1.1 In conducting its business of designing, supplying and supporting ophthalmic devices, Medmont International Pty Ltd ACN 154 326 600 (Medmont, us, we or our) commits to complying with all applicable privacy laws, including the Privacy Act 1988 (Cth) (Privacy Act).
1.3 We reserve the right to vary this policy from time to time (at our sole discretion). If we make such a variation, the updated policy will be posted on our website and will apply to all personal information that we hold at the time of variation.
- How and why we collect your personal information
2.1 We collect your personal information for the primary purpose of enabling us to conduct our business of designing, supplying and supporting ophthalmic devices. We also collect your personal information for secondary purposes including sending you newsletters, marketing material and invitations to events.
2.2 When we collect personal information, we generally collect it directly from you, including when you:
(a) submit a request for information or for support (e.g. when you complete a form field on our website);
(b) send us a message via social media, email or any other communication;
(c) visit or call our offices (e.g. we keep a Visitor Logbook);
(d) give your details at an event, conference, trade show or similar;
(e) purchase a good or service from us (including from our distributors and agents).
2.3 We do not have patients and do not treat them, so we do not keep patient lists or records. If you have visited a doctor who uses our device, it is likely that he/she will retain your diagnostic information. There is no function within our devices or their software which automatically transmits patient data to us.
2.4 In any event, in order for us to supply Medmont products and support, and to communicate with you in respect of such, we will keep your contact information including but not limited to your name, telephone number/s, address and email address.
2.5 In order to support users with our devices, our users and their patients may also provide certain “sensitive information” to us, including in respect of an individual’s health and biomedical data. We do this to support users of our devices to seek the best possible results for their patients. Where we collect such information, we will anonymise it and/or pseudonymise it as soon as possible. Further, we will often use aggregated anonymised datasets for the purpose of testing, displaying and using our devices. If you have any concerns that your identity could be derived from such datasets, please contact us.
2.6 If at any time you provide us with personal information about someone other than yourself (e.g. a representative of your business), you warrant that you have the person’s explicit consent to provide such information for the purpose specified. You acknowledge that we may require you to provide us with proof of such consent.
2.7 The primary and secondary purposes to which we put your personal information are to communicate with you and provide you with support, and to display and promote our products. However if we use any personal or sensitive information when using, displaying or promoting our devices, or to develop datasets, we will anonymise such information and use pseudonyms.
2.8 By way of example:
(a) datasets that are installed on our devices are anonymised by a variety of methods including the name of the dataset patient being a computer generated random number, replacing the patient’s date of birth with the year of birth and then not retaining any connection to the original personal identifiers;
(b) if you see a demonstration of a Medmont device (e.g. at a trade show), you may see on the device’s screen an “example patient” with a name and diagnostic information – the name is a pseudonym and the diagnostic information will be cleansed of personal identifiers so that it is anonymised.
2.9 We will deal with your information anonymously or by pseudonym as long as it is not impractical to do so (which is the case in most instances). Occasionally a medical practitioner will ask that we assist them with their use of a Medmont device and we will do so without knowing or retaining any personal information.
2.10 We do not collect government identifiers – if such information is inadvertently sent to us, we will destroy or delete it. However, if we have reason to keep such identifiers, we will inform you of such.
- Unsolicited collection of personal information
3.1 From time to time, we may receive unsolicited personal information. Where this occurs, we will destroy or delete it. However if we wish to keep it, we will check whether we could have reasonably collected that information.
3.2 If we determine that we could have reasonably collected that personal information, we will handle it in the same way that we will handle your personal information when directly collected from you.
3.3 If we couldn’t have reasonably collected that personal information, we will, as soon as practicable, destroy, delete or de-identify the personal information if it is lawful and reasonable for us to do so.
4.2 Cookies are small text files sent by us to your computer or mobile device. They are unique to your account or your browser. Session-based cookies last only while your browser is open and are automatically deleted when you close your browser. Persistent cookies last until you or your browser delete them or until they expire. We use all of these types of cookies as well as third party cookies such as Google Analytics.
4.4 Unfortunately disabling cookies is likely to disable or reduce the functionality and features of our website. If you are not sure whether you need them or not, it is often recommended that you leave on all cookies in case they are used to provide a service that you use.
4.5 Further, our server may log details about any computer used to access our website (such as IP address, domain name and browser type), the date and time of access and details relating to the information downloaded from our website. Such information is used for our own statistical purposes and to improve our website.
- Using your personal information
5.1 We do not sell, rent or trade your personal information to third parties and will only disclose your personal information to third parties where:
(b) you have consented (including implicitly consented by giving your contact details to be sent elsewhere); or
(c) the disclosure is required or authorised at law, by a court order, or by a decision of a government agency or department.
5.2 We will primarily use and/or disclose your personal information for the following purposes:
(a) to supply and support our products;
(b) to give to our distributors and supplier networks so that they may assist you (e.g. if you send us a product request, we will send your contact details to your nearest Medmont distributor);
(c) subject to the relevant individual’s consent, we may share information with ophthalmic industry participants in support of advancing medical treatments (e.g. with your consent, and often liaising with your eye specialist, we will provide certain information to contact lens manufacturers for the production of custom made contact lenses for you);
(d) to establish a newsletter mailing list (e.g. marketing material);
(e) to invite you to events (e.g. information sessions about Medmont products);
(f) for usual account keeping and record keeping purposes; and
(g) as stated elsewhere in this policy or any other agreement we may have with you (including in our terms of supply with you).
5.3 In any event, we may also disclose your personal information where a “permitted general situation” exists, such as:
(a) use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual or to public health or safety and it is unreasonable or impracticable to obtain consent;
(b) we have reason to suspect that unlawful activity or misconduct of a serious nature has been (or may be) engaged in and use or disclosure is necessary in order for us to take appropriate action;
(c) use or disclosure is reasonably necessary for the establishment, exercise or defense of a legal or equitable claim; or
(d) use or disclosure is reasonably necessary for a confidential alternative dispute resolution process. This may be the case where the counter party to your transaction is based overseas.
- Overseas disclosures
6.1 From time to time, we may disclose your personal information to overseas recipients in accordance with this policy. Wherever possible, we will endeavour to limit our activities in this respect.
6.2 We often transfer personal information overseas in order to help you. For instance, if you are located overseas and send to us a product or support request here in Australia, we will pass on your contact details to the distributor and/or support provider based in your jurisdiction or region so that they can assist you with your request. When you contact us, you are consenting to us using your contact details for this purpose.
6.3 We use a worldwide network of distributors and support providers as the manufacture and supply of our devices are subject to regulations and standards throughout different jurisdictions and regions. The risk associated with your information being sent out to a foreign distributor is that we do not control their information security. We mitigate this risk by:
(a) taking reasonable steps to ensure that the overseas recipient is in a country with adequate levels of information protection;
(b) requiring a commitment from each of our distributors and partners that they will not use your information for any purpose other than the purpose for which it was collected and transferred to them (including that, if you did not provide consent, they must not use it for on-selling, transfer it for an unrelated purpose or use it for direct marketing purposes); and
(c) requiring a commitment to a standard data protection clause from each of our distributors and partners (including that they will safeguard your personal information according to relevant privacy laws).
6.4 We may also provide your personal information to overseas recipients where:
(a) we are required or authorised by law to do so; or
(b) we suspect that unlawful activity or misconduct of a serious nature is being or may be engaged in.
- Mailouts, marketing, information
7.1 You have a choice to opt in, and if you do we will send you marketing material. If you choose not to opt in, no marketing material will be provided unless and until you opt in.
7.2 If you own one of our devices, you may still receive correspondence from us even if you opt-out of receiving marketing material. We will do so where such communications include device maintenance and support information. If this remains an issue, please contact us directly.
- Security of your personal information
8.1 We take reasonable steps to protect your personal information from misuse, interference, loss, or unauthorised disclosure. We do this via employee training; document storage policies; security measures for access to our systems (including log-in and password controls for staff on a need-to-know basis); controlling access to our offices and maintaining secure offices; electronic security systems; and, from time to time, monitoring and reviewing our information security.
8.2 On reasonable request, and where it is no longer required for record keeping purposes, we may destroy, delete or de-identify your personal information that we hold (unless we are otherwise required or authorised by law to retain it).
- Accessing your personal information
9.1 You may request access to your personal information that we hold by emailing us at email@example.com. We may ask that you include verification details and/or documentation so we can confirm who we are communicating with. Please also ensure that you identify, as clearly as possible, the specific information that you seek access to.
9.2 Although we will not charge you for making your first access request, we may charge you a reasonable fee to cover the costs associated with retrieving your personal information for subsequent requests.
9.3 We will endeavour to respond to requests for access to personal information within a reasonable period of time and we will generally provide you with the following:
(a) confirmation of whether your personal information is being processed or not;
(b) the purpose/s of processing your personal information;
(c) the categories of personal information that we hold about you;
(d) the recipients or categories of recipients to whom your personal information has been or will be disclosed;
(e) the period of time that your personal information will be stored (where possible); and
(f) notification of your rights.
9.4 When we provide such information, we will provide it in a structured, commonly used, machine-readable format.
9.5 We may refuse your request when:
(a) you do not verify your identity;
(b) we reasonably believe that giving access would pose a serious threat to the life, health or safety of an individual, or to public health or public safety;
(c) giving access would have an unreasonable impact on the privacy of others;
(d) your request is frivolous or vexatious;
(e) it would be unlawful to do so; or
(f) we are required to deny access by law, a court order, or by a decision of a government agency or department.
9.6 If we refuse your request for access, we will give you reasons for the refusal and information about the complaint mechanism/s available to you.
- Correcting your personal information
10.1 You may seek correction of your personal information that we hold. In such circumstances, we will take reasonable steps to correct your personal information, taking into account the purpose for which it is held, its accuracy, the reasonableness and the relevance of your correction request.
10.2 If your personal information has been disclosed to a third party, we will take reasonable steps to notify the third party of any such correction.
10.3 If accuracy of your personal information remains an issue or is contested by you, we may elect to not continue to use it, and/or destroy or delete it.
- Right to be forgotten
11.1 If we hold your personal information, you may ask for it to be removed or deleted where:
(a) it is no longer necessary for the purposes for which it was collected;
(b) you withdraw consent and your consent was the legal basis for collection;
(c) you object to the use of your personal information for automated decision making;
(d) you object to the use of your personal information for marketing purposes;
(e) your personal information is being used unlawfully; or
(f) removal is required or authorised at law, by a court order, or by a decision of a government agency or department.
11.2 However, we may refuse your request for removal of your personal information where your personal information is necessary:
(a) to exercise a right to freedom of expression and information;
(b) to comply with an obligation at law;
(c) for the performance of a task carried out in the public interest (including in the public interest for the purposes of public health); or
(d) for the purpose of a judicial process.
11.3 Please note that we may anonymise personal information to the extent that it has the actual or practical effect of deleting your personal identifiers, or that we cannot identify it as yours to remove or delete.
- European Union General Data Protection Regulation (GDPR)
12.1 We offer devices and support throughout the world including to businesses and individuals who are located in the EU. In order to do so, we often collect personal data about individuals in the EU but we do not monitor their behaviour.
12.2 If you are in the EU, and you provide personal data to us, it is your responsibility to notify us as to your location in the EU.
12.3 If you are in the EU we will work to ensure that our use does not infringe your personal data protection entitlements under the GDPR including in respect of the right to be forgotten, data portability and the objection to the processing of your data.
- Data breaches
13.1 A data breach can occur as a result of a system fault, human error, or a malicious or criminal attack. When we suffer a data breach that causes individuals to be at risk of serious harm (which we cannot prevent with remedial action) or poses a high risk to your rights and freedoms, we are committed to notifying the regulator (within 72 hours) and notifying individuals as required by law.
13.2 Our notification/s will include the steps we are taking to resolve the issue and the recommendations about the steps the affected individuals should take in response to the data breach.
- Making a complaint
14.1 If you think we have failed to comply with our privacy obligations, we ask that you first make a complaint to us. We will acknowledge your complaint in a prompt manner and give you an estimated timeframe for our response. We are committed to dealing with your complaint in a reasonable and effective manner.
14.2 If we are unable to resolve your complaint or if you are unhappy with the outcome, you may lodge a complaint with the Australian Information Commissioner (www.oaic.gov.au).
- Contact us
15.1 If you have any questions about this policy, please contact us at firstname.lastname@example.org.
This policy was last updated 30 October 2020.