PRIVACY POLICY

1.1	Privacy Framework

ConcertRX Pty Ltd ABN 77 659 713 176 (ConcertRX) has developed and operates the ConcertRX® patient journey application to enable pharmacies to send pharmacy patients/customers just-in-time updates via SMS messages (ConcertRX App). ConcertRX recognises the importance of privacy and is committed to the management and handling of Personal Information and Sensitive Information in an open and transparent way in compliance with the Australian Privacy Act 1988 (Cth) (Privacy Act).  This policy creates a framework to ensure that any Personal Information ConcertRX holds is collected, used, stored and disclosed in accordance with the Australian Privacy Principles in the Privacy Act and with any other relevant federal or state and territory legislation relating to privacy, whether or not specific to the health sector. 

ConcertRX ensures that all Personal Information is held securely in accordance with this Privacy Policy and privacy laws and is treated with respect and care. You have the right to contact us to access or correct your Personal Information. We encourage you to contact us if you have questions or concerns about your privacy or how your Personal Information is handled by ConcertRX.

In addition, ConcertRX assesses whether the GDPR applies to any personal data it collects, processes or stores. Accordingly, please notify ConcertRX in writing if you are currently, or in the future become, a resident of the European Union, so that ConcertRX can assess whether any Personal Information it holds falls within the scope of the GDPR.

1.2	Scope

This Privacy Policy applies when you sign up for, access, or use ConcertRX’s products and solutions, and in relation to Personal Information ConcertRX may otherwise collect during the course of our business, or that a ConcertRX user may enter into the ConcertRX App, as set out in this Privacy Policy.
 
ConcertRX may amend the Privacy Policy at any time, with effect from the time the updated version is posted on ConcertRX’s website.  

This policy does not apply to the handling of Personal Information about ConcertRX employees, which is the subject of a separate policy.

ConcertRX may access, collect and hold information about individuals who may be customers, pharmacy employees, customers of pharmacies, job applicants, business contacts and others. 

The information ConcertRX typically collects, holds and processes is detailed below.

2.1	Pharmacy Customers and Potential Customers

•	Information obtained when you access ConcertRX’s website or the ConcertRX App
•	Information obtained during sales calls and presentations, such as name, contact information, role/position details, summary of discussions
•	Pharmacy users – name, contact information, pharmacy details, personal identification
•	Information for processing payments via Stripe
•	Pharmacy contact details – address, email, phone number, ABN
•	Pharmacy IP address
•	Responses to customer surveys
•	Social media information

2.2	Customers of Pharmacies

•	Information obtained when a pharmacy inputs pharmacy customer details into the ConcertRX App, including:
o	Patient and/or Carer name
o	Patient and/or Carer mobile phone number
o	Prescribed or dispensed medication
o	Details of other pharmacy products purchased
o	Dates of visits to pharmacy

2.3	Other Business Contacts

•	Name, business address, ABN
•	Contact information for relevant personnel, including telephone number(s) and email address(es)
•	Work, professional and employment references, reports and assessments
•	Information from public domain websites
•	Financial and other information obtained from credit checks and reports
•	Bank information for payment of invoices
•	Vaccination status for COVID-19 or other relevant public health/pandemic instances, where you will attend ConcertRX offices or have face-to-face contact with ConcertRX personnel or customers

2.4	Job Applicants

The types of Personal Information ConcertRX collects from job applicants, including for both employment and contract positions, may include:

•	Employment history and qualifications
•	Contact information, including email address, phone number(s) and residential address
•	Opinions about suitability for employment from referees and previous employers
•	Taxation and banking details and superannuation fund details
•	Information from public domain and social media websites
•	Identification information, such as driver licence/passport details and date of birth
•	Confirmation of working rights (for non-Australian residents)
•	Vaccination status for COVID-19 and/or other pandemics
•	AHPRA registration data
•	“Right to work” check to ascertain right to reside and work in Australia
•	Police clearance, where required for employment in customer-facing roles
•	Vaccination status for COVID-19 or other relevant public health/pandemic instances, where relevant for the performance of the role being applied for 

Job applicants have the right to not disclose Personal Information; however, ConcertRX may not be able to assess a candidate’s suitability for employment when it does not receive all necessary information. ConcertRX will only disclose the Personal Information of job applicants to third parties with the consent of the job applicant, or as otherwise permitted in limited circumstances by law. Once a position has been filled, all applications received by ConcertRX are filed and kept in ConcertRX’s human resources files.

The following information, if previously collected, will not be retained for applicants who do not commence employment or a contract position with ConcertRX: bank account details, driver licence/passport, Tax File Number, superannuation fund details, next of kin.

3.1	How Will ConcertRX Collect Your Personal Information 

Wherever possible, ConcertRX will collect Personal Information about you directly from you. Nevertheless, on some occasions ConcertRX may collect your Personal Information from other sources, such as: 

•	Your pharmacy
•	Third party agents or data providers
•	Public domain websites on the Internet 
•	Publicly available directories and listings 
•	Newspapers, magazines, professional journals and the electronic media
•	Interactions with ConcertRX via various social media sites
•	Personal interactions and/or communications with ConcertRX employees and/or contractors

Personal Information about you which ConcertRX collects and holds may vary depending on your particular interaction with ConcertRX and will be for a legitimate business purpose. This may include financial and health Sensitive Information.

3.2	Collection of Your Personal Information Through ConcertRX’s Website

ConcertRX’s website may provide for direct input of Personal Information under some circumstances. In addition, ConcertRX’s websites make use of ‘cookies’, which are small text files that are stored in the visitor’s local browser cache. This enables recognition of the visitor’s browser to optimise the website and simplify its use. Most browsers are set up to accept these cookies automatically; however, you can deactivate the storing of cookies or adjust your browser to inform you before a cookie is stored on your computer. Data collected via cookies will not be used to determine the personal identity of the website visitor.

ConcertRX collects non-personally identifying information from web browsers and servers, such as the browser type, language preference, referring site, and the date and time of each visitor request. This helps ConcertRX better understand how visitors use its website. ConcertRX may release aggregated non-personally identifying information and may use third-party services such as Google Analytics to collect and store this information.

ConcertRX expects to increasingly make use of web analytics, including analysis by third-party service providers, which may use IP addresses. While this may in some circumstances be ‘Personal Information’, neither ConcertRX nor the service providers have any interest in an individual’s browser activities and will not use the information to identify website visitors or take any action targeted at individuals without having obtained that person’s consent.

3.3	How Will ConcertRX Hold and Use Your Personal Information

ConcertRX may disclose information about you in the course of any of the uses described above, including to related businesses and third-party service providers for routine business purposes, such as credit card processing, fraud management services, order fulfillment, IT services, email service providers, data hosting, customer support, customer surveys, marketing, data processing and validation, data storage or archiving, printing and mailing. ConcertRX will use only reputable service providers and will ensure that it enters into appropriate contractual provisions with service providers to safeguard your privacy. 

4.1	Overseas Recipients 

ConcertRX engages with a number of third-party service providers who have global operations, such as Shopify, Facebook, Mailchimp, AWS, Xero, Zendesk. In the context of routine work with its international service providers, ConcertRX may transfer your Personal Information to ConcertRX service providers located outside of Australia. Under these circumstances, your Personal Information will always be stored in a secure manner which is at least as robust as the practices followed by ConcertRX in Australia. 

4.2	European General Data Protection Regulation (GDPR)

If you are a European resident, ConcertRX may be subject to the GDPR in relation to Personal Information it holds about you. Accordingly, we request that you notify us if you are a European resident when you transfer your Personal Information to us or if you are aware that we are collecting your Personal Information. Your Personal Information will still be subject to the same information security standards as are applied to all Personal Information held by ConcertRX. However, we may manage your Personal Information in a different manner to take account of data portability entitlements and other GDPR-specific requirements, as outlined in ConcertRX’s Privacy Policy.

5.1	Data Security 

ConcertRX uses technical and organisational security precautions to protect your data from misuse, interference or loss and from unauthorised access, modification or disclosure. ConcertRX’s cybersecurity procedures are regularly reviewed based on new technological developments to ensure that any Personal Information that is provided to ConcertRX by you through ConcertRX’s systems will be protected against possible misuse by third parties. In the event of an actual or suspected data breach, ConcertRX will follow the procedures outlined in its Mandatory Data Breach Response Plan, including:

•	containing the Data Breach
•	conducting a risk assessment to assess the severity rating of a suspected or known Data Breach
•	assessing whether an Eligible Data Breach has occurred

If an Eligible Data Breach has occurred, ConcertRX may report the Data Breach to third parties as required by the Privacy Act, or to other ConcertRX business partners or service providers. ConcertRX will contact you if you have been personally impacted by an Eligible Data Breach.

5.2	Data Retention

ConcertRX will maintain your Personal Information for as long as is necessary to fulfil the purposes for which it was collected and for additional legal purposes related to ConcertRX’s legitimate business interests. If ConcertRX becomes aware that you are a European resident, it will ensure that your personal data is kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. ConcertRX will delete from its records Personal Information which is no longer required.

5.3	Data Access and Correction
 
You may request access to Personal Information ConcertRX holds about you at any time. If you believe your Personal Information is inaccurate, out of date, incomplete, irrelevant or misleading, you may request to have it corrected and/or supplemented.

Requests to access or correct Personal Information should be sent to the Privacy Officer. Please provide as much detail as possible to assist in the location of information ConcertRX may be holding about you, such as your name, contact details, any former name(s), and if possible the context, for example, your relationship with ConcertRX. Please specify if you are seeking access to specific Personal Information.
 
ConcertRX will respond to your request within 30 days of receipt or within any further time notified to you in writing, or if you are a European resident, will correct any of your inaccurate personal data without undue delay. ConcertRX will take reasonable steps to verify the identity of any person requesting access to or correction of their Personal Information to ensure that the person making the request is actually the data subject.

5.4	Deletion of Data 

You may notify ConcertRX at any time if you do not wish ConcertRX to retain your Personal Information. ConcertRX will comply with all such requests wherever practicable and lawful. ConcertRX will take reasonable steps to verify the identity of any person requesting erasure of their Personal Information to ensure that the person making the request is actually the data subject. If you are a European resident, ConcertRX will correct any of your inaccurate personal data without undue delay where the right to be forgotten applies.

6.1	Complaints 

All complaints regarding your Personal Information should be made in writing to ConcertRX’s Privacy Officer. ConcertRX will respond to your complaint within 30 days of receipt of your correspondence or within any further time notified to you in writing.

If you are not satisfied with the outcome of the response you receive, we can refer you to the Office of the Australian Information Commissioner (as applicable) for further investigation.

6.2	Privacy contact information

All requests relating to access, correction or deletion of Personal Information, or any other information relating to ConcertRX’s Privacy Policy should be made in writing to: 

The Privacy Officer
ConcertRX Pty Ltd

Address 	447 High Street, Penrith, NSW 2750
Email 	support@concertrx.com
Phone 	02 9090 4007

Definitions

ConcertRX: ConcertRX Pty Ltd, ABN 77 659 713 176

Confidential Information: Information that is not known to, or readily accessible by, the public and disclosure of that information would cause harm to or disadvantage a person or organisation. Access and disclosure of Confidential Information must be controlled and will only be given to persons who require access to perform their duties. 

Data Breach: An incident in which Personal Information or Confidential Information is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference.

Eligible Data Breach: A Data Breach which has caused serious harm to an individual requiring notification under the Notifiable Data Breaches Scheme under the Privacy Act.

GDPR: The General Data Protection Regulation (EU).

Personal Information: Any information or an opinion about an identified individual, or an individual who is reasonably identifiable, as defined in the Privacy Act, or which is classified as personal data under the GDPR.

Privacy Act: Privacy Act 1988 (Cth).

Sensitive Information: Personal Information categorised as Sensitive Information under the Privacy Act, including but not limited to health records.