2. How we collect personal information and types of personal information we collect
We collect and store personal information, including your name, postal address, contact numbers, billing and payment information (such as credit card details), your professional qualification, your continuing professional development (CPD) information and deidentified patient information (which may include sensitive information such as health information).
We collect this information in numerous ways, including:
(a) when you register on and visit our CPD System, including when you submit information through our online forms;
(b) when you send us an inquiry, email or contact us;
(c) when administering any part of our services;
(d) customer satisfaction or feedback enquiries; and
(e) from publicly available or other sources, such as our business partners.
Where you do not wish to provide us with your personal information, we may not be able to provide you with requested goods or services.
3. Our purpose for handling your personal information
As a general rule, we only process personal information for purposes that would be considered relevant and reasonable in the circumstances.
We collect, hold, use and disclose personal information to:
(a) offer and provide you with our products and services, including the CPD System which tracks and manages your CPD information and deidentified patient information;
(b) manage and administer the CPD System and other services we provide you, including account keeping procedures;
(c) communicate with you regarding our products and services;
(d) comply with our legal and regulatory obligations; and
(e) otherwise to manage our business.
Our CPD System stores personal information for 7 years to comply with the CPD requirements of the Medical Board of Australia.
We may disclose your personal information to third parties who provide us with technical and support services or our professional advisers, where permitted under the Privacy Act. This may include sending personal information outside of Australia, such as to Stream Interactive Limited in New Zealand. We do not otherwise disclose your personal information to third parties unless required by law or instructed by you to supply the relevant College with the CPD hours completed by you in any given year.
4. Direct Marketing
We will not disclose your personal information to third parties for marketing purposes without your consent.
5. Access to and Correction of Personal Information
Subject to the Privacy Act, you have the right to access and correct the personal information that we hold about you at any time. You may also request that we delete your personal information.
We may seek to recover from you reasonable costs incurred for providing you with access to any of the personal information about you held by us.
We are not obliged to correct any of your personal information if we do not agree that it requires correction and may refuse to do so. If we refuse a correction request, we will provide you with a written notice stating our reasons for refusing.
6. Collection of Deidentified Patient Information
The deidentified patient information we collect may include but is not limited to medical diagnoses, treatment history and other related information. We ensure that all patient information collected is deidentified in accordance with the Privacy Act and APPs, so that individuals cannot be identified from the information.
7. Purpose of Collection of Deidentified Patient Information
The purpose of collecting deidentified patient information is to provide you with our products and services (including the CPD System). We may use this information and/or provide aggregated deidentified patient information and data to third parties for the purposes of:
(a) enabling insight into treatment patterns;
(b) improving healthcare and clinical practices and patient outcomes;
(c) enabling the development of research, studies, statistical analyses, modelling and reports; and
(d) enhancing medical knowledge through publication of journals, articles and/or other materials.
It is not possible to identify individuals from the aggregated deidentified patient information or data.
8. Use and Disclosure of Deidentified Patient Information
9. Deidentification of Patient Information
We take reasonable steps to ensure that the patient information we collect is deidentified in accordance with the Privacy Act and APPs. This means that the information is stripped of any identifying information, such as names, addresses, or other personal information, so that individuals cannot be identified from the information.
You must take all reasonable steps to ensure that any patient personal information submitted to our CPD System has been appropriately deidentified and is used solely for purposes of complying with your CPD obligation, developing patient treatment patterns or pathways and/or to improve healthcare outcomes. Where required by the Privacy Act and APPs, you must obtain a patient's consent prior to entering their personal information or sensitive information (such as their health information) into the CPD System.
10. Protection of personal information and security measures
We take reasonable steps to protect the personal information we hold from misuse, interference, loss, unauthorised access, modification or disclosure. We maintain appropriate security measures, including firewalls and secure servers, and procedures to protect your personal information.
11. Overseas transfers of personal information
We will hold personal information electronically on our CPD System, in cloud storage, and in some cases, on third party servers, which may be located overseas (such as New Zealand).
By providing your personal information to us:
(a) you consent to the storage of your personal information on overseas servers;
(b) you consent to us disclosing your personal information to any overseas recipients for purposes necessary or useful in the course of operating our business; and
(c) you agree that APP 8.1 will not apply to such disclosures.
For the avoidance of doubt and unless otherwise provided by law, in the event that an overseas recipient breaches the APPs, that entity will not be bound by, and you will not be able to seek redress under, the Privacy Act.
12. Compliance with Australian Privacy Laws
We comply with the APPs and the Privacy Act. This includes our obligations to:
• manage personal information in an open and transparent way;
• collect personal information only for lawful purposes that are reasonably necessary;
• ensure that personal information we hold is accurate, up-to-date, and complete;
• use and disclose personal information only for the purposes for which it was collected or as required by law;
• protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure;
• provide individuals with access to their personal information and the ability to correct or delete it;
13. Contact Us
Office of the Australian Information Commissioner
GPO Box 5218
Sydney NSW 2001
Telephone: 1300 363 992
The last update to this document was May 2023.