Last Updated: 29 March 2023
1. Background
(a) Smartsoft Pty Ltd ACN 008 110 558 (Smartsoft, We, Our, Us and other similar terms) takes all reasonable steps to implement processes and procedures for the responsible management of Personal Information.
(b) We have implemented this Privacy Policy in accordance with the Australian Privacy Principles (APP) and other data protection rules to be open and transparent about how We collect, hold, disclose and use Personal Information, including in respect of Subscribers, End Users, Clients and others.
(c) This Privacy Policy also applies to all Personal Information collected by Smartsoft in the course of providing services to Our Subscribers and End Users regardless of its source and forms part of Our Agreement with a Subscriber.
(d) In this Privacy Policy:
Act means Privacy Act 1988.
Agreement means an agreement between Us and a Subscriber under which the Subscriber and its End Users are licensed by Us to use the Software.
Article means an article in the GDPR.
Client means a client, customer or patient of the Subscriber whose Personal Information is added to PracSuite by the Subscriber or its End Users.
Client Data means Personal Information and/or Sensitive Information of a Client which is entered into the Software by the Subscriber or its End Users and which is used, accessed or disclosed by the same via the Software in the course of that Subscriber or its End User using the Software including to provide the Client with health services. Such Client Data may include the Clients' Medicare details, health information and medication use.
End User means a person authorised by the Subscriber to access and use the Software under an Agreement.
GDPR means the General Data Protection Regulation, being Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
GDPR UK means the general data protection regulation of the United Kingdom made under the Data Protection Act 2018.
PracSuite means Our PracSuite practice management software.
Personal Information means information (including an opinion) about an individual whose identity is apparent or can reasonably be ascertained from the information whether true or not, and whether or not recorded in a material form.
Subscriber means a person who enters into an Agreement with Us for the Subscriber and its End Users to use the Software.
Sensitive Information has the meaning given by the Act and includes Personal Information that relates to an individual's racial or ethnic origins, religious beliefs or affiliations, trade association, trade union membership, sexual orientation, criminal record and information as to an individual's health or biometric information.
Software means PracSuite or any of Our other software.
Website means all of the pages located and accessible on Our website with the domain www.pracsuite.com.
You or Your means any natural person (including a Subscriber, End User or Client) in respect of which we collect, hold, disclose or use Personal Information.
2. Collection
2.1 Collection of Personal Information about Subscribers and End Users
(a) We collect Personal Information:
- when Subscribers and their End Users interact with Us online, over the phone, by email, in person, or through other means of communication;
- to assist Subscribers with the provision of services and to provide any related assistance or for other purposes requested by such communication;
- so as to provide access to and support of Our Software; and
- if you are a Client, indirectly from a Subscriber or its End Users from their entering of Client Data into the Software (see section 7 below for details).
(b) The type of Personal Information We collect includes names, addresses, telephone numbers, email, and any additional information provided to Us by the Subscriber as we reasonably require.
(c) When We have telephone conversations with End Users, including those regarding sales, help desk and service requests, We may make audio recordings of those telephone conversations for quality and training purposes.
(d) Where End Users contact Us on behalf of the Subscriber, the information provided often contains Personal Information about End Users employed by the Subscriber, their position, the employer and employees' contact details. In those circumstances, certain employment information is collected.
(e) Some of Our Subscribers provide credit and debit card details, bank account details or details about other payment facilities which contain Personal Information. Where We process regular payments on behalf of these Subscribers, We store this financial data.
(f) Personal Information will be collected directly from End Users together with information provided to us by an End User's authorised Subscriber.
2.2 Device Information and Cookies
(a) When You visit Our Website, We may collect certain information about Your device, including details about Your Web browser, IP address, time zone, and some of the cookies installed on Your device. Additionally, as You browse our Website We collect information about the individual Web pages You view, what Websites or search terms referred You, and information about how You interact with Us online.
(b) We collect device information using the following technologies:
- "Cookies" are data files placed on Your device or computer which may include a unique identifier, which is necessary for End Users to accept for the Software to function; and
- "Log files" which track actions occurring on the Website, and collect data including Your IP address, browser type, internet service provider, referring/exit pages, and date/time stamps; and
- "Web beacons", "tags", and "pixels" are electronic files used to record information about how You browse Websites.
(c) Please note that We do not alter Our Websites' data collection and use practices when We see a Do Not Track signal from Your browser.
(d) Through Our use of Google Analytics, the cookie-generated information about Your use of the Website (including Your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information to evaluate Your use of our Website, compile reports on Website activity for Website operators and provide other services relating to Website activity and internet usage.
(e) Google may also transfer this information to third parties where required to do so by law or where such third parties process the information on Google's behalf.
(f) You may refuse the use of cookies by selecting the appropriate settings on Your browser, however if You do, You may not be able to use the full functionality of Our Software. Note however that End Users must enable cookies for the Software to operate.
(g) We do not collect Personal Information or associate the information collected via cookies, web beacons, tags, log files or pixels with other Personal Information We collect from Our general-purpose Website.
(h) However, if You are an End User of the Software, cookies and other audit files will collect information about how You access and use these services. This information will be associated with Your username and other Personal Information.
3. Consent
By agreeing to this Privacy Policy, the Subscriber and each End User give Us consent to use their Personal Information for the purpose of providing the Subscriber and End Users with access to PracSuite.
By using Our Website, You consent to processing data about You by Google in the manner described in Google's Privacy Policy and for the purposes set out above. You can opt out of Google Analytics if You disable or refuse the cookie, disable JavaScript, or use the opt-out service provided by Google.
4. Use and Disclosure of Your Personal Information
4.1 General Use
We use Personal Information collected as part of Our business operations, primarily associated with providing Software and related services to Subscribers and End Users. Examples of when Your Personal Information may be used include:
(a) informing You about Our services;
(b) providing You with the services requested;
(c) administration needs in relation to providing Subscribers with service, including managing Your Account;
(d) dealing with requests, enquiries or complaints and other related activities;
(e) providing access to Our practice Software and the members' area of Our Website;
(f) notifying You via SMS and/or email about factual information relating to You, including:
- billing information if You are a Client of a Subscriber; and
- notifications issued by Our Software if You are a Client of a Subscriber, which we do on the Subscriber's instructions via their operation and use of the Software;
(g) marketing Our services generally; and
(h) as permitted by law (including as set out below); and
(i) Us providing your Personal Information to Our contractors, agents and service providers (for example, information technology contractors) but only (a) for the purpose of providing services to You, (b) as necessary to facilitate the operation of our business, and/or (c) for the purpose of storing your Personal Information; or
(j) to Our professional advisers but only so they can advise Us in respect of the same or in respect of a dispute with You.
We may also use Personal Information for purposes, as would be reasonably expected by You, in connection with those activities described above. However, We will not use Your Personal Information for purposes other than as described in this Privacy Policy or any other agreement We have with You unless
(a) You consent to that use; or
(b) we are expressly allowed to do so by the APPs or the Privacy Act or other laws including where such use or disclosure (i) is required under Australian law or by a court order, (ii) is, in Our belief, reasonably necessary to the activities of any enforcement body, or (iii) is required to prevent a serious threat to the life, health or safety of any individual, or to public health or safety.
4.2 Direct Marketing
Where You have elected to be included on Our mailing list or to receive other electronic communications, We may use Your contact details to send You those communications. To opt out of receiving marketing material, You may contact Us via the details below or select the "unsubscribe" link provided in that communication.
5. Accessing Your Information
Upon Your request and after satisfying Ourselves of Your identity, We will provide access to the Personal Information We hold about You except in certain prescribed circumstances. These include, where:
(a) We believe giving access would pose a serious threat to the life, health or safety of any individual or to public health or public safety;
(b) giving You access would be unlawful;
(c) granting access would have an unreasonable impact on the privacy of other individuals;
(d) the request for access is frivolous or vexatious;
(e) there are anticipated legal proceedings; or
(f) as otherwise allowed under clause 12.3 of the APPs.
6. Updating Your Information
(a) We take reasonable steps to ensure the Personal Information We collect, use and disclose is accurate, complete and up-to-date. You have a right to correct incorrect information at any time and may do so by contacting Us using the details provided below.
(b) If You become aware Your information is no longer accurate, complete or up-to-date, please contact Us.
7. Client Data
This section sets out some specific information as to Clients and Client Data.
(a) (Collection): We only indirectly collect Your Client Data by the Subscriber or its End Users using our Software to enter Client Data as part of the Subscriber or its End Users using the Software and providing health services to You. As such, the Subscriber or its End User is responsible for obtaining your consent to the collection of your Client Data and as to the use and disclosure of your Client Data via their use of the Software.
(b) (Holding, Use and Disclosure): While we will hold Your Client Data (via our Software), subject to this Privacy Policy, the use and disclosure of the Client Data are made by the Subscriber's, or its End Users', use of the Software. In this regard, We, via our Software, process Your Client Data as part of the functionality of the Software and the use of the same by the Subscriber or its End Users. As such, the Subscriber or its End Users are responsible for obtaining your consent to the disclosure and use they make of Your Client Data via their use of the Software.
(c) (Sensitive Information) We do not collect Sensitive Information or Sensitive Personal Information, as defined in Article 9 of the GDPR or the corresponding provision of the GDPR UK. From time to time, however, we may be asked for support from a Subscriber or its End Users regarding their use of the Software. As a result, we may need to access Sensitive Information or Sensitive Personal Information about a Client. In such circumstances we will only use the Sensitive Information or Sensitive Personal Information for providing such support. We note that Subscribers and End Users are obligated under the Act and the APPs and, if applicable under the GDPR or GDPR UK, to obtain your consent as a Client before they provide Us with any Personal and Sensitive Information or Sensitive Personal Information which they collect and enter into Our Software.
(d) (Off-Shore Transfers): Our Software enables a Subscriber and its End Users to disclose Client Data to various overseas entities as part of the functionality and use of Our Software. If You are a Client, we recommend you obtain and review the Subscriber's privacy policy regarding the potential disclosure of Client Data by the Subscriber and the User made by their use of Our Software.
(e) (Subscribers Privacy Policies): Our Agreement with a Subscriber requires the Subscriber to obtain the consent of Clients for the collection, disclosure and use of Client Data by the Subscriber in respect of their use of Our Software. We recommend that a Client obtains and reviews the Subscriber's privacy policy in this regard.
8. Offshore Transfers
8.1 To Australia
The Personal Information We collect may be transferred to Australia out of the EU and to countries including the United States, where it is processed by third-party providers of cloud-based services, who assist Us to manage promotional material, email, office administration, enterprise resource planning services and integrate with Our Software. Smartsoft relies solely on reputable service providers, including Amazon Web Services, Microsoft, Oracle and others, as required to provide these services.
8.2 Out of Australia
In order to continue providing services to You (including the Software services), We may be required from time to time to disclose Personal Information We collect to third-party contractors or service providers outside of Australia. Where we are required to provide such third parties with Personal Information, we will take such reasonable steps as necessary to:
- ensure that the overseas recipient does not breach the APPs (other than APP 1) in relation to the Personal Information received; or
- satisfy ourselves that the overseas recipient of Personal Information is (1) subject to a law or binding scheme that shall protect the Personal Information in a way that is substantially similar to the APPs and (2) there are mechanisms that You can access to take action to enforce that protection of the law or binding scheme.
If you are a Client, see section 8 above regarding transferring or using your Client Data via the Subscriber's or its End Users' use of Our Software.
9. Anonymity and Use of Pseudonyms
In general, You are not required to provide Personal Information to us. However, if you wish to receive information about our services or help desk services, You acknowledge that it may not be practical for You to use a pseudonym or otherwise not identify Yourself and that We may require You to provide certain Personal Information. If you do not provide some or all of the Personal Information requested, we may be unable to provide you with some or all of the services you request. You are required to provide true and accurate details when requesting the provision of services or engaging with Our help desk.
10. How We Secure Your Data
We take commercially reasonable steps to protect the Personal and Sensitive Information We hold from misuse, loss and unauthorised access, modification or disclosure, including by:
(a) maintaining and keeping Our systems up to date;
(b) using secure servers protected from unauthorised access, modification or disclosure;
(c) encrypting Our data;
(d) where possible, using two-factor authentication and encouraging the users of Our practice management software to make use of this feature;
(e) using secure sockets layer (SSL) encryption to transfer data across public networks, such as the internet;
(f) implementing IP barring features to protect against cyber security threats;
(g) barring access from geographic locations, including Brazil, China, Hungary, Italy, Romania, North Korea, Russia, Taiwan, Turkey and other countries which are high-risk zones for cybercrimes;
(h) providing Our clients with time-barring features in Our practice management software, which assists them in guarding against unauthorised out-of-hours data access;
(i) relying on reputable service providers;
(j) entering into written contracts with Our clients and suppliers, which include obligations of confidence and compliance with privacy laws; and
(k) limiting the collection of Your Personal Information to that which We reasonably require.
11. Data Retention
(a) If We hold Personal Information and We do not need that information for any purpose, We will take reasonable steps to destroy or de-identify that information, in accordance with the APPs, the GDPR or the GDPR UK (whichever is applicable), unless We are prevented from doing so by law.
(b) By way of example, under Australian law, financial records, such as those relating to financial transactions, must be retained for 7 years after the transactions associated with those records are completed.
(c) You may request us in writing to remove Your Personal Information, and where permitted, We will do so per the APPs, the GDPR and/or the GDPR UK (as applicable). Where we receive a request for the erasure of Personal Information, we issue corresponding erasure requests to Our integration partners wherever possible.
12. Use of De-Identified Data
The data We collect may have analytical value to Us and other third parties, including government agencies. We reserve the right to process and distribute information We collect through Our services. However, We will only distribute data which has been de-identified. De-identified data will not include Personal Information such as Your name, address, phone number, email address or other information which would reasonably allow You to be identified.
13. Additional Rights Under the GDPR and GDPR UK
(a) This clause applies if the GDPR or the GDPR UK applies to our dealings with you, including because we provide services to you and you reside in the European Union (in respect of the GDPR) or the United Kingdom (in respect of the GDPR UK).
(b) Where the GDPR applies, (a) we confirm that we will comply with our obligations under the same, (b) you have all of the additional rights set out in the GDPR as well as the rights set out in the rest of this Privacy Policy. Where the GDPR applies to our dealing with you, any provision in this Privacy Policy which is contrary to the GDPR will be deemed not to apply.
(c) We will store your Personal Information for (a) the period we require it to provide services to you and generally for a period of seven (7) years after the end of our engagement in respect of such services, and (b) any longer period which the law or good business practice requires.
(d) Where you have consented to the processing and use of your Personal Information under Article 6.1(a) or 9(2)(a), you may withdraw such consent at any time.
(e) You have a right to require us to erase your Personal Information as allowed under Article 17, including where (a) the Personal Information is no longer necessary for the purposes for which it was collected, or (b) you withdraw your consent, and there are no legal grounds for the continued use or processing of the Personal Information by us.
(f) You have a right to obtain from us a restriction on the use and processing of your Personal Information as set out in Article 18 where (a) you contest the accuracy of your Personal Information, (b) the use or processing is unlawful, you oppose the erasure of the Personal Information and request we restrict the use of the same instead, or (c) we no longer need the Personal Information, but you require the same for the exercise or defence of a legal claim.
(g) Where you have consented to the processing and use of your Personal Information under Articles 6.1(a) or 9(2)(a) and the processing of your Personal Information is carried out by automatic means, you have a right (a) to receive your Personal Information in a structured, commonly used and machine-readable format, and (b) to transmit that Personal Information to another person or entity without hindrance from us.
(h) You have a right to obtain from us without undue delay the rectification of inaccurate Personal Data concerning you.
(i) Subject to the restrictions in Article 14(5), where we do not collect the Personal Information from you, we will provide you with the information required under Article 14(1) and 14(2) within the time required by Article 14(3).
(j) Where we provide services to you, the provision of Personal Information will be a contractual obligation so we can provide the services and, where applicable, meet any statutory obligations.
(k) If at any time the GDPR requires us to have a data protection officer, then the person specified by Us will be our Data Privacy Officer as specified at the end of this Privacy Policy.
(l) We will transfer your Personal Information outside of the European Union where you have expressly consented in writing, or it is necessary for the performance of a contract with you (e.g. so we can provide services to you). We note the European Union recognises New Zealand and Canada as being countries outside of the European Union, which offer an adequate level of data protection for the purposes of the GDPR. However, currently, Australia is not recognised by the European Union as being a country outside the European Union that offers an adequate level of data protection for the purposes of the GDPR.
(m) You have a right to receive and obtain from us confirmation as to whether or not Personal Information concerning you is held or being used or processed by us, and if so, (a) the purposes of the use and processing, (b) the categories of Personal Information concerned, (c) the recipients or categories of recipients to whom your Personal Data has been disclosed including recipients in third countries, (d) where possible, the envisaged period we will store your Personal Information, or if this is not possible, the criteria we use to determine that period, (e) your right to request we rectify or erase your Personal Information or restrict the use and processing of your Personal Information (see other paragraphs of this clause as to details of your rights in respect of these matters), (f) information as to your rights to lodge a complaint with the independent public authority in the country in the European Union in which you reside, (g) where we do not collect your Personal Information from you, any available information as to the source of the same, and (h) the existence of automated decision making (including profiling) and meaningful information as to the logic involved, as well as the significance and envisaged consequences of such processing and use for you.
(n) Where the GDPR UK applies clauses 13(b) to (m) above will apply with references in the same to (a) GDPR being a reference to GDPR UK, (b) Articles being to the relevant provisions of the GDPR, and (c) references to the European Union being to the United Kingdom.
14. Complaints Procedure
Smartsoft is a customer service-oriented business. If You believe that We have breached our Privacy Policy, you can make a complaint by emailing or writing to Us (see below for our contact details). We will attempt to complete our investigation and resolve Your complaint within 14 days from the date you lodge your complaint. If We think it will take longer to resolve your complaint, we will inform You. If We do not resolve Your complaint to Your satisfaction or You are dissatisfied with the action We have taken, You can make a complaint to the Office of the Australian Information Commissioner. For further information about how to do this, please contact the Office of the Australian Information Commissioner on 1300 363 992 or visit www.oaic.gov.au.
The Office of the Australian Information Commissioner
GPO Box 5218
Sydney, NSW 2001
Telephone: 1300 363 992 (within Australia)
Telephone: +61 2 9284 9749 (outside Australia)
Website: https://www.oaic.gov.au/about-us/contact-us
Alternatively, if You are an EU or UK resident or citizen, You may contact Your local supervisory authority.
15. Contacting Us
For more information about Our privacy practices, if You have questions, or if You would like to make a complaint, please contact Us using the details provided below:
Privacy Officer
Smartsoft Pty Ltd ACN 008 110 558
107 Flinders Street
Adelaide, SA 5000
Australia
Email: privacy@smartsoft.com.au
16. Amendments
This privacy policy is published on Our Website and may be updated from time to time at Our discretion. By continuing to use Our Website or otherwise continuing to subscribe to Our services or deal with Us (including as a Subscriber or End User), You accept this privacy policy as it applies from time to time. You may request a hard copy of this policy at any time.