Privacy & Security
Our 9 Steps to ensure your data security and confidentiality compliance.
01. All transported data is encrypted.
02. The ground floor of the main building has uniformed security guards to ensure no unauthorised entry.
03. At floor level, staff enter offices through electronic security.
04. All visitors are escorted whilst on the premises.
05. All employees sign confidentiality and non-disclosure agreements.
06. All files are transcribed in house.
07. All data servers are properly password protected.
08. All files are deleted once they are no longer of use.
09. All PCs are hardened – email is limited, data ports are disabled and printers are not available.
Access Transcription complies with the following Legislation/Regulations:
Privacy Act 1988 (Australian)
Data Privacy Act of 2011 (Philippines)
National Privacy Principles 9 (Trans-border data flows)
Good Medical Practice: A Code of conduct for Doctors in Australia
The Royal Australian and New Zealand College of Radiologists – Standards of Practice for Diagnostic Radiology version 10.2
Privacy Policy
1. Introduction
Access Transcription recognises the importance of privacy and we are committed to protecting the privacy of individuals when handling personal information.
As an Australian company, we are bound by the requirements of the Australian Privacy Principles (APPs) set out under the Privacy Act 1988 (Cth). For further information, please visit the Office of the Australian Information Commissioner website (www.oaic.gov.au).
By providing us with personal information you consent to our use in accordance with this policy. Please see contact details below if you have any queries or wish to discuss this policy further.
2. Personal information that we collect and hold
We are a medical transcription service provider. We provide this service through transcription services situated in the Philippines. As such, we collect and hold personal information for transcription (audio to text). This information often includes private and confidential medical information. In doing so, we receive from clients the sensitive information that is necessary for us to carry out our function properly.
From time to time we also collect information for the purposes of employment within the business. This can include details of your employment history, references supporting your work history and other employment related personal information.
Examples of the kinds of personal information that we handle include your name, date of birth, telephone number, street address, postal address, email address, marital status, previous and current medical history including medications.
Where you do not provide us with all or some of the personal information that we request, we may not be able to fully provide our services.
3. Clickstream data that we collect and hold
We use cookies, web beacons and other similar technologies to collect de-identified information about your visits to our website. We collect this information to improve user experiences browsing our Website.
When you visit our website we collect information about your server address, domain name, operating system, browser type, pages accessed, documents downloaded, previous visits, referring website, and visit date and time.
You may set your browser to disable cookies but some parts of our website may not function properly if cookies are disabled.
4. How we collect and hold personal information
We usually collect personal information when it is provided to us by a client that has requested services from us. For example, we collect information when we receive audio files from doctors requesting we transcribe the files from voice to text. When receiving audio files we are often also supplied other personal and sensitive information which we need in order to properly complete the service that we have been asked to perform.
Patient information including doctor voice files, demographics, reports, letters and file notes, is never held in paper-based format, rather it is held only digitally in our database. Patient information is held for ninety (90) days electronically on secure servers. After this period, the information is destroyed. No back-up copies are kept as these copies will be held by the client that engages our services. You can request an alternate period for holding patient data (including doctor voice files). If requested, data held by us will be destroyed after an agreed period (e.g. 7 days, 14 days, 30 days etc).
We also collect information supplied directly to us in our recruitment process. This occurs when you provide your resume to us to apply for a position available in the business. We may also collect your personal information from a third party or publicly available source where it is unreasonable or impracticable to collect the information directly from you. For example, we may collect your personal information from recruitment agencies and credit reference agencies.
Personal information outside of patient information can be collected in both physical and electronic storage facilities including paper-based files and computer databases.
5. How we use and disclose personal information
We disclose personal information collected to employees located in our offices in the Philippines, which can include:
- Medical Transcriptionists
- Medical Editors
- Trainers
- Quality Assurance Auditors
This information is disclosed for the purposes of performing our services where our client has authorised us to do so and only under strict privacy conditions.
We will not use or disclose personal information for any other purpose without consent except where required or authorised by law.
6. How we protect personal information
We will take all reasonable steps to protect personal information that we hold from misuse, interference and loss, as well as unauthorised access, modification or disclosure. We use both physical and electronic security measures. For example, we use the following methods:
- Our premises are secured by physical guarded security.
- Our premises are secured by locked doors requiring digital authorisation for entry.
- No data is stored overseas. Data is stored in Australia on our secure servers. These servers are properly password protected.
- All personal computers are “hardened”, meaning all data ports are disabled and no printers are connected or available in the office environment.
- Only management personnel have access to the internet and email on business computers containing data.
- We require all our employees to sign confidentiality agreements as part of their employment. Employees are also trained in Access Transcription’s Policies and Procedures.
- Data is stored on Amazon Web Services in the Sydney data centre and all data is automatically encrypted using Advanced Encryption Standard (AES) 256, a secure symmetric-key encryption standard using 256-bit encryption keys.
By providing us with personal information over the Internet you accept that such information will be transmitted at your own risk as the security of such information cannot be guaranteed.
We will not retain your personal information if we no longer need it for any purpose for which we may lawfully use or disclose it and we are not authorised or required by law to retain it.
7. Personal information access and correction
You may request us to provide you with access to any of your personal information that we hold. We may charge a fee for giving you access to your personal information upon request.
You should promptly notify us if you become aware that any of your personal information that we hold is inaccurate, out-of-date, incomplete, irrelevant or misleading.
8. Privacy Policy updates
We may update this Privacy Policy from time to time to take into account changes in our practices for the handling of personal information. We do so by publishing amended Privacy Policies on our website. You should regularly review the most recent version available online. You can contact us if you have difficulties accessing our policy.
9. Reports of Data Breaches
As we collect and handle sensitive data, the Privacy Act (Cth) requires us to assess any data breaches and report to the Office of the Australian Information Commissioner and to the individuals to whom the information relates.
A ‘data breach’ will occur where there has been unauthorised access, modification, disclosure, or other misuse of or interference with sensitive data that may pose the risk of serious harm to the affected individual.
If you or someone you know suspect there has been a data breach, please contact our Privacy Officer so that we can assess it.
If we are unable to contact affected individuals, in compliance with Australian privacy law we will post notices on our website.
10. Our contact details
If you require access to or seek correction of any of your personal information that we hold, have any queries, or wish to make a complaint about our handling of your personal information, please contact our Privacy Officer using the contact details below:
Privacy Officer
Jennifer Reduca
Phone: 1300 717 725
Email: jennifer@accesstranscription.com.au
Address: Level 3 Lantos Place, 80 Stamford Rd, Indooroopilly Qld 4068
Postal address: PO Box 165 Indooroopilly Qld 4068
This Privacy Policy is effective as of January 2018
Under Australian privacy law, complaints about our handling of your personal information must first be made directly to us. If we are unable to resolve your complaint, it must then be taken to a recognised external dispute resolution scheme and, lastly, to the Office of the Australian Information Commissioner.
Version 5 updated January 2018
Privacy Procedures
1. Scope
These Privacy Procedures apply to the collection, use, disclosure, storage and handling of personal information by officers, employees, contractors and agents of Access Transcription (“we”, “us” or “our”).
2. Interpretation
In these Privacy Procedures:
- APPs means the Australian Privacy Principles contained in the Privacy Act 1988 (Cth);
- personal information means information or an opinion about an identified individual or an individual who is reasonably identifiable; and
- sensitive information means personal information about an individual’s health (including health services provided to him or her), genetics, biometrics, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, or criminal record.
3. Privacy Officer
The person appointed as our Privacy Officer is:
Jennifer Reduca (Privacy Officer)
Phone: 1300 717 725
Email: jennifer@accesstranscription.com.au
Address: Level 3 Lantos Place, 80 Stamford Rd, Indooroopilly Qld 4068
Please contact our Privacy Officer if you have any queries or require any further information about these Privacy Procedures, our Privacy Policy or the APPs.
4. Open and transparent management of Personal Information
Our Privacy Officer is responsible for implementing practices, procedures and systems relating to our functions and activities:
- that ensure we comply with the APPs, our Privacy Policy and these Privacy Procedures; and
- that enable us to deal with any inquiries or complaints about our compliance with the APPs or our Privacy Policy.
Managers and supervisors are responsible for ensuring compliance with these practices, procedures and systems relating to our functions and activities.
Our Privacy Policy is available free of charge on our website. You must refer to our Privacy Officer any request to make our Privacy Policy available in any other form. Our Privacy Officer is responsible for taking reasonable steps to make our Privacy Policy available in any other form requested. Our Privacy Procedures (i.e. these documents) are not to be released to any person without the express written authorisation of the Managing Director of Access Transcription.
You must immediately refer to our Privacy Officer any complaint about our compliance with the APPs or our Privacy Policy. You must also immediately notify our Privacy Officer if you become aware of any actual or potential breach of the APPs, our Privacy Policy or these Privacy Procedures.
5. Anonymity and pseudonymity
You must give individuals the option of not identifying themselves or using a pseudonym when dealing with us in relation to a particular matter except where:
- you have obtained prior written approval from our Privacy Officer to deal with identified individuals where required or authorised by law; or
- it is impracticable to deal with individuals who have not identified themselves or who have used a pseudonym; or
- we are supplied those details by clients and have no other contact with the individual.
6. Collection of Personal Information
You must only collect personal information by lawful and fair means. You must not collect personal information about an individual unless:
- if the information is not sensitive information – the information is reasonably necessary for one or more of our functions or activities; or
- if the information is sensitive information – he or she consents to the collection of the information, which is reasonably necessary for one or more of our functions or activities; or
- if the information is sensitive information – the information is supplied directly by a third party who has obtained this information in the normal course of their business, and you are confident that this business has properly obtained this information and is using it in the manner for which it was originally intended; or
- you have obtained prior written approval from our Privacy Officer to collect the information where required or authorised by law.
You must keep a written record of any consent given by an individual to the collection of his or her sensitive information which includes his or her name, the date and time consent was given and the way in which the consent was given (e.g. in person, by telephone, etc.).
You must only collect personal information about an individual directly from him or her unless it is unreasonable or impracticable to do so. Where it is unreasonable or impracticable to collect personal information about an individual directly from him or her then you may collect the information from a third party, such as a client, or a publicly available source.
Where you receive any personal information that we have not solicited or have not received from clients in the ordinary course of our business then you must determine within a reasonable time whether or not we could have collected the information. If you determine that we could not have collected the personal information then you must destroy or de-identify the information as soon as reasonably practicable but only if it is lawful and reasonable to do so.
At or before the time or, if that is not practicable, as soon as practicable after, you collect personal information about an individual, you must take reasonable steps to notify him or her of (or otherwise ensure that he or she is aware of) the following matters:
- our identity and contact details;
- the fact that we collect or have collected the information and the circumstances of collection (except where the information was collected directly from him or her, or he or she is otherwise aware of the collection);
- if the collection of the information is required or authorised by law – the fact that the collection is so required or authorised;
- the purposes for which we collect the information;
- the main consequences (if any) for him or her if we do not collect all or some of the information;
- any other body or person to which we usually disclose information of the kind collected;
- that our Privacy Policy contains information about how he or she may access the information which is held by us and seek the correction of such information;
- that our Privacy Policy contains information about how he or she may complain about a breach of the APPs and how we will deal with such a complaint; and
- whether we are likely to disclose the information to any overseas recipients.
You must not permit any third party to collect any personal information on our behalf unless our Privacy Officer has given prior written approval of the privacy obligations applicable to the third party, so as to ensure that we comply with the APPs, our Privacy Policy and these Privacy Procedures in respect of the handling of such personal information.
7. Use and Disclosure of Personal Information
You must not use or disclose any personal information for any purpose other than for our functions and activities unless you have obtained prior written approval from our Privacy Officer that the use or disclosure is required or authorised by law.
If we hold personal information about an individual that was collected for a particular purpose (primary purpose) then you must not use or disclose the information for another purpose (secondary purpose) unless:
- he or she has consented to the use or disclosure of the information for the secondary purpose;
- if the information is sensitive information – he or she would reasonably expect the use or disclosure of the information for the secondary purpose, which is directly related to the primary purpose of collection;
- if the information is not sensitive information – he or she would reasonably expect the use or disclosure of the information for the secondary purpose, which is related to the primary purpose of collection; or
- you have obtained prior written approval from our Privacy Officer to use or disclose the information for the secondary purpose where required or authorised by law.
You must keep a written record of any consent given by an individual to the use or disclosure of his or her personal information for a secondary purpose which includes his or her name, the date and time consent was given and the way in which the consent was given (e.g. in person, by telephone, etc.).
You must not disclose any personal information to a third party unless our Privacy Officer has given prior written approval of the privacy obligations applicable to the third party, so as to ensure that we comply with the APPs, our Privacy Policy and these Privacy Procedures in respect of the handling of such personal information.
8. Direct marketing
If we hold personal information about an individual then you must not use or disclose the information for the purpose of direct marketing except where permitted in accordance with these Privacy Procedures.
You may use and disclose personal information (other than sensitive information) about an individual for the purpose of direct marketing where he or she has:
- consented to the use or disclosure of the information for this purpose or it is impracticable to obtain his or her consent; and
- not requested that he or she not receive direct marketing communications from us.
If we have collected personal information (other than sensitive information) about an individual for the purpose of direct marketing directly from him or her then you may also use and disclose the information for this purpose where he or she:
- would reasonably expect us to use or disclose the information for the purpose of direct marketing; and
- has not requested that he or she not receive direct marketing communications from us.
You may only use and disclose sensitive information about an individual for the purpose of direct marketing where he or she has:
- consented to such use or disclosure; and
- not requested that he or she not receive direct marketing communications from us.
You must keep a written record of any consent given by an individual to the use or disclosure of his or her personal information for the purpose of direct marketing which includes his or her name, the date and time consent was given and the way in which the consent was given (e.g. in person, by telephone, etc).
In each direct marketing communication you must include a prominent statement that an individual may make a request not to receive direct marketing communications from us or otherwise draw his or her attention to the fact that he or she may make such a request.
You must provide a simple means by which an individual may easily request not to receive direct marketing communications from us.
If you use or disclose personal information about an individual for the purpose of direct marketing then upon request you must provide him or her with details of our source of the information unless it is impracticable or unreasonable to do so.
9. Cross-border disclosure of personal information
Before you disclose any personal information about an individual to a third party overseas recipient you must provide prior written notice to our Privacy Officer and take any steps which he or she considers to be reasonable to ensure that the overseas recipient does not breach the APPs in relation to the information unless:
- you have obtained prior written advice from our Privacy Officer stating that he or she reasonably believes that the overseas recipient is subject to a law or binding scheme that protects the information in a substantially similar way to the way in which the APPs protect the information and the individual concerned can take action to enforce that protection;
- the individual concerned has consented to us disclosing the information to the overseas recipient without taking such steps; or
- you have obtained prior written approval from our Privacy Officer to disclose the information to the overseas recipient where required or authorised by law.
You must keep a written record of any consent given by an individual to the disclosure of his or her personal information to any overseas recipient which includes his or her name, the date and time consent was given and the way in which the consent was given (e.g. in person, by telephone, etc).
10. Adoption, use and disclosure of government related identifiers
You must not adopt an individual’s government related identifier as our own identifier unless you have obtained prior written approval from our Privacy Officer that the adoption of the identifier is authorised or required by law.
You must not use or disclose an individual’s government related identifier unless you have obtained prior written approval from our Privacy Officer that the use or disclosure is:
- reasonably necessary for us to verify the identity of the individual concerned for the purposes of our functions or activities; or
- authorised or required by law.
11. Quality of personal information
You must take reasonable steps to ensure that any personal information which you collect, use or disclose is accurate, up-to-date, complete and relevant.
12. Security of personal information
You must take reasonable steps to protect personal information that we hold from misuse, interference and loss and from unauthorised access, modification or disclosure.
You must take reasonable steps to destroy or de-identify personal information which we no longer need for any purpose for which we may use or disclose the information unless you have obtained prior written approval from our Privacy Officer that the retention of such information is required by law.
In relation to data stored on our servers at AWS in Sydney, by default patient data (including doctor voice files) must be destroyed 90 days after receipt of that data, unless an alternate time frame has been agreed with the provider of that data before that data is received (e.g. 7 days, 14 days, 30 days, 60 days, 90 days, 120 days).
13. Access to personal information
You must refer to our Privacy Officer any request by an individual for access to his or her personal information. Upon request, our Privacy Officer will provide an individual with access to his or her personal information that we hold unless:
- giving access would have an unreasonable impact on the privacy of other individuals;
- the request for access is frivolous or vexatious;
- giving access would be unlawful; or
- denying access is required or authorised by law.
Our Privacy Officer will respond to a request by an individual for access to his or her personal information within a reasonable time.
Our Privacy Officer will give an individual access to his or her personal information in the manner he or she requests if it is reasonable and practicable to do so.
If our Privacy Officer decides not to give an individual access to his or her personal information, or not to give such access in the manner requested by him or her, then our Privacy Officer will:
- take reasonable steps to give access in a way that meets both his or her and our needs (which may involve giving access through a mutually agreed intermediary); and
- give him or her a written notice that sets out the reasons for the decision (except to the extent that it would be unreasonable to do so) and the mechanisms available to complain about the decision.
We will not charge an individual for making a request to access his or her personal information.
14. Correction of personal information
You must take reasonable steps to correct personal information about an individual that we hold to ensure, having regard to the purpose for which we hold the information, that it is accurate, up-to-date, complete, relevant and not misleading where:
- you are satisfied that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading; or
- he or she requests us to correct the information.
If you correct any personal information about an individual that you have previously disclosed to another organisation which is subject to the APPs, and he or she requests you to notify the other organisation of the correction, then you must take reasonable steps to give that notification unless it is impracticable or you have obtained prior written advice from our Privacy Officer that it is unlawful to do so.
You must also refer to our Privacy Officer any request by an individual to correct personal information that we hold about him or her where you are not satisfied that his or her personal information is inaccurate, out-of-date, incomplete, irrelevant or misleading.
If our Privacy Officer decides not to correct any personal information that we hold about an individual then our Privacy Officer will:
- give the individual a written notice that sets out the reasons for the decision and the mechanisms available to complain about the decision; and
- upon request, take reasonable steps to associate with the information a statement, apparent to users, that it is inaccurate, out-of-date, incomplete, irrelevant or misleading.
You must respond within a reasonable time to a request by an individual to correct his or her personal information, or refer the request to our Privacy Officer so that he or she can respond within a reasonable time.
We will not charge an individual for making a request for the correction of his or her personal information or for associating a statement with the information.
15. Reporting Data Breaches
A data breach arises whenever personal information has been lost, interfered with, accessed, modified or disclosed without authorisation.
If you become aware of or suspect a data breach, you must immediately notify our Privacy Officer.
As of February 2018, the Privacy Act (Cth) has imposed mandatory reporting requirements. Our Privacy Officer will need to assess the incident and report as required within 30 days of the breach.
16. Privacy Officer – Data Breach reporting obligations
As of February 2018, it is mandatory under the Privacy Act (Cth) to notify the Privacy Commissioner and affected individuals in the event of a data breach that could give rise to a real risk of serious harm to the individual.
Serious harm will include serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation and other forms of harm that are a possible outcome of the data breach. To determine whether a reportable data breach has occurred, consider:
- the kind of Information and its sensitivity;
- whether the information is protected by any security measures and, if so, whether those security measures could be overcome;
- the person or kinds of persons (Recipients) who have obtained, or could obtain, the Information;
- whether the information was encrypted and whether the unauthorised Recipients have or could obtain the knowledge required to circumvent the security technology or methodology; and
- the likelihood that the unauthorised Recipients have the intention of causing harm to any of the individuals to whom the information relates.
Reporting is not required if immediate remedial action can be effectively taken prior to any serious harm occurring.
Suspicion of a data breach - Assessment
If aware of a data breach or there are grounds to suspect a data breach has occurred, the Privacy Officer is required to:
- carry out an immediate assessment of whether there are grounds to believe that there has been a data breach; and
- take all reasonable steps to ensure that the assessment is completed within 30 days of the event.
Reporting Requirements
Following assessment, if there has been a data breach the Privacy Officer must prepare a statement that sets out:
- the Privacy Officer’s employer and contact details;
- a description of the eligible data breach;
- the kind or kinds of Information concerned;
- recommendations about the steps that individuals should take in response to the eligible data breach; and
- the identity and contact details of any other entity that may have caused the breach.
HOW TO CONTACT THE OAIC
Telephone
1300 363 992 (local call cost, but calls from mobile and payphones may incur higher charges)
1800 620 241 (this number is dedicated to the hearing impaired only, no voice calls)
Post
GPO Box 5218
Sydney NSW 2001
Facsimile - +61 2 9284 9666
Email - enquiries@oaic.gov.au
Website - www.oaic.gov.au
The Privacy Officer is then required to take reasonable steps to notify the contents of the statement:
- to each of the individuals to whom the relevant information relates; and
- to each of the individuals who are at risk from the eligible data breach.
If neither of the above applies, a copy of the statement must be published online and reasonable steps must be taken to publicise the contents of the statement.
17. Privacy Procedure updates
We may update these Privacy Procedures from time to time. The current version of these Privacy Procedures will be available from our Privacy Officer.
These Privacy Procedures are effective as of January 2018 (version 5.0)