Privacy Policy

Who we are

Our web sites and the Doctors Control Panel business are owned and operated by Doctors Control Panel Services Pty Ltd (ACN 169 938 210) and/or Doctors Control Panel Holdings Pty Ltd. (ACN 169 938 238).

This document describes our policy about our management of personal information.

We run a several websites (doctorscontrolpanel.com.au, dcpresults.com and docnotes.com.au) which are all used to enhance our primary role of supporting doctors in general practice.

Currency and updates to this policy

This version of our policy is effective 27 June 2024 and has been updated to reflect inclusion of docnotes.com.au website and associated elements. We may update this policy from time to time. Any updated policy will be published on the site – please check the site for updates from time-to-time.

Our Approach to Information Privacy

DCP (software and websites) does not collect or distribute the personal data of any patient to third parties. DCP (software and websites) does not distribute the personal data of any end user to third parties but does use identifiers of users to manage licensing and other business related functions.

For clarification, personal data may include contact information, health information and other sensitive information see below [[#What is personal data]]

We have no interest in viewing, collecting, storing or otherwise processing any such personal data.

We do not report ANY data to ANY third party.

We collect only the minimal data on users to support basic business functions such as licensing and support.

What we do

Our business is in the development and commercial sale and licensing of the Doctors Control Panel Software which allows clinicians to better manage their patient encounters for the achievement of best practice, improved patient outcomes and the delivery of business benefits.

Two non commercial ancillary functions with respect to patient data

We develop specific research software tools to for universities that do allow enrolled consenting general practice participants of specific research projects to participate in de-identified data collection. This process involves rigorous scrutinisation by ethics review boards prior to release.

DCP software when running in Victoria and some other jurisdictions allows users to install and run Medscope HMR connector at the users discretion on the users desktop for purpose of making referrals to medscope HMR services, but DCP does not communicate with Medscope remote services.

About this Privacy Policy

This Privacy Policy describes how Doctors Control Panel Software Services Pty Ltd collects, holds, transfers, discloses and otherwise processes personal data and the steps that Doctors Control Panel Software Services Pty Ltd takes to secure the personal data that it holds. In this Privacy Policy, “we“, “our” and “us” are all references to Doctors Control Panel Software Services Pty Ltd

We are committed to complying with our privacy obligations in accordance with all applicable data protection laws, including the Australian Privacy Principles contained in Schedule 1 to the Privacy Act 1988 (the “Privacy Act“).

In this Privacy Policy, we detail the various types of personal data that we collect, hold, transfer, disclose and otherwise process. If we decide to change this Privacy Policy, we will post the updated version on this webpage so that you will always know what personal data we collect, how we might use that information, and whether we will disclose it to anyone.

What is personal data

In this Privacy Policy, “personal data” has the meaning given to the term “personal information” in the Privacy Act.

The Privacy Act defines “personal information” as information or an opinion about an identified individual, or an individual who is reasonably identifiable

(a) whether the information or opinion is true or not; and

(b) whether the information or opinion is recorded in a material form or not. Section 187LA of the Telecommunications (Interception and Access) Act 1979 extends the meaning of personal information to cover information kept under Part 5‑1A of that Act.

We follow the Article 4(1) of the GDPR(General Data Protection Regulation (GDPR) is a comprehensive data protection regulation implemented by the European Union (EU). While the GDPR itself is specific to the EU, it has significant implications for companies and organizations worldwide, including those in Australia, due to its extraterritorial scope.) which defines “personal data” as any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

The types of personal information we collect

Our policy is to minimise the amount of personal data we collect on users and otherwise process. We collect no personally identifiable data on patients. Accordingly, we only collect personal data that is adequate, relevant and limited to what is necessary for the purpose for which it is to be processed and only where we are entitled by law to collect it. We may also use collected personal data for other related, directly related or compatible purposes (if and where permitted by applicable law). We in all cases where patient uniqueness is required for storing de-identified statistics and incidental date do not use or store IHI, medicare, names, DOB, addresses, email address or other significant data. For purpose of sending SMS the mobile number of the patient is used at the time of sending sms and a hash stored on the server.

Our approach to patient personal data

We respect patient privacy. We are specifically disinterested in the personal or health data of any patient. We have no interest in viewing, collecting, storing or otherwise processing any such personal data. Our business is in the development and commercial sale and licensing of our eHealth solutions that allow clinicians to better manage their patient population for the achievement of best practice, improved patient outcomes and the delivery of business benefits to users of our eHealth solutions.

So that we can develop and enhance our eHealth tools, in some cases our software facilitates the storing of de-identified clinical information with the objective of improving population health outcomes. We develop the commercial tools to manage this but in no circumstances do we collect or otherwise process patient personal data in the usual course of our business. For example the Doctor Control Panel Software Application transfers data from clinical information systems (CIS) used by our clients to be used in communication results to patients but no third party has access to this information, it is stored encrypted, made only available to the end user enroled to view the information after logging in. And we do not collect or store this information beyond the period of making it available to the patient. Where our software is used to share personal data with third parties (such as primary health networks), we do not collect, view, hold or otherwise process any such patient personal data and the shared data is not sent on or via our computer networks or servers.

In exceptional circumstances we may utilise patient id number in aide of looking up information stored in de-identified format at the direction of an end user requiring additional support or while debugging issues. and/or quality assurance (QA) testing of our software products or to provide IT support to users of our software products. However, we will only gain access to patient personal data where we are provided with express written consent to do so. Where possible, we will only process de-identified patient personal data for such purposes and we will store all such data in high-security systems and destroy any such data that remains in our possession or control once development, QA and/or support is complete.

Personal data that we collect

We collect the following types of personal data:

1. User registration data: Users provide their name, practice name, email, address and practice phone number. This information is then stored within our licensing database for user account settings and e-commerce requirements. All information is encrypted and stored on a secure server. User contact details and registration data is also stored in our CRM for marketing and sales purposes and by IT support to log issues/installation requests etc. This includes the above information for user registration plus any account transactions or information inserted by our Account Managers and marketing team.

2. Usage data: Subject to applicable laws, we may carry out electronic surveillance of our employees and contractors when they use our computer equipment, smartphone devices and networks to monitor compliance with company policies. We also collect information about how employees and contractors use our software, websites and services. This surveillance includes tracking and monitoring, reviewing and logging emails sent and received, websites visited, content viewed and files uploaded/downloaded. It also includes IP addresses, server names, database names, usage patterns, network names, serial numbers of equipment used, WiFi passwords, computer names, application names, browser types, versions, browser plug in types and versions, operating systems and platforms, browser history, user access logs, usernames, passwords, technical support log tickets, bandwidth used, error messages, social media handles, FTP server addresses, usernames and passwords, hostnames, subnet masks, router names, server addresses, hosting account usernames and passwords.

3. Website analytics data: We collect and process personal data known as analytics data for analytical purposes, designed to measure and monitor how our websites are being used and to highlight any areas for improvement, optimisation and enhancement of our websites, including user location, IP addresses, cookie data, information about devices accessing our websites (IP address, the type of device used to access our websites and the operating system), the amount of time a user spent on our website and in which parts of it, and the path they navigated through it. We will process this personal data in order to monitor and detect unauthorised use of our websites, and to establish how our websites are used and to highlight areas for potential improvement of our websites. We often aggregate this data with other data. However, where the aggregated data is classified as personal information (or in the case of GDPR Data, personal data) we treat it in accordance with this Privacy Policy.

4. Cookies and other Tracking Technologies: We use cookies and other tracking technologies (such as traffic analytics) on our websites for website functionality, performance and advertising purposes. We will not place such tracking technologies on your computer, smartphone or electronic device without your consent, unless they are required in order for us to provide the functionality supplied by our websites. If they are not installed, features of our websites may be unavailable and your experience may be impaired as a result. Cookies are pieces of information that a website transfers to a computer’s hard disk for record-keeping purposes. We may use session cookies, which are only stored for a limited amount of time and persistent cookies that remain indefinitely until they are deleted. Such cookies may be installed by us or by our third contractors. Cookies enable us to remember and recognise you to better facilitate your user satisfaction when you visit our websites by helping us tailor and improve the information we present to you. The use of cookies is common in the Internet industry, and many major websites use them to understand your usage of websites, to customise websites for you, for statistical purposes and to provide useful relevant features, products, advertisements and services. A cookie may be used to tell when your computer or device has contacted our websites and extracts information such as your IP address, browsing pattern, content that you have viewed and browser type.

Who we collect personal data about

We collect personal data of:

• Any person who contacts us with enquiries about our services, whether by email, through contact forms on our website, face to face or by telephone
• people who download whitepapers and other content from our website
• our officers, agents, employees and subcontractors
• our clients, resellers and sales agents (and their officers, agents, employees and subcontractors)
• other parties to a transaction or dispute that we have entered into or are considering entering into or negotiating, and their representatives
• our suppliers and channel partners (and their officers, agents, employees and subcontractors)
• individuals who participate in our surveys
• employees, potential employees, subcontractors, potential subcontractors and work experience applicants
• any person where it is necessary to do so in order to provide the services that we are engaged or instructed by our clients to perform
• the representatives of other service providers and other third parties who may contact us about our clients and who we deal with on behalf of our clients
• patients (but only in exceptional circumstances) – please see above “Our approach to patient personal data”.

Management and use of De-identified data

1. In day to day use DCP software has access to local on-site clinical database for the purpose of managing patient encounters. This data is not transmitted or stored or otherwise processed by DCP software beyond encounter reporting and display.

2. When using dcpresults.com to communicate patient results, data is scrubbed of patient identifying information and stored encrypted on disk on a microsoft hosting server in australia and sms sent to patient with access code. Special functions require that some information be stored off-site for purpose of sending patient results. Specifically patient unique practice id(only identifiable within the sending practice - ie not IHI , medicare etc), mobile (hashed) and pathology tests (encrypted) are stored for a period on the dcpresults 'no sql' server in Australia and made available to the patient to view. All data is stored encrypted on disk and in transit. Disk storage uses the 'Always Encrypted' feature designed to protect sensitive data, such as credit card numbers or national/regional identification numbers stored.

3. Special functions managed by docnotes.com.au include transcription of voice to text and conversion to doctors notes. Audio data is processed in Microsoft Azure Australia East data center. No audio data is stored by Microsoft and Doctors Control Panel Services does not have access to the audio stream data. Following conversion to text the transcript is immediately processed to a short note which is returned to the users browser and desktop where it can be modified, re-converted and stored in clinical software. During transit between the user and server and back data is encrypted. The process of transmitting data whether audio or text is encrypted via SSL/TLS. Additionally all nonaudio data is encrypted via additional asymetric key encryption for the journey. Data transmitted back to the users desktop and DCP and displayed to the user is not stored on any server and it is up to the user to store the information by manually transferring the information in to clinical software.

During beta testing of docnotes.com.au, patient - doctor transcripts are stored for 48 hours, in encrypted format to allow beta testers access to fault diagnosis and tuning

How we collect personal information

We collect personal data in the following ways:

• when our clients and potential clients fill out forms with their personal data;
• when we take notes during meetings, interviews, telephone calls, conferences and events;
• through emails, letters and other correspondence and documents that we receive from clients, potential clients and others;
• when we are contacted by or communicate with any person online, through social media, email, communication tools such as Skype, online chat programs, blogs and the contact forms on our websites;
• when we are provided with completed surveys or questionnaires that we may distribute;
• when people apply for employment with us or offer to provide us with goods or services as suppliers and contractors (for example, potential employees will provide us with personal information that we will collect when they provide us with references, resumes and attend job interviews);
• when our employees, contractors and suppliers provide us with personal data;
• when our distributors, resellers and channel partners provide us with personal data that they collect about clients and potential clients;
• when we trade business cards with any person;
• when it is sent to us by our clients for the purpose of providing us with instructions or information necessary for us to process in order to provide services to our clients;
• when we create patterns, assumptions and profiles based on information provided by our clients to better market or provide services to our clients;
• when it is included in contracts that we enter into;
• through websites, public registers and directories such as telephone directories and business name and company searches;
• in the course of providing our services (for example, our software interfaces and communicates with a licensing server that we operate – this licensing server checks if a valid licence has been purchased by users of our software and locks users out of our software where a valid licence does not exist and to check for updates and new versions. We do not use any other form of automated-decision making in our business that relies on personal data);
• where any person voluntarily discloses it to us;
• where necessary for software development, quality assurance and IT support (please see above “Our approach to patient personal data”).

How we hold and use personal data

We hold personal data that we collect in our offices, computer systems, and third party owned and operated hosting facilities. We use personal data for the following purposes:

• in order to verify a person’s identity when we are contacted to ensure that we know who we are communicating with;
• to communicate with our potential clients, employees, subcontractors, channel partners, suppliers and colleagues, whether by telephone, email, post or otherwise;
• to provide clients with our services and to administer, maintain and answer questions and troubleshooting about our services;
• in order to send newsletters and other communications to our clients concerning our services, events and business opportunities;
• to send marketing material to clients and other individuals in our newsletter database who we believe may be interested in the content of our marketing material;
• to enforce our rights and comply with our contractual and other legal obligations;
• to issue bills and invoices to our clients and others, and to enforce the payment obligations of our clients to pay our fees;
• in order to consider a person as a potential employee or contractor (for example, by checking a person’s references or considering the persons’ resume and arranging interviews) and to pay our employees and contractors their wages, salaries, service fees and other entitlements;
• when conducting publicity campaigns;
• to handle complaints;
• to manage employee records;
• in order to process an application for our services;
• to identify clients and other individuals when we are contacted with questions or concerns regarding the products and services we provide;
• in order to configure a new service for our clients or as part of our service features;
• when conducting research and development of our products and services;
• in order to conduct checks for credit worthiness;
• for direct marketing purposes;
• where necessary for software development, quality assurance and IT support (please see above “Our approach to patient personal data”).

Who we disclose data to

We will only disclose personal data that we collect to third parties as follows:

• To hosting providers who host our websites and content – where necessary or practical to do so for the purposes of providing services to our clients or for the purposes of operating our business, we hold our clients’ content (such as the names of our clients) on third party computer servers in the data centres of our hosting providers.
• To other parties to a commercial arrangement where authorised or is necessary in order to provide our services – for example we may need to supply your name to the professional advisors of any regulator, including but not limited to, where a client authorises us to do so;
• To our resellers, distributors, agents and channel partners – we may appoint resellers, distributors, agents and channel partners to sell our products and services, or to manage parts of our business for us. In the course of those relationships, we may provide client or potential client personal data to them, or they may provide client or potential client personal data to us that they have collected for us;
• So that we can obtain assistance from our suppliers and corporate group with the provision of our services – in which case we may disclose your personal data to our suppliers and subcontractors as well as to members of our corporate group who we may subcontract the provision of all or part of our services to. For example, we may use printing providers who print documents on our behalf which contain personal data, couriers who deliver documents on our behalf which contain personal data, and share computers and computer servers which contain personal data with our related bodies corporate;
• Conducting publicity campaigns – in which case we may disclose your personal data to our marketing suppliers;
• Handling claims, legal disputes and complaints – in which case we may disclose your personal data to our insurers, lawyers, accountants and other professional advisors;
• Sending out a newsletter – in which case we may disclose your personal data to our email and newsletter service providers;
• In order to identify our Clients and end users – when we are contacted with questions or concerns regarding the products and services that we provide;
• In order to record billing details and process payments from our clients – in which case we will provide client bank account, cheques and credit card details to our bank and merchant facility providers;
• For professional advice – when providing information to our legal, accounting or financial advisors/representatives or debt collectors for debt collection purposes or when we need to obtain their advice, or where we require their representation in relation to a legal dispute;
• If we sell the whole or part of our business or merge with another entity – in which case we will provide to the purchaser or other entity the personal data that is the subject of the sale or merger;
• Where a person provides written consent to the disclosure of his or her personal data;
• Where required by law.

We do not disclose patient personal data to third parties in any circumstances

We may also provide your personal data to our lawyers, insurers and professional advisors and any court or administrative body, for one or more of the following purposes:

• To obtain or maintain insurance;
• The prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of a law imposing a penalty or sanction or breaches of a prescribed law;
• To protect or enforce our rights or defend claims;
• Enforcement of our claims against you or third parties;
• The enforcement of laws relating to the confiscation of the proceeds of crime;
• The protection of the public revenue;
• The prevention, detection, investigation or remedying of seriously improper conduct or prescribed conduct;
• The preparation for, or conduct of, proceedings before any court or tribunal, or implementation of the orders of the court or tribunal.
• Where disclosure is required to protect the safety or vital interests of employees, end users or property.

Notifiable data breaches

Since 22 February 2018, data breaches that are likely to result in serious harm must be reported to affected individuals and the Office of the Australian Information Commissioner (OAIC), except where limited exceptions apply. For the purposes of reporting, certain types of data breaches must also be reported to affected individuals if the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms. In addition, the GDPR requires organisations to report certain types of data breaches to the relevant supervisory authority. We will notify affected individuals, the OAIC and relevant supervisory authorities of any data breach where we are required to do so in accordance with our legal obligations.

Lawful basis of processing

Under the GDPR, GDPR Data can only be processed where there is a lawful basis to do so. We will only process GDPR Data where we have a lawful basis to do so. Except where specified otherwise in this Privacy Policy to the contrary or implied in this Privacy Policy to the contrary, we will only process personal data where necessary for our legitimate interests or the legitimate interests of a third party, where consented or expressly authorised by you or where we are required to do so pursuant to a contract or other legal obligation.

Third party websites and platforms

Our websites may include links to third party websites and platforms. Our linking to those websites and platforms does not mean that we endorse or recommend them. We do not warrant or represent that any third party website or platform operators comply with applicable data protection laws. You should consider the privacy policies of any relevant third party websites and platforms prior to sending your personal data to them.

You may interact with social media platforms via social media widgets and tools such as the Facebook Like button and the Facebook pixel that may be installed on our websites. These widgets and tools may collect your IP address and other personal data. Your interaction with such widgets and tools, and any single sign-on services such as Open ID is governed by the privacy policies of the relevant social media operators and single sign-on service providers – please read them so that you are aware of how they process your personal data.

Security

We take reasonable steps to protect personal data that we hold from unauthorised access, modification and disclosure and implement technical and organisational measures to ensure a level of protection appropriate to the risk of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed, as follows:

• We perform security testing (including penetration testing of our websites), and maintain other electronic (e-security) measures for the purposes of securing personal information, such as passwords, anti-virus management, multi-factor authentication, firewalls and antivirus software
• We maintain physical security measures in our buildings and offices such as door and window locks and visitor access management, cabinet locks, surveillance systems and alarms.
• We require all of our employees and contractors to comply with privacy and confidentiality terms and conditions in their employment contracts and subcontractor agreements that we enter into with them.
• We carry out security audits of our systems which seek to find and eliminate any potential security risks in our electronic and physical infrastructure as soon as possible
• If appropriate in the circumstances, taking into account the state of the art, the costs of implementation and the nature, scope, content and purpose of the processing, we pseudonymize and/or encrypt personal data
• We implement passwords and access control procedures into our computer systems
• We have a Data Breach Response Plan in place
• We have data backup, archiving and disaster recovery processes in place
• We have anti-virus and security controls for email and other applicable computer software and systems in place.

If you refuse to provide us with personal data

If you do not provide us with your personal data, you can only have limited interaction with us. For example, you can browse our websites without providing us with personal information, such as the pages that generally describe the services that we make available, and our Contact Us page. However, when you submit a form on our website, or become a client or otherwise enter into a business relationship with us, we need to collect personal data from you in order to identify who you are, so that we can provide you with services, and for the other purposes described in this Privacy Policy. You have the option of not identifying yourself or using a pseudonym when contacting us to enquire about our services, but not if you wish to actually obtain our services. It is not practical for us to provide you with our services if you refuse to provide us with personal data.

Spam email

We do not send “junk” or unsolicited e-mail in contravention of the Spam Act 2003 (Cth). We will, however, use e-mail in some cases to respond to inquiries, confirm purchases, or contact clients. These transaction-based e-mails are automatically generated. Anytime a client or visitor receives e-mail it does not want from us they can request that we not send further e-mail by contacting us via email at: privacy@pencs.com.au or using any ‘unsubscribe’ tool contained in any communication we send. Upon receipt of any such request, we will ensure that they cease to receive automated emails from us.

Data transfers for personal data

We may transfer your personal data entered into our websites to our contractors and service providers such as Microsoft Azure, who assist us with providing our products and services to you, and to assist us with the operation of our business generally, where we consider it necessary for them to provide that assistance.

Our service providers are all comnpliant with applicable Australian Laws and we use only Australian data centers.

Retention and de-identification of personal data

It is our policy to retain personal user data in a form which permits identification of any user only as long as is necessary for the purposes for which the personal data was collected; and for any other related, directly related or compatible purposes if and where permitted by applicable law. We will only process personal data that you provide to us for the minimum length of time permitted by applicable law and only thereafter for the purposes of deleting or returning that personal data to you (except where we also need to retain the data in order to comply with our legal obligations, or to retain the data to protect your or any other person’s vital interests). Where you require personal data to be returned, it will be returned to you at that time, and we will thereafter delete all then remaining existing copies of that personal data in our possession or control as soon as reasonably practicable thereafter, unless applicable law requires us to retain the personal data in which case we will notify you of that requirement and only use such retained data for the purposes of complying with those applicable laws.

Where the personal data is not GDPR Data and is personal information for the purposes of the Privacy Act 1988 (Cth), instead of destroying the personal information we may take such steps as are reasonable in the circumstances to de-identify the personal information that we hold about an individual where we no longer need it for any purpose for which it may be used in accordance with this Privacy Policy if the information is not contained in a Commonwealth record and we are not required by Australian law (or a court or tribunal order) to retain it.

Your rights under the GDPR

Under the GDPR, you have a number of rights, including:

• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling.
• Please contact us if you wish to exercise any of your rights under the GDPR. We will handle all such requests in accordance with our legal obligations. If you withdraw your consent for processing, object to the processing of your personal data or request us to erase your personal data and as a result it is not possible or practical for us to continue providing you with our services, we may elect to terminate our business relationship with you.

How to access and correct personal data held by us

Please contact us if you wish to access the personal data that we hold about you, using the details set out at the end of this Privacy Policy. We will handle your request for access to your personal data in accordance with our statutory obligations. To ensure that we only obtain, collect, use and disclose accurate, complete and up to date personal data, we invite you to contact us and inform us if any of your personal details we hold change or if any of the personal data held by us is otherwise incorrect or erroneous.We will provide you (or if you wish, another controller) with a copy of the personal data they we hold about you in a structured, commonly used and machine readable format. However, we will not charge any fee to access your GDPR Data where the GDPR prohibits us from doing so.

Our contact details

We are Doctors Control Panel Software Services Pty Ltd. If you wish to contact us for any reason regarding our privacy practices or the personal data that we hold about you, please contact us via help @ doctorscontrolpanel.com.au ph (03) 9013 5453

We will use our best endeavours to resolve any privacy complaint within ten (10) business days following receipt of your complaint. This may include working with you on a collaborative basis to resolve the complaint or us proposing options for resolution.

If you are not satisfied with the outcome of a complaint or you with to make a complaint about a breach of the Australian Privacy Principles you make refer the complaint to the Office of the Australian Information Commissioner (OAIC) who can be contacted using the following details:

Call: 1300 363 992

Email: enquiries@oaic.gov.au

Address: GPO Box 5218, Sydney NSW 2001

In relation to GDPR Data, you may lodge a complaint with any relevant supervisory authority.

Holding for placement

Doctors Control Panel Software does NOT participate in sharing of identified clinical information to any off-site services / partners /agencies / bodies / entities. Doctors Control Panel Services is committed to protecting your privacy, patient privacy and developing technology that gives you the most powerful and safe desktop and online experience. By using the Doctors Control Panel Services websites (doctorscontrolpanel.com.au and docnotes.com.au) and software(Doctors Control Panel Software) you consent to the data practices described in this statement. This Statement of Privacy applies to the Doctors Control Panel Services web sites and software. This Statement of Privacy governs and describes our data collection and usage.