Last updated 7 September 2020

Otago Clinical Audit (we, our or us in this Privacy Policy) is committed to maintaining the privacy of the information of its customers and other users of its software and services (Software and Services). We also take seriously the need to maintain the privacy of the medical information we collect and hold from time to time in connection with the Software and Services.

This Privacy Policy describes how we collect, use, store and distribute information about identified or identifiable persons (Personal Information), and other data. It describes the purposes for which we may use, disclose or hold such Personal Information and other data.

Information that we collect

During the course of our relationship with our customers and other users of our Software and Services, or the use of those Software and Services, we may collect the following information:

  • We may collect personal details from customers and other users during the course of their establishing and maintaining an account or user profile with us in connection with any Software and Services, such as customer names, user names, passwords, addresses, email addresses and phone numbers, and payment details.
  • We will collect patient data as a result of that patient data being inputted into the Software and Services, or otherwise being supplied by the relevant health organisation customer. See the “Patient Data” section of this Privacy Policy for more details of the types of patient data we collect, and what we do with that patient data.
  • We may collect other data that is inputted or uploaded by users into the Software and Services. This may include organisation staff details and other administrative information.
  • We may collect other Personal Information and data during the course or as a result of a customer's relationship with us, including where necessary to enable us to provide products and services to that customer or to respond to requests for further information.

How we use Personal Information and other data

We will use, disclose and hold Personal Information and data collected by us for the following purposes:

  • to enable us to provide the Software and Services for the benefit of customers and users
  • to provide technical support and administration services in relation to the Software and Services
  • to establish and maintain any user or customer account held with us
  • to complete sales transactions, including where necessary to calculate the fees due from a customer, to prepare and process invoices for those fees, and as otherwise necessary for billing and payment purposes
  • to respond to queries or requests from customers and users for additional information or support
  • to provide any after-sales service required by a customer or user
  • to maintain our records
  • to keep customers informed about products, services, events, promotions or any other marketing activities, but only to the extent permissible under applicable laws, and subject to any other restrictions contained in this Privacy Policy
  • for product development or research purposes
  • to evaluate customer satisfaction and the performance of marketing activities.

Patient Data

During the course of providing the Software and Services we will collect information about patients who have been admitted or referred to the relevant health organisation customer of our Software and Services. This information may include (without limitation) the patient's name and contact details, their mental status, details of their next of kin, information about their general practitioner, demographic information, patient notes, laboratory results, and other clinical information (together the Patient Data).

Patient Data will usually be stored on the servers of the relevant health organisation customer. However, we may also need from time to time to access, use, disclose and hold Patient Data.

  • We may retrieve aggregated patient admission data from the Software and Services in order to invoice the relevant health organisation customer for its use of the Software and Services. We do not include in our invoices any patient-identifying information, and all patient admission data held on our systems for such purpose will be anonymised.
  • Our developers and ICT service providers may need to access Patient Data as necessary to provide support and maintenance services, or other services on behalf of the relevant health organisation customer.
  • We may also send Patient Data to Binational Colorectal Cancer Audit (BCCA), the Australian Council on Healthcare Standards (ACHS), and the New Zealand Blood Service (NZBS).
    • Both BCCA and ACHS are based in Australia.
    • BCCA uses Patient Data for the clinical audit of the surgical practices of Australian and New Zealand surgeons for the purpose of quality assurance. The audit also works towards creating a large dataset to be used for research and quality improvement purposes, with the aim of advancing knowledge and understanding of treatment for colorectal cancer. For more details about how BCCA keeps Patient Data secure see here
    • ACHS is a not-for-profit organisation dedicated to improving quality in health care, and works with health care professionals, consumers, and government and industry stakeholders to develop and continually review health standards. For more details of ACHS's privacy practices see here
    • In the case of Patient Data to be sent to ACHS, we also send the patient's NHI number to the New Zealand Blood Service (NZBS), who will notify us if the patient has received a blood transfusion. For more details of NZBS's privacy and data practices see here
    • In providing Patient Data to BCCA, ACHS and NZBS, we act as an intermediary for our health organisation customers.
  • We may also access, use, process and disclose Patient Data to the extent necessary to provide customised reports or data sets to the relevant health organisation customer at the request of that customer.
  • We may retain copies of the Patient Data on our systems, but these systems are only accessible by our employees and ICT service providers.

We will not use or disclose Patient Data for any purpose not permitted under this Privacy Policy, without the consent of the relevant health organisation customer.

We may disclose who our organisation customers are

We may disclose information to third parties about which organisations are our customers for the Software and Services, unless we have agreed with those organisations not to do so.

Lawful basis for processing Personal Information

We will always make sure that we have a lawful basis for the processing of Personal Information.

In particular, we may need to process Personal Information to pursue our legitimate business interests. This includes to enable us to provide the Software and Services for the benefit of users and customers. In claiming legitimate business interests to process Personal Information, we will balance those legitimate business interests against the interests of the data subjects – which may in some cases override our legitimate business interests.

Cookies

The Software and Services may use cookies. “Cookies” are small text files that are placed on computers, devices or browsers used to access websites, software, apps or other internet content. The Software and Services may use cookies to remember information about a user's personal preferences and user settings for the Software and Services, to analyse traffic and trends, and to generally understand the behaviours of people who use the Software and Services.

Our cookies will only use information about a user's personal preferences and user settings so that the Software and Services will remember the user's details next time the user visits.

A user of the Software and Services may be able to change the settings on the device that they use to access the Software and Services in order to reject or limit the use of cookies, but this may reduce the functionality of the Software and Services.

Statistical data that we collect

During the use of the Software and Services by any person we may collect statistical data about such use, such as the date, time and length of use, the locations on the Software and Services that the user visits, and information about the device the user is using to access the Software and Services.

We may use and disclose such statistical data for the following purposes:

  • to measure the effectiveness of any services or features provided via the Software and Services
  • to identify user behaviour and user trends on the Software and Services
  • to maintain and optimise the technical performance, operation and security of the Software and Services
  • to assist in resource planning.

Business acquisition

We may transfer Personal Information and other data to another entity in connection with a sale of our business or assets, or a merger or consolidation or restructuring of our business or company, or any other transaction in which a third party acquires ownership of any rights in the Software and Services.

If we transfer any Personal Information or other data in such circumstances, we will ensure that such Personal Information and other data remain protected and that the recipient of that Personal Information and other data agrees to be bound by privacy practices and obligations that are consistent with our own under this Policy.

Disclosure of information to third parties

We will not use Personal Information or other data, or disclose Personal Information or other data to third parties, except:

  • to the extent reasonably necessary to achieve any of the purposes described in this Privacy Policy, or
  • where we reasonably believe that such use or disclosure is required or expressly permitted under any applicable law.

Holding Personal Information

We will not hold any Personal Information and other data for longer than is reasonably required for the purposes for which we may lawfully use that Personal Information or data.

Following any such period, we will delete such Personal Information, or mask or anonymise such Personal Information so that it can no longer be used to identify any individual.

Security

We will use all reasonable endeavours to effect and maintain adequate security measures to safeguard Personal Information and other data we hold from loss or unauthorised access, use, modification or disclosure.

Transfer of Information

We may transfer the information described in this Privacy Policy to or from other countries where necessary to enable us to operate the Software and Services, and to supply any products or services ordered by a customer.

In particular, we may transfer Patient Data to BCCA and ACHS, based in Australia. See the “Patient Data” section of this Privacy Policy for more details of the circumstances in which we may transfer Patient Data to BCCA and ACHS.

The European Commission has recognised New Zealand and the United States (limited to the Privacy Shield framework) as providing adequate protection for the personal data of European Union subjects.

We will ensure that appropriate safeguards are in place as prescribed by the European Union's General Data Protection Regulation (GDPR), before we transfer any Personal Information of any European Union subjects to any data processor based in any country that the European Commission has not recognised as providing adequate protection for the personal data of European Union subjects.

Use of third-party websites

If a user of the Software and Services accesses any third-party websites via a link from any of the Software and Services, that user will leave the Software and Services. By accessing these links the user is not covered by the policies relating to the Software and Services. We are not responsible for the content of any third-party websites, or their use of a user's Personal Information or other data.

Customer privacy practices

We have no control over the privacy practices of health organisation customers for the Software and Services. In particular, we cannot control what such health organisations may do with the information users input or upload into the Service, or the information that is provided to such health organisations in connection with the Software and Services. It is the responsibility of any person providing Personal Information or other data to such health organisation to ensure that the organisation has appropriate privacy practices in place that protect that Personal Information or data from misuse and unauthorised disclosure.

Your rights to access, correct and delete Personal Information

You have rights to information about your Personal Information that we collect and process. This information includes:

  • details of the Personal Information that we collect and process, including the categories of Personal Information concerned, and purposes of any processing
  • the recipients or categories of recipient to whom the Personal Information has been or will be disclosed
  • where possible, the envisaged period for which the Personal Information will be stored, or, if not possible, the criteria used to determine that period
  • where your Personal Information is not collected from you, any available information as to the source of that Personal Information.

You also have the right to request from us the rectification or erasure of your Personal Information, to request from us the restriction of processing of your Personal Information, and to object to our processing of your Personal Information.

If you want to access, correct or seek the erasure of your Personal Information or data, please contact us (see below) and we will tell you how to make a request and if any charges will apply.

Amendments to the Privacy Policy

We may amend this Privacy Policy from time to time. Any such amendments will be effective immediately, unless we state otherwise. We will take reasonable steps to notify users of any such amendments.

A customer's or user's continued use of the Software and Services after any such notice will constitute acceptance of any amendments or revisions to this Privacy Policy.

You should periodically review this Privacy Policy for the latest information about our privacy practices.

Who we are

Otago Clinical Audit is a part of the University of Otago. Our full contact details are:

PO Box 56
Dunedin 9054
New Zealand

Tel +64 3 470 9850
Email clinical.audit@otago.ac.nz
