If your practice handles the data of anyone who lives in Australia (even if you live somewhere else), you’ll need to make sure you're following all the requirements of the Australian Privacy Principles (APPs).
But don’t stress! We have to follow the APPs too, and we take our responsibilities seriously. That means using Cliniko to manage your practice can make certain requirements easier for you to follow, and we’ve even got some tools to help you do it!
In this article, the principles are listed in numerical order (1-13), and each one has a summary description using the exact wording found on the APPs quick reference page (part of the website for the Office of the Australian Information Commissioner).
We’ve included bulleted overviews of how Cliniko complies with each principle and links to other pages where you can learn more. You’ll also find tips on how Cliniko can help your practice stay in compliance.
If you need info on a particular topic, use the jump links below to skip ahead and find what you’re looking for, or just scroll through and read as you go!
APP 1: Open and transparent management of personal information
Ensures that APP entities manage personal information in an open and transparent way. This includes having a clearly expressed and up to date APP privacy policy.
You can find the details on Cliniko’s collection and management of personal information in our privacy policy.
If you’d like to take a look at our privacy policy in a PDF or some other format, just let us know. We’ll be happy to get you what you need.
If you ask for clients to consent to your privacy policy, you can keep track of responses in Cliniko.
You can also include a link to your privacy policy when patients book online and ask for their consent before they confirm the appointment.
APP 2: Anonymity and pseudonymity
Requires APP entities to give individuals the option of not identifying themselves, or of using a pseudonym. Limited exceptions apply.
Account owners and users can use Cliniko anonymously or under a pseudonym if they choose to.
When it comes to clients’ personal information, clinics are responsible for adhering to this principle, but we’ve come up with some ways to help:
• Privacy settings can be adjusted to conceal a patient's name from showing up in browser page titles or external calendars.
• Clinics can also anonymise deleted patient records at any time.
APP 3: Collection of solicited personal information
Outlines when an APP entity can collect personal information that is solicited. It applies higher standards to the collection of sensitive information.
We directly collect some solicited personal info when you reach out to us through Cliniko or our website, as well as through chat, email, or phone.
This info can include things like your name, date of birth, email address, etc.
We won’t directly collect special categories of your personal data—like race, ethnicity, religious beliefs, sexual orientation, political opinions, etc.
If you need more details on our practices and purposes, you’ll find it all in our privacy policy and our terms of service.
APP 4: Dealing with unsolicited personal information
Outlines how APP entities must deal with unsolicited personal information.
We indirectly collect unsolicited personal information when someone uses Cliniko to record info about someone other than themselves—like when a practitioner enters a patient’s personal data.
This can include things like names, genders, dates of birth, etc.
It can also include sensitive information like private health records.
All of your patients’ data is kept safely stored on our secure servers, and we’ll only access it if you ask us to.
We also collect device information like which browser or hardware is used, cookies and tracking technology, as well as transaction data for your Cliniko subscription payments.
Our privacy policy has more details on how we handle unsolicited personal information.
APP 5: Notification of the collection of personal information
Outlines when and in what circumstances an APP entity that collects personal information must tell an individual about certain matters.
If we make changes to our privacy policy, terms of service, contact details, or anything related to the collection and use of personal information, we’ll let all of our account holders know long before those changes take effect.
APP 6: Use or disclosure of personal information
Outlines the circumstances in which an APP entity may use or disclose personal information that it holds.
We collect personal information for specific reasons, and we’ll only use your info for its intended purpose.
If there is ever a reason to do otherwise, we’ll ask for your consent first.
You can find more details on this in our privacy policy.
APP 7: Direct marketing
An organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met.
We’ll always get your consent before sending promotional messages (things like news, tips, updates, and special offers).
You can withdraw your consent at any time. Just follow the unsubscribe link at the bottom of any marketing message, and you’ll be taken off the list immediately.
If you’d like help withdrawing your consent, please drop us a line. Our support team will be happy to lend a hand.
If you have clients who don’t want to receive marketing messages from you, we’ve got some helpful tools:
• You can unsubscribe them from SMS marketing.
• You can also select if a group SMS message is ‘marketing-related’ or ‘need-to-know’.
There are also a couple of options for those who are using the Mailchimp integration to send marketing emails:
• You can archive or delete a patient's contact info to make sure they’re off your mailing list.
• The double opt-in feature can make sure clients won’t receive any Mailchimp messages until they’ve confirmed they actually want to get them.
APP 8: Cross-border disclosure of personal information
Outlines the steps an APP entity must take to protect personal information before it is disclosed overseas.
In order for Cliniko to function efficiently, we work with some third-party services (subprocessors) in Australia and the USA.
These subprocessors help us with things like web hosting, data backup, and accepting payments.
In compliance with the APPs, subprocessors are only allowed to access and use personal information if it is a vital aspect of the service they offer.
We’ve minimised the amount of data they can use, and we’ve taken the necessary steps to make sure they follow all the appropriate regulations.
You have the option to provide your API key to third-party applications which allows them to access the data in your Cliniko account (including personal information). We are not responsible for the privacy policies and practices of these connected apps.
APP 9: Adoption, use, or disclosure of government related identifiers
Outlines the limited circumstances when an organisation may adopt a government related identifier of an individual as its own identifier, or use or disclose a government related identifier of an individual.
Users can store Medicare numbers (which are considered government identifiers) within their Cliniko accounts for use with third-party connected apps, but we don’t adopt these numbers for our own purposes.
If we ever receive unsolicited data containing government identifiers, they’ll be deleted.
If you have any questions or need more info on this topic, please let us know.
APP 10: Quality of personal information
An APP entity must take reasonable steps to ensure the personal information it collects is accurate, up to date and complete. An entity must also take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure.
Admins and account owners can edit nearly all the personal information in their account. If you’d like some help with this, our support team is always standing by to lend a hand.
We can also make changes for you, but we’ll first need a written request from the account owner.
APP 11: Security of personal information
An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An entity has obligations to destroy or de-identify personal information in certain circumstances.
Security is always our top priority for everything we build in Cliniko. You can learn about all the precautions we take on our security page.
If you cancel your Cliniko subscription, we’ll hold on to your data for at least 90 days before deleting it.
If you need to cancel your account due to the COVID-19 pandemic, please select it as your reason for leaving, and we’ll keep storing your data for a minimum of 12 months.
Clinics have the ability—and the responsibility—to archive or delete clients’ personal information when necessary.
APP 12: Access to personal information
Outlines an APP entity’s obligations when an individual requests to be given access to personal information held about them by the entity. This includes a requirement to provide access unless a specific exception applies.
If you need to access any of the personal information you’ve provided us, please send an email to privacy@cliniko.com, and we’ll get you what you need straight away.
If you have a client who needs access to their info, you can export all of their data stored in your Cliniko account.
APP 13: Correction of personal information
Outlines an APP entity’s obligations in relation to correcting the personal information it holds about individuals.
If you need to make corrections or updates to your personal info, please send an email to privacy@cliniko.com.
You can also email a request to transfer your data or erase it altogether.
If you’d like to withdraw your consent for us to process your data, you can do that too. Just send us an email, and we’ll work with you to get it done.
You can find more details in our privacy policy.
If a client requests you to change or remove their information, you can edit a patient’s details or permanently delete a patient from your Cliniko account.
You can also anonymise deleted patient records to make sure their details aren’t displayed on invoices, payments, and appointment records.
But if you’re required by law to hold on to patient records, you can archive them instead.
If you have any questions about the APPs or anything else, our support team is always eager to help! Just send us an email or select the chat bubble in the lower-right corner of your screen.