Updated 11th August 2021
The Australian Privacy Act 1988 and Australian Privacy Principles set out the standards and obligations that apply to Australian organisations, including the following:
- the collection, use and disclosure of personal information
- an organisation or agency’s governance and accountability
- integrity and correction of personal information
- the rights of individuals to access their personal information
European Compliance (GDPR)
The European General Data Protection Regulation (GDPR) sets out clear standards for data protection, which NovoPsych meets or surpasses. In August 2021 NovoPsych reviewed our security to ensure we met GDPR standards, including:
- documented a privacy by design approach to compliance
- demonstrated compliance with privacy principles
- enhanced transparent information handling practices
Australian and GDPR requirements are complementary. Both sets of laws foster transparent information handling practices and business accountability, to give individuals confidence that their privacy is being protected. Both laws require businesses to implement measures that ensure compliance with a set of privacy principles, and both take a “privacy by design” approach to compliance. Data breach notification is required in certain circumstances under the GDPR and under the Privacy Act (from February 2018). In addition, privacy impact assessments, mandated in certain circumstances under the GDPR, are expected in similar circumstances in Australia.
Although not a requirement of GDPR, large organisations in Europe with internal governance guidelines may opt for servers to be located within their own country, which can be accommodated by NovoPsych under the Enterprise Plan.
United States regulations (HIPAA Compliance)
NovoPsych has not undertaken the audit process to document compliance with HIPAA regulations given that we have chosen not to operate in the United States.
While using our Service, we may ask users to provide us with certain personally identifiable information that can be used to contact or identify an individual (“Personal Data”). Personally identifiable information may include, but is not limited to: name, email address, telephone numbers, address, credit card details, cookies and information about that individual’s activities when directly linked to that person such as information about his or her use of the NovoPsych website or services. Personal information can also include demographic information such as date of birth, gender, geographic area and preferences when such information is linked to other personal information that identifies an individual.
Where possible, we allow users to interact with us anonymously or by using a pseudonym. For most of our functions and activities, we will generally need your name and contact information and enough information about the matter to help you use the service effectively. If you choose not to provide your personal data, some functions and features on our websites and software may not be available and we may not be able to provide you with all our services.
Our users also enter personal data about their patients. This data can include sensitive information such as health records, and may include, but is not limited to: name, email address, telephone numbers, personal preferences, condition, treatment details and psychometric scores. This data may also relate to minors and other vulnerable individuals who may be patients of NovoPsych customers. You may use the patient’s real identifying information or a pseudonym. We encourage users to use de-identified names or codes when inputting patient data. We will not use patients’ identifiable data for any purpose not intrinsic to NovoPsych’s functionality.
We may also collect information on how the Service is accessed and used (“Usage Data”). This Usage Data may include information such as users’ computer Internet Protocol address (IP address), browser type, browser version, the pages of our Service that they visit, the time and date of their visit, the time spent on those pages, unique device identifiers and other diagnostic data.
Tracking & Cookies Data
Cookies are files with a small amount of data which may include an anonymous unique identifier. Cookies are sent to a user’s browser from a website and stored on their device. Other tracking technologies we use are beacons, tags, and scripts, which collect and track information and help us improve and analyse our Service.
Users can instruct their browser to refuse all cookies or to indicate when a cookie is being sent. However, if they do not accept cookies, they may not be able to use some or all of our Service.
Examples of Cookies and Pixels we use: session cookies (we use these cookies to operate our Service), pixels to understand the user journey and preference cookies (we use these cookies to remember users’ preferences and various settings).
How We Use Data
All information we collect directly or indirectly about users or their patients is strictly confidential. We do not rent, lease or make available customer lists or any other identifiable information contained in customer accounts (including patient details) to third parties. We will not reveal, disclose, sell, distribute, rent, license, share or pass on to any third party (other than those who are contracted or supply services to us, including spam filter operators) any identifiable information that may have been provided to us directly, or stored in a customer’s account, unless we have express consent to do so, other than in the circumstances set out in this policy.
We require this information to understand your needs and provide you with a better service, and may use the data for the following reasons:
We may use personal data to contact users with information about new features or announcements, to update users on the status of their account, to issue invoices, receipts, payment reminders, to provide training information, operational communications (like security updates), to send marketing communications, to seek feedback, or communicate other information that may be relevant.
We don’t recommend it, but you can opt out of receiving emails about new features and similar announcements by clicking on the ‘opt-out’ link or following the instructions in the email. Users cannot opt out of receiving transactional emails or notifications relating to their account status, security announcements or other communication that might be essential to the operation of their account.
We use personal data to provide assistance with the resolution of any technical support issues and to assist users with using our service.
Analysis and Development
We may also use data to improve the NovoPsych service or product, analyse trends, and for monitoring the usage of the service, to detect, prevent and address technical issues. We may use collated de-identified data, including responses to psychometric instruments, in academic research, outcome based research, and to improve and develop psychometrics.
Ending Service Provision
Of course, users who cease to use NovoPsych and have concluded all business with us (for example, they have closed their practice and their NovoPsych account) can opt out of all communications from us. See the section below for your rights on deleting data.
Legal Basis for Processing (under GDPR)
NovoPsych may process your Personal Data because:
- We need to perform a contract with you;
- You have given us permission to do so;
- The processing is in our legitimate interests and it’s not overridden by your rights;
- For payment processing purposes;
- To comply with the law.
Location of Your Data
Patient Data is stored in Australia or the UK. Other data will not be stored outside of Australia, the USA, Ireland and the UK. These practices are consistent with Australian Privacy Principles and GDPR. Patient information is not transmitted to the USA. If you’re on an Enterprise Plan you can opt to have your data stored in any specific country or region.
How your data might be shared
NovoPsych will not disclose any identifiable data uploaded to our servers to anyone else without permission, except for the following reasons:
Legal or Moral Requirement
In rare circumstances we will share the personal data necessary: where permitted or required by law; where requested and needed for a patient’s emergency treatment in exceptional circumstances; for the prevention of immediate risk of loss of life or serious harm; or with various regulatory bodies and law enforcement officials and agencies to protect against fraud and for related security purposes.
International Data Transfers
NovoPsych operates internationally and we may share, transfer and process data in countries other than the country you live in. These practices are consistent with Australian Privacy Principles and GDPR. These countries may have different laws, but rest assured that when we share personal data with a third party, we take all reasonable steps to ensure that personal data remains protected in the manner you would expect. For individuals in the European Economic Area (EEA), your data may be transferred outside of the EEA but it will only be transferred to countries that provide adequate protection, or to a third party where we have reviewed their data protection processes and policies for adherence to the GDPR Standard Contractual Clauses.
In order to provide our services to customers and their patients, NovoPsych employs various third party companies and individuals to assist with providing the services. Where necessary, we share a limited amount of personal data with our third-party service providers and sub-processors. NovoPsych takes care to select integration partners who have good data management policies in place and will only share the data necessary for the integration to work effectively. In all cases, we provide only the minimum amount of personal data that is needed to perform the service and take reasonable steps to ensure these parties have appropriate data protection safeguards in place.
A list of our sub-processors is as follows:
Amazon Web Services, Inc (AWS)
Web hosting (Australian Server)
Invoicing and subscription services, CRM
Issue tracking, feature requests
How we retain your data
We will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of our Service, or we are legally obligated to retain this data for longer time periods.
Your rights to your data
We aim to take reasonable steps to allow you to correct, amend, delete, destroy or limit the use of your Personal Data. If you are a resident of the European Economic Area (EEA), you have certain data protection rights, and we extend these rights to all users. In addition, under Australian Privacy Principle 11 (APP 11) we are required to take reasonable steps to destroy or de-identify personal information when it is no longer required for the purpose for which it was collected.
In certain circumstances, you have the following data protection rights:
- The right to access, update or to delete the information we have on you.
- The right of rectification. You have the right to have your information rectified if that information is inaccurate or incomplete.
- The right to object. You have the right to object to our processing of your Personal Data.
- The right of restriction. You have the right to request that we restrict the processing of your personal information.
- The right to data portability. You have the right to be provided with a copy of your Personal Data in a structured, machine-readable and commonly used format.
- The right to withdraw consent. You also have the right to withdraw your consent at any time where NovoPsych relied on your consent to process your personal information.
If you wish to be informed about what Personal Data we hold about you and if you want it to be removed from our systems, please contact us. Please note that we may ask you to verify your identity before responding to such requests. (If you are a patient or client of a business that uses NovoPsych you will need to contact that business directly to discuss and invoke your protection rights.)
If you live in the EEA, you have the right to complain to a Data Protection Authority about our collection and use of your Personal Data (see below for information about how to contact them). For more information, please contact your local data protection authority in the European Economic Area (EEA).
Note that this policy refers to customer and user data and where applicable, the employee records exemption in the Privacy Act and any other applicable exemptions in the Privacy Act or other legislation will apply.
Changes to this policy
NovoPsych will take reasonable steps to protect the personal information we hold from any misuse, interference, loss, and unauthorised access, modification or disclosure.
NovoPsych has an extensive range of security measures in place to protect personal information from unauthorised access, use, or loss. Our servers are maintained in a controlled and secured environment and access is restricted to only those who need it in order to provide the service.
NovoPsych uses 256 bit encryption. We use the cryptographic algorithms SHA-256 with RSA Encryption for our main services.
In addition, NovoPsych uses 256-bit Secure Sockets Layer (SSL) encryption and has employed a number of high-level security protocols to protect personal data. Strong encryption, such as 256-bit, is over a trillion times stronger than 40-bit encryption. At current computing speeds, a hacker with the time, tools, and motivation to attack using brute force would theoretically require a trillion years to break into a session protected by a Server Gated Cryptography (SGC) enabled certificate.
Below are some of the processes that we have implemented to protect your security.
- The infrastructure we use (AWS) complies with the Commonwealth Government standards governing the security of IT systems and infrastructure.
- The data centre is an enterprise grade data centre with world-leading Class 1IDC infrastructure. This is the same data centre used and approved by the Department of Health and Ageing.
- Data is fully monitored with 24×7 security guards onsite and premises under constant CCTV surveillance.
- To comply with Australian Laws, all data, backups and offsite backups are stored within Australia.
- The data you enter in NovoPsych is replicated among several database servers, as well as backed up off-site to prevent a single failure from causing data loss.
- The multiple-redundant VMware platform we use offers load-balanced ESX servers to maximise performance and availability, with a minimal chance of unavailability.
Accreditations and Certifications
We choose our partners carefully. Our hosting partner, Amazon Web Services (AWS), has achieved the following accreditations and certifications:
- PCI DSS Level 1 (Payment Card Industry Data Security Standard)
- ISO 27001 (Information Security Management System)
- FIPS 140-2 (United States Federal Information Processing Standard)
Under the Notifiable Data Breaches (NDB) scheme any organisation or agency the (Australian) Privacy Act 1988 covers must notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in harm to an individual whose personal information is involved. A data breach occurs when there is unauthorised access or disclosure. For example, when:
- a device owned by NovoPsych with a customer’s personal information is lost or stolen
- a NovoPsych database with personal information is hacked
- personal information is mistakenly given to the wrong person
NovoPsych has never had a data breach of this nature; however, if one were to occur we would notify customers and OAIC immediately.
NovoPsych data is backed up daily. Backups are redundantly stored in multiple physical locations. Data is also constantly streamed to replica databases for up-to-the-second redundancy.
In other words, we’ve got backups for your backups and a contingency in place to handle any potential interruptions to the storage process. Don’t forget that you can also export your data and create your own backups too.
Your Role in Security of Your Data
Our users also have an important role to play in keeping data secure. You are responsible for maintaining the confidentiality of your account details and password. Your passwords protect your personal information and you are responsible for any activities that occur in your account or in respect of your use of this service. Please let us know immediately if you suspect that the security of your password or account has been compromised in any manner.
Create a strong password
Use a unique password for your NovoPsych account. Since longer passwords are generally harder for criminals to break, try using a line from your favourite song or a short sentence you’ll easily remember. We require 10 or more characters in our passwords.
Log out of NovoPsych when not in use
If you’re not using NovoPsych, log out, rather than keeping it logged on in a browser tab.
Keep your browser updated
An up-to-date browser will ensure that NovoPsych is performing at its best and that you have the latest protection against online threats.
Use “Guided Access”
If using NovoPsych on an iPad, ensure you’re familiar with ‘Guided Access’, which allows you to temporarily restrict your iPad to a single app (i.e. NovoPsych). If you have activated Guided Access before you pass your iPad to a client to complete the assessment they will not be able to exit NovoPsych. Only you will be able to deactivate Guided Access with a passcode.
When using NovoPsych on an iPad we recommend you become familiar with Guided Access so you can have an extra layer of security and your clients can’t access other data or apps on your iPad.
Instructions to set up Guided Access on your iPad can be found here:
Use passwords on your devices
Whether you use NovoPsych on a tablet or a computer, make sure that you have password protection to activate the device.
Protecting Your Clients
You are responsible for making sure that your clients’ / patients’ privacy and associated rights are respected. As your Data Processor, we will take care to protect the privacy of your patients and will process their Personal Data in accordance with the terms of our agreement with you, and under your lawful instruction.
How To Contact Us
Attention: Data Protection Officer
Email: [email protected]
Telephone: If you would prefer to speak by telephone, please email us with your contact details and concerns, and we will respond in a timely manner.
https://novopsych.com.au/contact-us
NovoPsych treats your privacy seriously and any complaints will be assessed by an appropriate person with the aim of resolving any issue in an efficient and timely manner.
If you are not happy with our handling of your privacy concerns, you can also contact your local data protection authority. Depending on your location, you can use the following links:
- Australia: Office of the Australian Information Commissioner (OAIC)
- United Kingdom: Information Commissioner’s Office (ICO)
These organisations are independent from NovoPsych and can investigate privacy complaints.
We used a heap of different terms in this policy. To make sure it’s clear what we are talking about, here are some definitions:
- Personal Data
Personal Data means data about an individual that allows them to be identified from that data. It may be provided directly by a user, or provided indirectly by a user about their client (for example a health practitioner entering data about their patient). Personal information does not include “aggregate” information, which is data we collect about a group or category of products, services or people, from which individual identities have been removed.
- Usage Data
Usage Data is data collected automatically either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit).
- Cookies
Cookies are small pieces of data stored on a User’s device.
- Data Processor
Data Processor means the person or entity that processes data on behalf of a data controller. According to GDPR and for the purposes of this policy, NovoPsych is considered to be the data processor.
- Data Controller
The User (also referred to as our Customer) is the individual using our Service either directly or indirectly. The User is also referred to as the Data Subject and is any individual who can be identified via the Personal Data.