of personal information and a reasonable person would conclude that the disclosure or access is likely to result in serious harm to those individuals affected; or
- information is lost in circumstances where unauthorised access or disclosure is likely to occur and assuming that unauthorised access or disclosure were to occur, a reasonable person would conclude that the disclosure or access is likely to result in serious harm to the affected individuals.
If we become aware that there are reasonable grounds to suspect that there has been an “eligible data breach”, we will prepare a statement including:
- our identity and contact details;
- a description of the eligible data breach;
- the types of information concerned; and
- recommendations about the steps that you should take to protect yourself or mitigate harm.
We will provide this statement to the Privacy Commissioner and we will take steps to notify affected individuals directly or indirectly via a notice on our website.
Changes to policy
We reserve the right to make changes to this Policy from time to time. Please review this Policy periodically to check for updates. If any changes are material and/or retroactive, we may provide additional notice and/or an opportunity to “opt-in,” as appropriate under the circumstances. We may also advise you of changes to this Policy by emailing the revised policy to the addresses you provide us.
Questions or complaints
If you would like to access or seek correction of your personal information, or if you have complaints regarding our privacy practices, please contact our privacy officer by emailing firstname.lastname@example.org. Alternatively, you may contact us at the following address:
Medipass Solutions Pty Ltd, trading as “Medipass”
C/O PWC Freshwater Place
Southbank, VIC 3006 Australia
We will take any privacy complaint seriously and any complaint will be assessed with the aim of resolving any issue in a timely and efficient manner. We request that you cooperate with us during this process and provide us with any relevant information that we may need.
If you are not satisfied with the outcome of our assessment of your complaint, you may wish to contact the Office of the Australian Information Commissioner via www.oaic.gov.au.
This Policy was last updated on 19 March 2018.