PRIVACY POLICY

Last Revised: May 23, 2018
Site: www.clinicmastery.com, www.clinicmastery.com.au

PRIVACY NOTICE Copyright notice This Privacy Notice has been created by Clinic Mastery Pty Ltd. Any redistribution or reproduction of part, or all of the contents, in any form, is prohibited. You may not, except with our express written permission, distribute or commercially exploit the content. Nor may you transmit it or store it in any other website or other form of electronic retrieval system. Information about Clinic Mastery Pty Ltd Company Name: Clinic Mastery Pty Ltd Place of registration: Australia Registered Office: Clinic Mastery, PO Box 4, HIGHGATE SA 5063 Principal activities: Health clinic education, mentoring and coaching. About our Privacy Notice Clinic Mastery Pty Ltd is committed to protecting your privacy and legal rights when dealing with your personal information. This privacy notice intends to provide clear and understandable details about the information we collect about you (or anyone you have provided us with information about, e.g. your child), how we use and protect it. It also provides information about your rights that relate to the data we process. If you have any queries about this privacy notice, if you are not sure what something means, or if you wish to contact us about personal information we hold, please email us at: [email protected] Clinic Mastery Pty Ltd is registered with the Australian Business Register The right to object You have the right to object to processing of your data, if processing of your data is based on legitimate interests, or if processing is being undertaken using your explicit consent for direct marketing. The definition of ‘legitimate interests’ is discussed within this Privacy Policy. Please contact us in the first instance if you wish to object. Definitions of terms within this privacy notice ‘we’, our’, ‘us’, ‘Company’ is a direct reference to Clinic Mastery Pty Ltd ‘services’ means Private Practice Business Coaching services provided by us, as defined in ‘Private Practice Business Coaching services’. GDPR means EU General Data Protection Regulations that come into force on May 25th 2018. ICO means the Information Commissioner’s Office and will also refer to any successor to it as the UK data protection authority. Data Protection Laws means the Act, GDPR, the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699), the Electronic Communications Data Protection Directive (2002/58/EC), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003) and all applicable laws and regulations relating to the processing of personal data and privacy, including where applicable the guidance and codes of practice issued by the ICO or any other supervisory authority, and the equivalent of any of the foregoing in any relevant jurisdiction. Data Controller, Data Processor, Data Subject and Personal Data all have the meaning given to them in the Act and GDPR. Website or site means the Company’s website at www.clinicmastery.com ‘personal information’ means either Personal Data or Special Category data, as defined by the GDPR. Privacy notice scope This Privacy Notice will apply to any person (also known as a ‘data subject’) who enquires about, uses or purchases our services. It also applies if you communicate with us in any manner, for the purpose of discussing current or past use of our services. You may be reading a printed version of our privacy notice, which may not be the latest version. Please view the current privacy notice on our website or contact us using the contact details at the beginning of this Privacy Notice to request a copy of the Privacy Notice via email, in Adobe PDF format. Securing your personal information Data protection laws require us to take appropriate technical and organisational measures to prevent unlawful access or processing of personal information, that the Data Controller for Private Practice Ninja Limited is responsible for implementing. The level of technical safeguarding of data should be appropriate to the nature of information in question, and the harm that might result from its improper use, or from its accidental deletion or destruction. The following list shows some of the technical and organisational measures we put in place to ensure the safety and integrity of your data. • We are trained in the appropriate handing of personal information and how to respond to a data breach • We practice common sense cybersecurity requirements, such as locking screens when away from them, ensuring Windows / Mac OS updates are installed on release • Where possible, we use two factor authentication for key systems • We ensure passwords are changed regularly on our systems • We don’t use systems aimed purely at consumers, such as Gmail personal, Dropbox personal and Hotmail • We ensure we encrypt all our hardware that will store personal information, using industry standard encryption methods • Our third-party providers of systems used to process your personal data are compliant with data protection laws and requirements, and also have effective data restore capabilities to ensure your data can be recovered How we collect personal information from you We collect personal information from you or any third parties that are acting on your behalf. If you provide us with personal information about other people, please ensure that they have seen this privacy policy and understand it, before you provide this information to us. • We will collect standard personal information from you, or other third parties. We will collect the information from the following sources: o From yourself, either in face to face consultations, or via electronic communications such as email, via the telephone, or via postal communications o When you have given explicit consent to subscribe to educational or marketing email correspondence o Manually, when you fill in a business coaching needs assessment form Categories of personal information that we process Standard Personal information which can include (but is not limited to) name address(es) email address(es) date of birth details of any complaints or grievances raised that relate to the provision of our services financial details that relate to payments for our services (we do not store credit or debit card details) What we use your personal information for We will process your personal information for reasons set out in this privacy notice. By law, we need to have a lawful basis or bases for processing your Standard personal information. We undertake to process this information in line with Data Protection Laws as defined in the section “Definitions of terms within this privacy notice” within this document. We process Standard Personal information about you if it is determined: • It is in our Legitimate Interests. Details of what constitutes legitimate interests are detailed below. • We have your Explicit Consent – this only applies when you’ve subscribed and opted in to receive our email newsletters, blogs and marketing offers, or you’ve provided consent to receive email newsletters, blog and marketing offers via our marketing consent form via an opt in checkbox. Standard personal information – Legitimate Interests The law requires us to our balance the processing of your Standard personal data against your interests, rights and freedoms. We conduct a legitimate interests assessment to ensure we ensure the Standard personal data we process does not override your interests, rights or freedom. The legitimate interests we have identified that allow us to process your standard personal data are: • To enable us to take sufficient information in order to record who you are when booking business coaching sessions • To gain an understanding of how your private practice operates, to enable us to assist you with business coaching • To ensure we can email you with basic information about your appointments • To manage our personal relationship with you, with respect to discussing invoices and payments • To communicate with you if we need to cancel or rearrange appointments scheduled coaching sessions Sharing your personal information We will not typically need to share your information for the purposes of business coaching, and we would always ask for your explicit consent to share information with others, if such a need arose. Transferring information outside the boundaries of the EEA (European Economic Area) Generally, we store your personal information on secure systems that reside within the EEA. Where we store systems that are outside of the EEA, we will ensure that there are suitable contractual or other safeguards in place to protect your data. These measures may include data controller (us) to data processor contracts who we have checked have the required data protection law compliance, or ensuring your data is transmitted from the EEA to other global areas in a highly encrypted format, that is then stored on secure systems using “zero knowledge’ encryption. This means your data cannot be decrypted by a data processor. How long we process your personal information for We will process your personal information, for the duration of our business relationship. If you decide that you wish to terminate our business relationship, and you will not require our services in the future, then the lawful basis for processing will no longer apply. At this point, we would delete your data. If we have not any contact with you in relation to our business coaching after a period of three years, we will delete your personal information from our systems. In relation to the above statement, your rights regarding our processing your personal information are not affected. You still have the right to ask us to cease processing your personal information – please see the section below pertaining to your rights. Any personal information that is used for direct marketing purposes, that has been provided using explicit consent, will be erased in accordance with your rights if requested. In all instances, we might retain enough personal information to ensure that your preference not to receive direct marketing in the future is respected. Your rights You have the following rights, however please note, that the rights are not absolute. The only absolute right you have is to request that we do not use your personal information for direct marketing. Please do contact us if you are unsure about your rights as detailed below. We will always endeavour to help explain how your rights apply to the personal information we process, for our specified lawful reasons. The right to be informed We need to inform you the name and contact details of our organisation, which is at the top of this document. You have the right to be informed about how we collect and use your personal data. We are obliged to provide this right to be informed in a clear and concise manner. This privacy notice you are reading is designed to inform you how we collect and use your personal data. The right of access You have the right to confirmation that your information is being processed and to view this information. This is known as a Subject Access Request or ‘SAR’, but you do not have to specify this term when requesting your personal information from us. You also have the right to request a copy of your personal data that we process. We will need to identify you using reasonable means before we will start the process of collating your personal information. Once we have identified you, we will reply to any requests for your personal information (SARs) within 30 days, unless we deem the request to be complex, or repetitive, where we will notify you that we may take an additional two months to provide your personal information. We will not charge you to request information from us. However, we will charge a reasonable fee if the request for information is repetitive. If we’ve provided information to you and you wish to request it again, we ask that you contact us before hand to discuss what our reasonable fee is. If the request is manifestly unfounded or excessive, in particular because they are repetitive, we might decide to: • charge a reasonable fee taking into account the administrative costs of providing the information; or • refuse to respond Where we refuse to respond to a request, we will explain why to you, informing them of your right to complain to the ICO without undue delay and at the latest within one month of our refusal. The right to rectification You have the right to request rectification of your personal information. However, we only consider requests to correct factual information. The right to erasure You have the right to request erasure of personal information. If you have subscribed to any of our email educational or marketing correspondence, you have the right to request erasure from our email list, or you can click on the ‘unsubscribe’ link that appears in all emails we send. We will only use your personal information to send you marketing or educational material if you have given us your explicit permission. If we determine we cannot delete data, you still have the right to ask us to restrict processing of your personal data. The right to restrict processing You can request that we restrict processing of personal information. This means that we will stop actively processing it, and it will just be stored. Stopping processing will mean that we will not add any additional information to your existing information. The right to data portability You have the right to data portability for personal information that is processed using a lawful basis of consent. Where we process data using the lawful basis of ‘legitimate interests’, the right to data portability is not applicable. You still have to right to request this, however. The right to object You have the right to object if processing is based on legitimate interests. You have the absolute right to object processing is being used for direct marketing. Rights in relation to automated decision making and profiling We do not make any kinds of automated decisions or perform any profiling with your personal information. The right to lodge a complaint with a supervisory authority We ask that you first contact us if you feel you wish to make a complaint. Please see the template letter and guidelines listed on the ICO website. https://ico.org.uk/for-the-public/raising-concerns/ You can also contact the ICO directly: https://ico.org.uk/concerns/