Data & Privacy Policy
The information that we collect and hold
If you are a customer we only collect and hold information about you which you give to us.
When you apply for one of our services, the information that you supply is stored on secure servers in a data centre which is ISO 27001 certified and of Tier 3 standard.
Your personal information (name, address, email) is held and used in accordance with the Commonwealth Privacy Act 1988. We use this data to deliver the service that you have purchased from us.
We will contact you regarding any survey that you have purchased from us. Once complete, we may contact you about repeating this survey (or a related one).
We do not contact you about any of our services unless you are an existing, registered customer.
When do we remove personal information?
Whenever you ask us to.
When it is no longer needed to fulfil our services to you (see below, ‘How long do we hold your personal information for?’).
When our Data Controller requests that we delete it.
How long do we hold your personal information for?
If you are a customer
It depends how long you need it for. We only hold personal information (name, contact details and other non-sensitive details) where necessary. For example, when you repeat a survey with us, we provide previous scores from earlier survey(s). We therefore hold your personal data according to survey cycle durations.
(If you request that we remove your personal data from our database and records, we will do so immediately.)
If you contact us
We keep a record of the correspondence for as long as the correspondence is active or for 3 months (whichever is shorter). Securely archived emails are kept for up to 4 years.
Email and information-sharing with you
We do not email (send or receive) sensitive data.
We use Microsoft Exchange (Office365), which is cloud-based and stored in ISO 27001 certified centres.
Survey Data Protection
Anonymous Surveys
The following RACGP Code of Practice statements are therefore adhered to:
- That patients are made aware that the information that they give will be used and what it will be used for.
- That patients are aware that they have a choice as to whether or not they give information.
The survey material and guidance we supply allows for these patient requirements to be met.
The questionnaires do not identify any patient. If a patient has written a comment on the questionnaire which may identify them, this comment is either excluded or anonymised by trained CFEP processors.
Data Protection of your colleague feedback
Colleague feedback is reported back to the applicant. We only share reports with those third parties requested by the applicant. These third parties are given access to reports in order for the applicant to meet the obligations and principles of revalidation and appraisal (for example, reports can be supplied to an appraiser or supporting medical colleague or college).
The only other circumstance in which we would share a report with a third party is if we were legally obliged to do so.
General Privacy and Security
CFEP has ISO 27001 information security and ISO 9001 data quality certification.
No personal information is used or kept by CFEP for the secondary purpose of audit or service evaluation. Anonymous survey data are held to contribute to aggregate data used as part of a wider analysis of overall trends and benchmarks. Analysis is at a ‘high’ level of (for example) region or type of clinical service.
No personal details (name, email address, postal address, phone number – business details included) will be exchanged between CFEP and any other party without explicit permission being sought and received from that data subject.
Personal data is not transferred to a country or territory outside of Australia without the express permission or request of the data subject, or in the data subject’s vital interests, or unless necessary for legal reasons.
There are no automated decisions made by us with respect to your personal data.
There are rare occasions where a patient may specifically ask that an issue is addressed to a general practice or other organisation (for example, where a patient sends an email or letter to CFEP). Where this is the case, if appropriate we ask the patient for consent in order for the information in the letter to be forwarded. The patient correspondence is then deleted or shredded.
CFEP will report any data breaches to the Australian Information Commissioner within 72 hours.
CFEP is obliged to keep any information it receives confidential at all times and is required to comply with the Commonwealth Privacy Act 1988 and the common law duty of confidence. This applies to any members of CFEP staff who have access to patient information.
All members of staff sign a confidentiality agreement and are bound by this agreement under their Terms of Employment.
Once entered or scanned, all paper questionnaires are securely destroyed by a reputable organisation in compliance with current Australian and New Zealand standards.
All data (survey results) are generated within the CFEP office only.
Very confidential information comes under a single management resource, whereby only one member of staff may release information to a customer.
Your rights
You can find out what information we hold about you, and ask us not to use any of the information we collect. Please feel free to contact us.
You have the right to withdraw your consent at any time, and can delete your account (and any data we hold about you) using the built-in tools on the site. You can also request a copy of any and all data that we hold about you. You also have the right to lodge a complaint with the Office of the Australian Information Commissioner if you feel that your rights have not been upheld.
Where you have given consent for us to use your personal information, you can withdraw that consent at any time.
If at any point you believe the personal information we hold on you is incorrect, you want us to correct or delete that information, or you no longer want us to hold that information or contact you, you can exercise your rights under law. These rights include:
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to data portability
- Right to object
For more information about your personal data rights please visit the Office of the Australian Information Commissioner website.
Changes to this Policy