Privacy Policy
Last updated: 4 May 2026
1. About This Policy
This Privacy Policy explains how Cloud9 Peak Health Pty Ltd (ABN 50 695 716 324), trading as Peak Health by Cloud9 ("we", "us", "our"), collects, holds, uses, and discloses your personal information, including sensitive health information.
Our principal place of business is [To be inserted prior to launch].
We are bound by the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) ("Privacy Act"), including the Notifiable Data Breaches (NDB) scheme under Part IIIC of that Act. We are also subject to applicable state and territory health records legislation.
A copy of the Australian Privacy Principles may be obtained from the website of the Office of the Australian Information Commissioner at www.oaic.gov.au.
2. What Personal Information We Collect
"Personal information" means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information is true or not. "Sensitive information" is a subset of personal information that includes health information and receives additional protections under the Privacy Act.
We may collect the following categories of personal information:
Identifying and contact information
- Full name, date of birth, and gender
- Residential and postal address
- Phone number and email address
- Emergency contact details
- Proof of identity documents (e.g. driver licence, passport)
Proof of identity information, and where necessary proof of identity documents, may be collected for identity verification, clinical safety, billing, prescribing, dispensing or legal compliance purposes. Where possible, we verify identity without retaining copies of identity documents unless retention is required or reasonably necessary.
Health and clinical information
- Clinical diagnoses and presenting concerns
- Consultation notes and clinical assessments
- Pathology and laboratory results
- Prescribing history and current medications
- Referral correspondence (to and from other practitioners)
- Health questionnaire and intake form responses
- Allergies, adverse reactions, and contraindications
- Care plans and treatment plans
- Medical history, including family medical history where relevant
Telehealth consultation metadata
- Date, time, and duration of each consultation
- Name of the consulting practitioner
- Mode of consultation (video or phone)
- Technical connection information (for troubleshooting purposes only)
Financial and billing information
- Medicare number and Individual Healthcare Identifier (IHI)
- Private health fund membership details
- Department of Veterans' Affairs (DVA) details, if applicable
- Payment card or bank details (processed securely by our payment provider)
- Billing and transaction records
Government identifiers and healthcare identifiers
We may collect and use Medicare numbers, Individual Healthcare Identifiers and other government-related identifiers only where reasonably necessary and authorised for healthcare, billing, claiming, identity matching, My Health Record, prescribing, pathology, pharmacy, audit or legal compliance purposes. We do not use Medicare numbers, Individual Healthcare Identifiers or other government identifiers as our general patient account number unless required or authorised by law.
Website and technical information
- IP address and browser type
- Pages visited and time spent on our website
- Cookie and analytics data (see our Cookie Policy for details)
Information about other people
If you provide personal information about another person, such as an emergency contact, family member, parent, guardian, carer or authorised representative, you must have authority to do so where required. We may use that information for the purposes described in this policy. Where reasonable and practicable, we will take steps to notify that person about our handling of their information.
3. How We Collect Your Information
We collect personal information directly from you wherever reasonably practicable. This includes information you provide when you:
- Complete a health questionnaire or intake form
- Attend a telehealth consultation (video or phone)
- Communicate with us by email, phone, or through our website
- Book an appointment through our online booking system
- Make a payment for our services
We may also collect information from third parties, including:
- Your referring general practitioner or other treating practitioners
- Pathology and diagnostic service providers
- Compounding pharmacies fulfilling prescriptions
- Medicare, the Department of Health, or private health insurers
- Your nominated emergency contact or authorised representative
Collection notice (APP 5)
At or before the time we collect your personal information, we will take reasonable steps to notify you of the following:
- Purpose: We collect your personal and health information for the primary purpose of providing clinical care and related health services (see Section 4 for further detail).
- Consequences of not providing: If you choose not to provide certain information, we may not be able to provide you with the full range of our health services. In some cases, we may be unable to provide care safely without accurate and complete health information.
- Third parties: We may disclose your information to the types of third parties listed in Section 7 of this policy.
- Legal requirements: Some of the information we collect is required by law, including under the Health Practitioner Regulation National Law, the Therapeutic Goods Act 1989 (Cth), Medicare legislation, and state and territory health records legislation.
- Access and correction: You may request access to, or correction of, your personal information as described in Section 13 of this policy.
- Complaints: If you wish to make a complaint about our handling of your personal information, the process is described in Section 14.
4. Why We Collect, Hold, Use, and Disclose Your Information
Primary purposes
We collect and use your personal information for the following primary purposes:
- Providing clinical care, including medical consultations, assessments, and follow-up
- Prescribing, where deemed medically appropriate by your clinician
- Coordinating your care with other healthcare providers (e.g. your GP, pharmacists, pathology providers)
- Managing your appointments and clinical records
- Processing payments and managing billing, including Medicare and health fund claims
- Communicating with you about your health care, including appointment reminders and follow-up
- Verifying your identity for clinical safety and legal compliance
Secondary purposes
We may also use your information for secondary purposes that are directly related to the primary purpose and reasonably expected, including:
- Internal quality improvement and clinical governance activities
- Compliance with legal and regulatory obligations (e.g. AHPRA reporting, TGA adverse event reporting)
- De-identified data for aggregated service evaluation and planning
- Training and professional development of our clinical team (using de-identified information only)
- Responding to lawful requests from regulatory bodies or courts
We will not use or disclose your personal information for a secondary purpose unless you would reasonably expect us to, you have given consent, or we are required or authorised to do so by law.
5. Anonymity and Pseudonymity
Under APP 2, individuals have the option of dealing with us anonymously or by using a pseudonym where practicable.
However, due to the nature of the health services we provide, it is generally impracticable for us to deal with individuals who have not identified themselves. Accurate identification is required to:
- Ensure the safety and continuity of clinical care
- Maintain accurate medical records and avoid clinical errors
- Comply with our legal and professional obligations under applicable health legislation, including practitioner registration requirements
- Meet the requirements of Medicare and private health insurance billing
- Fulfil prescribing, dispensing, identity verification, pharmacy, medicines safety and record-keeping obligations under applicable Commonwealth, state and territory laws, including medicines and poisons legislation, Medicare and PBS requirements, therapeutic goods requirements where applicable, and professional standards
If you are making a general (non-clinical) enquiry, you may do so without identifying yourself. We will inform you if identification becomes necessary to proceed with your request.
6. Unsolicited Personal Information
From time to time, we may receive personal or health information that we did not solicit. Where we receive unsolicited personal information, we will:
- Promptly assess whether the information is of a kind we could have collected under our standard collection practices and in accordance with the APPs
- If we could have collected the information, handle it in accordance with this policy
- If we could not have collected the information, destroy or de-identify it as soon as practicable, provided it is lawful and reasonable to do so
We will not use or disclose unsolicited personal information until we have completed this assessment.
7. Disclosure to Third Parties
We may disclose your personal and health information to the following types of third parties, where necessary for the purposes outlined in this policy:
Healthcare providers
- Compounding pharmacies that dispense prescribed medications
- Pathology and laboratory service providers
- Your referring general practitioner or other treating practitioners
- Hospitals or emergency services, where clinically necessary
Government and regulatory bodies
- Medicare and Services Australia
- Private health insurers (with your consent, for claims processing)
- The Therapeutic Goods Administration (TGA), medicine sponsors, pharmacies, manufacturers, pathology providers, state or territory medicines regulators, the Australian Health Practitioner Regulation Agency (AHPRA), National Boards or other regulators where required or authorised by law, including for suspected adverse reactions, product-quality issues, pharmacovigilance, mandatory notifications, investigations or legal compliance
- State and territory health departments, as required by law
- The Office of the Australian Information Commissioner (OAIC), in relation to data breach notifications
Service providers and platforms
- Cloud storage and hosting providers that store clinical and business records
- Telehealth video conferencing platform providers
- Email and communication platforms used to correspond with you
- Payment processors that handle billing transactions
- Appointment scheduling and practice management software providers
- IT support and cybersecurity service providers
Legal and professional
- Our professional advisors, including lawyers and accountants, where necessary
- Courts, tribunals, or regulatory bodies, where required by law or court order
- Professional indemnity insurers, in relation to claims or potential claims
We will not sell, rent, or trade your personal information to any third party for marketing purposes.
Direct marketing
We will not use your health information or other sensitive information for direct marketing unless you have expressly consented. We may send administrative and clinical communications relating to your care, such as appointment reminders, follow-up instructions, pathology reminders, safety notices and important service updates.
Marketing communications, including newsletters, product updates, programme information or promotional offers, will only be sent where permitted by law and will include a simple unsubscribe or opt-out option. We will not use your health information to target advertising, build marketing profiles or conduct remarketing without your express consent.
8. Cross-Border Data Transfer
Some of the cloud-based services we use to operate our practice may process or store data on servers located outside Australia. This may include:
- Video conferencing platforms used for telehealth consultations
- Email and communication services
- Cloud hosting and data storage platforms
- Payment processing systems
- Practice management and scheduling software
Where your personal information is transferred overseas, we take reasonable steps to ensure that the overseas recipient handles your information in accordance with the APPs, including by:
- Selecting service providers that maintain data security standards comparable to, or exceeding, Australian requirements
- Reviewing the privacy and security policies of our service providers
- Entering into contractual arrangements that require compliance with Australian privacy standards where practicable
- Preferring providers that offer data residency in Australia where available and appropriate
Some service providers may store, process or access personal information outside Australia, including in the United States, United Kingdom, European Union, and other jurisdictions where our technology providers operate. We take reasonable steps before disclosing personal information overseas, including privacy, security and contractual due diligence, and we remain accountable for overseas disclosures where required by the Privacy Act. You may contact our Privacy Officer for current information about specific countries.
9. Data Security
We take reasonable steps to protect the personal information we hold from misuse, interference, loss, and from unauthorised access, modification, or disclosure. Our security measures include:
- Encryption of data in transit (TLS/SSL) and at rest, where supported by our systems
- Role-based access controls, so that only authorised personnel can access personal and health information relevant to their role
- Multi-factor authentication for access to clinical and business systems
- Regular staff training on privacy, confidentiality, and information security obligations
- Secure password policies and regular review of user access permissions
- Use of reputable, enterprise-grade cloud platforms with documented security certifications
- Regular review of our security practices and response to emerging threats
Secure destruction
When personal information is no longer needed for any purpose for which it may be used or disclosed under the APPs, and we are not required by law to retain it, we will take reasonable steps to destroy or permanently de-identify the information. This includes secure deletion of electronic records and secure destruction of any physical records.
10. Cookies, Analytics and Tracking Technologies
We may use cookies, analytics and similar technologies to operate our website, understand website use, improve our services and maintain website security.
Because our website relates to health services, website activity may reveal sensitive health interests. We do not use third-party tracking pixels, remarketing tags or advertising cookies in a way that collects or discloses sensitive health information without express consent.
Where non-essential cookies, analytics tools, tracking pixels or advertising technologies are used, we will provide appropriate notice and consent options. You may manage cookie preferences through our cookie banner, browser settings or other tools we make available.
Further details, including the types of cookies used, purposes, providers, overseas disclosures and opt-out options, are set out in our Cookie Policy.
11. Retention of Clinical Records
We are required by law to retain clinical records for minimum periods. The applicable retention periods include:
- Adult patients: Clinical records must be retained for a minimum of 7 years from the date of last contact or last entry in the record.
- Patients who were minors: Clinical records must be retained until the patient reaches 25 years of age, or for 7 years from the date of last contact, whichever is later.
These obligations arise under state and territory health records legislation, professional registration standards, and the Health Records and Information Privacy Act 2002 (NSW) or equivalent legislation in your jurisdiction.
Different types of records may be subject to different retention periods. For example, records relating to controlled substances or certain notifiable conditions may have longer mandatory retention periods under specific legislation. Financial records are retained in accordance with the requirements of the Australian Taxation Office.
At the end of the applicable retention period, records will be securely destroyed or permanently de-identified in accordance with our data security practices.
12. Notifiable Data Breaches
Under Part IIIC of the Privacy Act 1988 (Cth), we are required to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals when we have reasonable grounds to believe that an eligible data breach has occurred. An eligible data breach arises where there is unauthorised access to, unauthorised disclosure of, or loss of personal information that is likely to result in serious harm to any individual to whom the information relates.
In the event of a suspected data breach, we will:
- Conduct a prompt assessment to determine whether the breach is an eligible data breach
- Where we have reasonable grounds to suspect that an eligible data breach may have occurred, take all reasonable steps to complete an assessment within 30 calendar days after becoming aware of those grounds
- If we have reasonable grounds to believe that an eligible data breach has occurred, notify the OAIC and affected individuals as soon as practicable
- Take reasonable steps to contain the breach and mitigate any harm
Breach notifications will include:
- The identity and contact details of our organisation
- A description of the data breach
- The types of personal information involved
- Recommendations about the steps that affected individuals should take in response to the breach
13. Access to and Correction of Your Information
Right of access (APP 12)
You have the right to request access to the personal information we hold about you. To request access, please contact our Privacy Officer using the details in Section 19 of this policy.
We will respond to your access request within 30 days. In order to protect your information, we may require you to verify your identity before releasing any records.
We will not charge a fee for making an access request. However, we may charge a reasonable administrative fee for providing copies of records (e.g. photocopying, postage, or staff time involved in compiling records). We will inform you of any applicable fee before proceeding.
Exceptions to access
In limited circumstances, we may refuse access to your information. This may include situations where:
- Providing access would pose a serious threat to the life, health, or safety of any individual
- Providing access would unreasonably impact the privacy of another individual
- The request is frivolous or vexatious
- The information relates to existing or anticipated legal proceedings and would not be discoverable in those proceedings
- Providing access would be unlawful, or denying access is required or authorised by law
If we refuse access, we will provide you with written reasons for the refusal and information about how to make a complaint.
Right of correction (APP 13)
You have the right to request that we correct any personal information we hold about you that is inaccurate, out of date, incomplete, irrelevant, or misleading. We will respond to correction requests within 30 days.
If we correct information that we have previously disclosed to a third party, we will take reasonable steps to notify that third party of the correction, unless it is impracticable or unlawful to do so.
If we refuse a correction request, we will provide written reasons and you may request that a statement of the correction sought be associated with the information.
14. Complaints
If you believe we have breached our obligations under the Australian Privacy Principles or handled your personal information inappropriately, you are entitled to make a complaint.
Internal complaint process
- Lodge your complaint: Contact our Privacy Officer using the details in Section 19. Please provide as much detail as possible about your concern, including dates, the information involved, and the outcome you are seeking.
- Acknowledgement: We will acknowledge receipt of your complaint within 5 business days.
- Investigation and response: We will investigate your complaint and provide you with a written response within 30 days of receipt. If we need more time to investigate, we will let you know and provide a revised timeframe.
External escalation
If you are not satisfied with our response, or if we have not responded within 30 days, you may escalate your complaint to:
- Office of the Australian Information Commissioner (OAIC):
Website: www.oaic.gov.au
Phone: 1300 363 992
- Your state or territory Health Complaints Commissioner: You may also lodge a complaint with the Health Complaints Commissioner (or equivalent body) in your state or territory if your complaint relates to the handling of health information.
15. Limits of Confidentiality
We treat all personal and health information as confidential. However, there are circumstances where we are required or authorised by law to disclose information without your consent. Confidentiality is not absolute, and disclosure may be necessary in the following circumstances:
- Serious and imminent risk of harm: Where we reasonably believe that the use or disclosure is necessary to lessen or prevent a serious threat to the life, health, or safety of any individual, or to public health or safety.
- Mandatory reporting of child protection concerns: All Australian states and territories have mandatory reporting laws that require certain professionals to report suspected child abuse or neglect to the relevant child protection authority.
- AHPRA practitioner reporting obligations: Under the Health Practitioner Regulation National Law, registered health practitioners have mandatory reporting obligations in relation to notifiable conduct by other practitioners, including where a practitioner's practice poses a risk to the public.
- Court orders and legal proceedings: Where we are compelled to produce records by a court order, subpoena, or other lawful process.
- Coronial investigations: Where information is required by a coroner in the course of an investigation.
- Communicable disease reporting: Where notification of certain communicable diseases is required under state or territory public health legislation.
Where we are required to disclose information without your consent, we will limit the disclosure to the minimum information necessary for the purpose.
16. Telehealth Services
Our clinical services are primarily delivered via telehealth, including video and phone consultations. This section explains how your information is handled in the telehealth context.
Nature of telehealth
Telehealth consultations involve the delivery of healthcare services remotely using secure communication technology. All telehealth consultations are conducted in real time (synchronous) by a registered health practitioner.
Before and during telehealth consultations, we may take steps to verify your identity, confirm who is present, explain the clinician's role, explain relevant billing and technology arrangements, and confirm whether telehealth is clinically appropriate. If telehealth is not clinically appropriate, your clinician may recommend in-person review, referral, urgent care or another pathway.
Information transmitted during telehealth
During a telehealth consultation, the following information may be transmitted:
- Audio and video data during the consultation
- Information you share verbally or visually during the session
- Documents, images, or health records you share via the platform
- Technical metadata such as connection timestamps and session duration
Recording policy
We do not routinely record telehealth consultations (audio or video). If recording is ever required for a specific clinical or legal purpose, we will obtain your explicit consent before any recording takes place. Clinical notes from each consultation are recorded in your medical file in the same manner as an in-person consultation.
Security of telehealth data
Our telehealth platform uses encryption to protect data transmitted during consultations. We select platforms that meet industry standards for healthcare data security. However, no technology is completely secure, and we cannot guarantee the security of data transmitted over the internet.
Consent to telehealth
By booking and attending a telehealth consultation with us, you consent to the delivery of healthcare services via telehealth, including the collection and transmission of your personal and health information through our telehealth platform. You may withdraw your consent to telehealth at any time by contacting us.
17. Digital Tools, AI and Automated Support
We may use digital tools to support intake, booking, administration, documentation, patient communications and clinical workflow. We do not use automated tools to make final clinical prescribing decisions without review by an appropriately registered and authorised practitioner.
If we use AI transcription, AI scribing, clinical decision-support tools, automated screening tools or similar technologies, we will notify patients where required, obtain consent where required, assess privacy and security risks, and ensure clinical outputs are reviewed by the practitioner before being relied on for clinical care.
18. My Health Record
We do not currently access or upload information to My Health Record. If this changes, we will update this policy and implement the required access, security and patient-notification procedures.
19. Contact Us
If you have any questions about this Privacy Policy, wish to make an access or correction request, or would like to lodge a complaint, please contact our Privacy Officer:
- Email: [email protected]
- Phone: 0447 999 929
- Post: Privacy Officer, Cloud9 Peak Health Pty Ltd, [To be inserted prior to launch]
20. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The updated version will be published on our website with a revised "Last updated" date. We encourage you to review this page periodically to stay informed about how we protect your information.
Where a change is material, we will take reasonable steps to notify you (for example, by email or by a notice on our website) before the change takes effect.