1.1 CancerAid Pty Ltd ABN 75 607 610 257 (we, us or our) provides the CancerAid web & mobile system (CancerAid) to allow users diagnosed with cancer (Patients), their caregivers (Carers) and any user that a Patient has nominated to access parts of the Patient’s account, including champions, medical champions, institutions or staff members to:
a. Access generic information on the diagnosis and treatment of cancer (Cancer Information);
b. Enter information regarding the Patient’s experiences, symptoms and appointments etc.;
c. Communicate with other users;
d. Connect and share information with medical or healthcare providers, hospitals or other cancer support or research organisations (Institutions);
e. Volunteer to take part in medical research studies conducted by research organisations (Research Organisations);
f. Share information via social media; and
g. Access such other information and features, as we may make available via CancerAid from time-to-time in accordance with the CancerAid Coaching Program Terms and Conditions.
1.2 Access to the functionality outlined above relies on the Patient creating, storing and editing electronic health records which relate to the Patient’s personal and health information, which we refer to as EHR. Patients are not required to provide us with access to their EHR; however, if a Patient does not provide us with access to his or her EHR, then it may affect our ability to provide a Patient with access to our services.
a. Providing the system and services that CancerAid offers; and
b. The normal day-to-day operations of our business.
2. WHO AND WHAT THIS POLICY APPLIES TO
2.2 We handle the Personal Information of adults and children in our own right and also for and on behalf of our Users.
2.5 If, at any time, an individual provides Personal Information or other information about someone other than himself or herself, the individual warrants that:
a. With respect to Personal Information about a child, they are that child’s “responsible person” as defined in the Privacy Act (namely a parent or guardian); and/or
b. They have that person’s consent to provide such information for the purpose specified.
3. THE INFORMATION WE COLLECT
3.1 In the course of providing our services, it is necessary for us to collect Personal Information. This information allows us to identify who an individual is for the purposes of our business, share Personal Information when permitted and/or required of us by law, contact the individual in the ordinary course of business and transact with the individual. Without limitation, the type of information we may collect includes:
a. Personal Information. We may collect personal details such as an individual’s name, location, date of birth, nationality, family details and other information defined as “Personal Information” in the Privacy Act that allows us to identify who the individual is;
b. Contact Information. We may collect information such as an individual’s email address, telephone & fax number, third-party usernames, residential, business and postal address and other information that allows us to contact the individual;
c. Financial Information. We may collect financial information related to an individual such as any bank or credit card details used to transact with us and other information that allows us to transact with the individual and/or provide them with our services;
d. Statistical Information. We may collect information about an individual’s online and offline preferences, habits, movements, trends, decisions, associations, memberships, finances, purchases and other information for statistical purposes; and
e. Information an individual sends us. We may collect any personal correspondence that an individual sends us, or that is sent to us by others about the individual’s activities.
3.2 We outline how we treat Personal Information that is also sensitive information below.
3.3 We may also collect Personal Information about an individual such as:
a. A User’s session and geo-location data, device and network information, statistics on app views and sessions, acquisition sources or browsing behaviour; and
b. Information about a User’s access and use of our website, including through the use of Internet cookies, Users’ communications with our website, the type of browser a User is using, the type of operating system a User is using and the domain name of a User’s Internet service provider.
4. HOW WE TREAT PERSONAL INFORMATION THAT IS ALSO SENSITIVE INFORMATION
4.1 Sensitive information is a sub-set of personal information that is given a higher level of protection under the Australian Privacy Principles. Sensitive information means information relating to a person’s racial or ethnic origin, political opinions, religion, trade union or other professional associations or memberships, philosophical beliefs, sexual orientation or practices, criminal records, health information or biometric information.
4.2 The type of sensitive information we may collect about a Patient includes EHRs, general health information, injuries, disabilities, accessed health services, medical histories, prescriptions, allergies and other information about an individual defined as “health information” in the Privacy Act.
4.3 We will not collect sensitive information about a Patient without first obtaining that Patient’s consent.
4.4 Provided a Patient consents, that Patient’s sensitive information may only be used and disclosed for purposes relating to the primary purpose for which the sensitive information was collected, including:
a. To provide the Patient with access to CancerAid and CancerAid’s functionalities, including but not limited to access to coaching, tips and guidance on exercise, diet & nutrition and mindfulness and sleep;
b. To provide coaches with background on a Patient’s medical history for the purposes of coaching the relevant Patient through the CancerAid coaching program;
c. To ensure that information available on CancerAid is relevant to the Patient;
d. To tailor any plans available to the Patient on CancerAid.
5. THE DISCLOSURE OF DISCHARGE SUMMARIES
5.1 Please note, this section only applies to Patients who are using our coaching program.
5.2 At the end of the coaching program, we will ask Patients whether they would like to provide a discharge summary to the entity (such as an insurer) (Referring Entity) which referred that Patient. A discharge summary may include information that is contained in EHRs, information regarding the Patient’s progress using CancerAid and other data obtained from the Patient when using CancerAid. Discharge summaries will only be provided to the relevant Patient’s Referring Entity and not to any other organisation.
5.3 It is the Patient’s sole choice as to whether a discharge summary is provided to a Referring Entity on completion of the coaching program and we will request the Patient’s consent to the provision of a discharge summary to the relevant Referring Entity. Providing a discharge summary allows a Referring Entity to connect the Patient with health and wellbeing programs offered by the Referring Entity.
5.4 Sensitive information may also be used or disclosed if required or authorised by law.
6. HOW INFORMATION IS COLLECTED
6.1 Most information will be collected in association with an individual’s use of CancerAid, an enquiry about CancerAid or generally dealing with us. However, we may also receive Personal Information from sources such as advertising, public records, mailing lists, contractors, staff, recruitment agencies and our business partners. In particular, information is likely to be collected as follows:
a. Registrations/Subscriptions. When an individual registers or subscribes for a service, list, account, connection or other process whereby they enter Personal Information details in order to receive or access something, including a transaction;
b. Accounts/Memberships. When an individual submits their details to open an account and/or become a member with us;
c. Using CancerAid. When an individual enters personal information into CancerAid for any reason;
d. Supply. When an individual supplies us with goods or services;
e. Contact. When an individual contacts us in any way; and/or
f. Pixel Tags. Pixel tags enable us to send email messages in a format customers can read and they tell us whether mail has been opened.
6.2 As there are many circumstances in which we may collect information both electronically and physically, we will endeavour to ensure that an individual is always aware of when their Personal Information is being collected.
6.3 Where we obtain Personal Information without an individual’s knowledge (such as by accidental acquisition from a client) we will either delete/destroy the information, or inform the individual that we hold such information, in accordance with the Australian Privacy Principles.
7. WHEN PERSONAL INFORMATION IS USED & DISCLOSED
7.1 The primary reason Personal Information is used or disclosed is to share EHRs with other Users of CancerAid authorised by the Patient to view the EHR. We will never use Personal Information in CancerAid for any other purpose than making the individual’s EHR available to Users, Practitioners, Institutions, Referring Entities or Research Organisations authorised by the Patient to receive it. We will never use the information in an EHR for any marketing or commercial purposes, and we maintain all Health Information in the strictest confidence.
7.2 In general, the primary principle is that we will not use any Personal Information other than for the purpose for which it was collected, except with the individual’s consent. The purpose of collection is determined by the circumstances in which the information was collected and/or submitted.
It is necessary for us to disclose an individual’s Personal Information to third parties in a manner compliant with the Australian Privacy Principles in the course of our business, which includes:
a. The release of the Personal Information to Users, Institutions or Research Organisations authorised by the Patient; and
b. Sharing Personal Information with a Patient’s nominated medical champions as authorised by the Patient.
7.5 Information is used to enable us to operate our business, especially as it relates to an individual. This may include:
a. The provision of goods and services between an individual and us;
b. Verifying an individual’s identity;
c. Communicating with an individual about:
i. Their relationship with us;
ii. Our services;
iii. Surveys, requests for feedback and questionnaires;
iv. Research studies;
v. Investigating any complaints about or made by an individual, or if we have reason to suspect that an individual is in breach of any of our terms and conditions or that an individual is or has been otherwise engaged in any unlawful activity; and/or
vi. As required or permitted by any law (including the Privacy Act).
7.6 There are some circumstances in which we must disclose an individual’s information:
a. As part of a sale (or proposed sale) of all or part of our business;
b. Where we reasonably believe that an individual may be engaged in fraudulent, deceptive or unlawful activity that a governmental authority should be made aware of; and/or
c. As required by court order.
7.8 We utilise third-party service providers to communicate with an individual and to store Personal Information about them. Such services we currently use include:
a. Amazon Web Services operated by Amazon Web Services Inc. (a company incorporated in the United States of America), which hosts CancerAid on servers that will be located in Australia;
b. Cloud66 operated by Cloud 66 Incorporated (a company incorporated in the United States of America) for development, deployment and maintenance of our cloud-based application; and
c. SendGrid operated by SendGrid, Inc. (a company incorporated in the United States of America) for email.
8 OPTING “IN” OR “OUT”
8.1 An individual may opt to not have us collect their Personal Information. This may prevent us from offering them some or all of our services and may terminate their access to some or all of the services they access with or through us. They will be aware of this when:
a. Opt In. Where relevant, the individual will have the right to choose to have information collected and/or receive information from us; or
b. Opt Out. Where relevant, the individual will have the right to choose to exclude himself or herself from some or all collection of information and/or receiving information from us.
8.2 If an individual believes that they have received information from us that they did not opt in or out to receive, they should contact us on the details below.
9 THE SAFETY & SECURITY OF PERSONAL INFORMATION
9.2 We will take all reasonable precautions to protect an individual’s Personal Information from unauthorised access. This includes appropriately securing our physical facilities and electronic networks.
9.4 CancerAid uses client-side, transmission, and server-side encryption for all Personal Information. Despite this, the security of online transactions and the security of communications sent by electronic means or by post cannot be guaranteed. Each individual that provides information to us via the internet or by post does so at their own risk. We cannot accept responsibility for misuse or loss of, or unauthorised access to, Personal Information where the security of information is not within our control.
9.5 We are not responsible for the privacy or security practices of any third party (including third parties that we are permitted to disclose an individual’s Personal Information to in accordance with this policy or any applicable laws). The collection and use of an individual’s information by such third parties may be subject to separate privacy and security policies.
9.6 If an individual suspects any misuse or loss of, or unauthorised access to, their Personal Information, they should let us know immediately.
9.7 We are not liable for any loss, damage or claim arising out of another person’s use of the Personal Information where we were authorised to provide that person with the Personal Information.
10 HOW TO ACCESS AND/OR UPDATE INFORMATION
10.1 Users of CancerAid can update their Personal Information from within their CancerAid account or profile.
10.2 Subject to the Australian Privacy Principles, an individual has the right to request from us the Personal Information that we have about them, and we have an obligation to provide them with such information within 28 days of receiving their written request.
10.3 If an individual cannot update her or his own information, we will correct any errors in the Personal Information we hold about an individual within 7 days of receiving written notice from them about those errors.
10.4 It is an individual’s responsibility to provide us with accurate and up to date Personal Information. We cannot be liable for any information that is provided to us that is incorrect.
10.5 We may charge an individual a reasonable fee for our costs incurred in meeting any of their requests to disclose the Personal Information we hold about them.
11. COMPLAINTS AND DISPUTES
11.1 If an individual has a complaint about our handling of their Personal Information, they should address their complaint in writing to the details below.
11.2 If we have a dispute regarding an individual’s Personal Information, we both must first attempt to resolve the issue directly between us.
11.3 If we become aware of any unauthorised access to an individual’s Personal Information we will inform them at the earliest practical opportunity once we have established what was accessed and how it was accessed.
12 CONTACTING INDIVIDUALS
12.1 From time to time, we may send an individual important notices, such as changes to our terms, conditions and policies. Because this information is important to the individual’s interaction with us, they may not opt out of receiving these communications.
13 CONTACTING US
13.1 All correspondence with regards to privacy should be addressed to:
The Privacy Officer
CancerAid Pty Ltd
Level 4, Chris O’Brien Lifehouse
119-143 Missenden Road, Camperdown NSW 2050, Australia
You may contact the Privacy Officer by email in the first instance.
14 ADDITIONS TO THIS POLICY