1 PURPOSE OF OUR POLICY
(a) Healthcare practitioners from a range of disciplines (Practitioners) to upload and share instructional videos, images and other content (Exercises) with their patients and clients (Patients).
(b) Practitioners to create and edit exercise and rehabilitation programmes (Exercise Programmes) for their Patients;
(c) Practitioners to send Exercise Programmes to Patients and monitor Patient progress;
(d) Patients can view Exercises, follow Exercise Programmes and log their progress;
(e) Practitioners and Patients (together Users) to communicate with each other;
Achieving the above requires Users to create, store and edit electronic health records on the Personal and Health Information of the Patient (EHR).
(a) Providing the system and services that TrackActive offers; and
(b) The normal day-to-day operations of our business.
(a) the right to be informed about the collection and use of your personal data
(b) the right of access to your personal data and any supplementary information
(c) the right to have any errors in your personal data rectified
(d) the right to have your personal data erased
(e) the right to block or suppress the processing of your personal data
(f) the right to move, copy or transfer your personal data from one IT environment to another
(g) the right to object to processing of your personal data in certain circumstances, and
(h) rights related to automated decision-making (i.e. where no humans are involved) and profiling (i.e. where certain personal data is processed to evaluate an individual).
2 WHO AND WHAT THIS POLICY APPLIES TO
2.2 We handle Personal Information of adults and children in our own right and also for and on behalf of our customers and users.
2.5 If, at any time, an individual provides Personal Information or other information about someone other than himself or herself, the individual warrants that:
(a) With respect to Personal Information about a child, they are that child’s “responsible person” as defined in the Privacy Act (namely a parent or guardian); and/or
(b) They have that person’s consent to provide such information for the purpose specified.
3 THE INFORMATION WE COLLECT
3.1 In the course of business it is necessary for us to collect Personal Information where we have a legitimate interest, pursuant to contract or with your consent. This information allows us to identify who an individual is for the purposes of our business, share Personal Information when asked of us, contact the individual in the ordinary course of business and transact with the individual.
3.2 We use a service called PORT to ensure that we collect and manage your personal data transparently, fairly and securely. In general terms, we collect the following data:
(a) data we have collected from you
(b) the basis on which we are holding it (e.g. because you gave us consent)
(c) what we will do with it
(d) how long we will hold it for
(e) where it is stored
(f) who it might be shared with
(g) your rights in relation to the data, and
(h) information on how you can access and manage this data.
3.3 Without limitation, the specific type of information we may collect is:
(a) Health Information. We may collect information for an EHR about the health, injuries, disability, health services, medical histories, prescriptions, allergies and other information about an individual defined as “health information” in the Privacy Act;
(b) Personal Information. We may collect personal details such as an individual’s name, location, date of birth, nationality, family details and other information defined as “Personal Information” in the Privacy Act that allows us to identify who the individual is;
(c) Contact Information. We may collect information such as an individual’s email address, telephone number, third-party usernames, residential, business and postal address and other information that allows us to contact the individual;
(d) Financial Information. We may collect financial information related to an individual such as any bank or credit card details used to transact with us and other information that allows us to transact with the individual and/or provide them with our services;
(e) Statistical Information. We may collect information about an individual’s online and offline preferences, habits, movements, trends, decisions, associations, memberships, finances, purchases and other information for statistical purposes;
(f) Digital / Device Information. We may collect your IP address and device-specific information, such as the hardware model, operating system version, advertising identifier, unique application identifiers, unique device identifiers, browser type, language, wireless network, and mobile network information (including the mobile phone number); and
(g) Information an individual sends us. We may collect any personal correspondence that an individual sends us, or that is sent to us by others about the individual’s activities.
4 HOW INFORMATION IS COLLECTED
4.1 Most information will be collected in association with an individual’s use of TrackActive, an enquiry about TrackActive or generally dealing with us. However we may also receive Personal Information from sources such as advertising, an individual’s own promotions, public records, mailing lists, contractors, staff, recruitment agencies and our business partners. In particular, information is likely to be collected as follows:
(a) Registrations/Subscriptions. When an individual registers or subscribes for a service, list, account, connection or other process whereby they enter Personal Information details in order to receive or access something, including a transaction;
(b) Accounts/Memberships. When an individual submits their details to open an account and/or become a member with us;
(c) Supply. When an individual supplies us with goods or services;
(d) Contact. When an individual contacts us in any way;
(e) Access. When an individual accesses us physically we may require them to provide us with details for us to permit them such access. When an individual accesses us through the internet we may collect information using cookies (if relevant – an individual can adjust their browser’s setting to accept or reject cookies) or analytical services; and/or
(f) Cookies/Pixel Tags. Cookies and pixel tags respectively enable us to analyse your use of the website and to send email messages in a format customers can read, and they tell us whether mail has been opened.
4.2 As there are many circumstances in which we may collect information both electronically and physically, we will endeavour to ensure that an individual is always aware of when their Personal Information is being collected.
4.3 Where we obtain Personal Information without an individual’s knowledge (such as by accidental acquisition from a client) we will either delete/destroy the information, or inform the individual that we hold such information, in accordance with the Australian Privacy Principles.
5 WHEN PERSONAL INFORMATION IS USED & DISCLOSED
5.1 The primary reason Personal Information is used or disclosed is to share EHRs with Practitioners. We will never use Personal Information in TrackActive for any other purpose than making the individual’s EHR available to authorised Practitioners. We will never use the information in an EHR for any marketing or commercial purposes, and we maintain all Health Information in the strictest confidence.
5.2 In general, the primary principle is that we will not use any Personal Information other than for the purpose for which it was collected other than with the individual’s permission. The purpose of collection is determined by the circumstances in which the information was collected and/or submitted.
5.4 It is necessary for us to disclose an individual’s Personal Information to third parties in a manner compliant with the Australian Privacy Principles in the course of our business, which includes:
(a) Sharing of EHRs. We may release the Personal Information in EHRs to authorised Practitioners, by giving them access to the EHR in TrackActive.
5.5 We will not separately sell an individual’s Personal Information to unrelated third parties under any circumstances without your express consent.
5.6 Information is used to enable us to operate our business, especially as it relates to an individual. This may include:
(a) The provision of goods and services between an individual and us;
(b) Verifying an individual’s identity;
(c) Communicating with an individual about:
i Their relationship with us;
ii Our goods and services;
iii Our own marketing and promotions to customers and prospects;
iv Competitions, surveys and questionnaires;
(d) Investigating any complaints about or made by an individual, or if we have reason to suspect that an individual is in breach of any of our terms and conditions or that an individual is or has been otherwise engaged in any unlawful activity; and/or
(e) Carrying out regulatory checks and meeting our obligations to our regulators;
(f) As required or permitted by any law (including the Privacy Act).
5.7 There are some circumstances in which we must disclose an individual’s information:
(a) As part of a sale (or proposed sale) of all or part of our business;
(b) Where we reasonably believe that an individual may be engaged in fraudulent, deceptive or unlawful activity that a governmental authority should be made aware of; and/or
(c) As required or permitted by any law (including the Privacy Act).
5.9 Notwithstanding anything to the contrary in this Agreement, nothing shall restrict us from collecting, analysing, using and sharing any User Content on an aggregated and anonymous basis. You consent to such use of aggregated and anonymised data.
6 HOW & WHERE DATA IS STORED
6.1 The data that we collect from you may be transferred to, and stored, outside of Australia and/or the European Economic Area (EEA) (as applicable) including with third parties. Personal information may also be transferred, processed and stored outside Australia and/or the EEA for data processing. By submitting your personal data, you agree to this transfer, processing and/or storage.
6.2 We utilise third-party service providers to process information, host or transmit a Patient’s EHR, communicate with an individual and store Personal Information about them. Such services we currently use include:
(a) Amazon Web Services: operated by Amazon Web Services Inc. (a company incorporated in the United States of America), which hosts TrackActive on servers that may be located in Australia, the United States of America and/or the United Kingdom;
(b) Mandrill: operated by The Rocket Science Group LLC, (a company incorporated in the United States of America) for email services.
(c) Mixpanel: who provide us with business and web analytics services.
(d) Helpscout: who provide us with helpdesk software and related services.
(e) MailChimp: who provide us with email services.
(f) Stripe: who provide payment processing services.
(g) Our subsidiaries and related companies in Australia (under this Policy) and Poland (EEA).
6.3 Any such information shall be processed on terms which are substantially the same as those under the GDPR and/or subject to the protection of the EU-U.S. Privacy Shield (to learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield List at https://www.privacyshield.gov/list).
6.4 You may choose to link your account with a third party (such as Facebook, LinkedIn, Twitter or Google+) to our services to enable certain functionality, which allows us to obtain information from those accounts (including your profile picture, friends or contacts). We are not responsible for the privacy practices of third parties. The information we may obtain from those services often depends on your settings or their privacy policies. We recommend that you read the privacy policies of third party service providers so you can understand the manner in which your personal information will be handled by these providers.
6.5 We will retain data for the period necessary to fulfil the purposes outlined in this Policy unless a longer retention period is required or permitted by law. Whilst the retention period varies according to the type of record, in respect of certain EHR in Australia and the United Kingdom we allow for 8 years from (i) the date of last treatment for adult records and (ii) for children eight years after their 18th birthday or until 25 years of age. In certain circumstances we may be legally required to maintain records indefinitely.
7 CONSENT TO COLLECTION OF DATA
7.1 An individual may opt to not have us collect their Personal Information. This may prevent us from offering them some or all of our services and may terminate their access to some or all of the services they access with or through us. They will be aware of this when:
(a) Opt In. Where relevant, the individual will have the right to choose to have information collected and/or receive information from us; or
(b) Opt Out. Where relevant, the individual will have the right to choose to exclude himself or herself from some or all collection of information and/or receiving information from us. An individual may revoke their consent at any time, and the decision to opt out will be made through the same media which allowed the individual to opt in.
7.2 If an individual believes that they have received information from us that they did not opt in or out to receive, they should contact us on the details below.
8 THE SAFETY & SECURITY OF PERSONAL INFORMATION
8.2 We will take all reasonable precautions to protect an individual’s Personal Information from unauthorised access. This includes appropriately securing our physical facilities and electronic networks.
8.4 TrackActive uses SSL encryption to store and transfer Personal Information. Despite this, the security of online transactions and the security of communications sent by electronic means or by post cannot be guaranteed. We also help keep your data secure by carrying out regular penetration testing, by following internal policies of best practice and training for staff, and by encrypting personal data. Each individual that provides information to us via the internet or by post does so at their own risk. We cannot accept responsibility for misuse or loss of, or unauthorised access to, Personal Information where the security of information is not within our control.
8.5 We are not responsible for the privacy or security practices of any third party (including third parties that we are permitted to disclose an individual’s Personal Information to in accordance with this policy or any applicable laws). The collection and use of an individual’s information by such third parties may be subject to separate privacy and security policies.
8.6 If an individual suspects any misuse or loss of, or unauthorised access to, their Personal Information, they should let us know immediately.
8.7 We are not liable for any loss, damage or claim arising out of another person’s use of the Personal Information where we were authorised to provide that person with the Personal Information.
8.8 In the unlikely event of a criminal breach of our security we will inform the relevant regulatory body within 72 hours and, if your personal data were involved in the breach, we shall also inform you.
9 HOW TO ACCESS AND/OR UPDATE INFORMATION
9.1 Users of TrackActive can update their Personal Information from within their TrackActive account or profile.
9.2 Subject to the Australian Privacy Principles, an individual has the right to request from us the Personal Information that we have about them, and we have an obligation to provide them with such information within 28 days of receiving their written request.
9.3 If an individual cannot update their own information, we will correct any errors in the Personal Information we hold about an individual within 7 days of receiving written notice from them about those errors.
9.4 It is an individual’s responsibility to provide us with accurate and truthful Personal Information. We cannot be liable for any information that is provided to us that is incorrect.
9.5 We may charge an individual a reasonable fee for our costs incurred in meeting any of their requests to disclose the Personal Information we hold about them if such a request is manifestly unfounded or excessive. We reserve the right to clarify the specific information your request relates to.
9.6 Information will be provided within one month of receipt of the request.
10.2 We use the following cookies:
(a) Strictly necessary cookies. These are cookies that are required for the operation of TrackActive. They include, for example, cookies that enable you to log into secure areas of TrackActive.
(b) Analytical/performance cookies. They allow us to recognise and count the number of visitors, track views of content and to see how users move around TrackActive when they are using it. This helps us to improve the way TrackActive works, for example, by ensuring that users are finding what they are looking for easily.
(c) Functionality cookies. These are used to recognise you when you return to TrackActive or when you have logged into TrackActive already. This enables us to personalise our content for you, greet you by name and remember your preferences.
(d) Tracking cookies. These enable us to track use of content from TrackActive (on third party services, such as posts on social media networks), in accordance with your third party settings.
(e) Targeting cookies. These cookies record your visit to TrackActive, the pages you have visited and the links you have followed. We will use this information to make TrackActive more relevant to your interests. We may also share this information with third parties for this purpose.
11 YOUR RIGHTS, COMPLAINTS AND DISPUTES
11.1 You have the right to object to:
(a) processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
(b) direct marketing; and
(c) processing for purposes of scientific/historical research and statistics,
unless we hold legitimate grounds for processing or the processing is for the establishment, exercise or defence of legal claims.
11.2 If an individual has an objection or complaint about our handling of their Personal Information, they should address their complaint in writing to the details below.
11.3 You have the right to lodge a complaint with a supervisory authority if you consider that the processing of your data infringes the GDPR.
11.4 If we have a dispute regarding an individual’s Personal Information, we both must first attempt to resolve the issue directly between us.
11.5 If we become aware of any unauthorised access to an individual’s Personal Information which is likely to result in a high risk for the rights and freedoms of the data subjects, we will inform the individual without undue delay after becoming aware of it, once we have established what was accessed and how it was accessed.
12 CONTACTING INDIVIDUALS
12.1 From time to time, we may send an individual important notices, such as changes to our terms, conditions and policies. Because this information is important to the individual’s interaction with us, they may not opt out of receiving these communications.
13 CONTACTING US
13.1 All correspondence with regards to privacy should be addressed to:
Data Protection Officer
Active Health Tech Ltd
191 Wood Ln
London W12 7FP
You may contact the Data Protection Officer by email in the first instance.
14 ADDITIONS TO THIS POLICY