MedEnterprises Privacy Policy

1. Purpose

1.1. MedEnterprises is committed to protecting your privacy and the personal information we collect. Personal information is collected and managed in accordance with applicable privacy laws, such as:

1.1.1. the Privacy Act 2020 (NZ);

1.1.2. the Privacy Act 1988 (AU); and

1.1.3. the General Data Protection Regulation (EU).

1.2. This MedEnterprises Privacy Policy (Policy) outlines how MedEnterprises collects, discloses, uses, stores or handles your personal information.

1.3. “Personal information” means information about an identifiable individual. Personal information includes an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether the information or opinion is recorded in a material form or not.

2. Scope

2.1. This Policy relates to personal information collected by MedEnterprises NZ Limited Partnership (MELP) and other members of the MedEnterprises Group.

2.2. The MedEnterprises Group consists of MELP and:

2.2.1. MedRecruit: a recruitment service matching doctors to clients in the healthcare markets of Australia and New Zealand

2.2.2. MedCapital: provides financial management services to doctors

2.2.3. MedEnterprises: provides group support services

2.2.4. MedWorld: advocates for doctors’ welfare and provides online programs to assist doctors to develop the necessary skills to promote wellbeing

2.2.5. Become: provides financial management services

2.2.6. MedCapital General Insurance: provides insurance broking services

2.3. In this Policy, the MedEnterprises Group, or a member of the MedEnterprises Group, is referred to as “MedEnterprises”, “we”, “us” or “our”.

3. Privacy Officer

3.1. Our Privacy Officer is the contact point for any queries, requests or complaints relating to your personal information.

3.2. The Privacy Officer can be contacted at:

3.2.1. Email: privacy.officer@medcapital.net

3.2.2. Phone: 0508 633 227 (NZ) or 1800 633 227 (AU).

4. Consent

4.1. In Australia and New Zealand: by submitting your personal information to MedEnterprises, you consent to MedEnterprises dealing with your personal information in accordance with this Policy. In addition, if applicable law requires your specific consent to deal with particular personal information, you will be asked to give that consent. Your personal information will be used, stored, disclosed and treated according to this Policy.

4.2. In the European Union: when submitting your personal information to MedEnterprises, you will be asked to provide consent to the use of your personal information for the purpose it was submitted and consent separately to the use of your personal information for the purpose of direct marketing outlined in this Policy.

5. Collecting your personal information

5.1. It is MedEnterprises’ usual practice to collect personal information directly from you. Collection may occur when you fill in and submit one of our application forms, provide information to us through our websites, or electronically via our telecommunications or email systems.

5.2. We also collect personal information that has been provided to us through an external third party, or a publicly available source. MedEnterprises will take reasonable steps, where practicable, to inform you that we have collected personal information from a third party.

5.3. The type of personal information we collect will depend on various factors such as the type of service you request or use and the applicable legal and regulatory obligations. This may include collection of the following kinds of information:

5.3.1. Contact: information that allows us to communicate with you (e.g. e-mail, social media contact details, address, telephone number, comments made on our websites, Facebook, Twitter or on email)

5.3.2. Correspondence: Records of correspondence where MedEnterprises is contacted, including by phone, email or post. Sometimes, we collect personal information, comments and feedback that individuals choose to give us via our websites. We may use this information to provide services, for marketing purposes, or to contact you for further information or feedback.

5.3.3. Identity: information that allows us to identify you (e.g. name, date of birth, address, occupation, government issued identification, photo identification)

5.3.4. Professional: information that helps us to understand more about your employment history including qualifications, talents, skills and abilities (e.g. references, resume/cv, qualification documents, criminal history, health records)

5.3.5. Financial: information that allows us to provide financial advice or pay you should you be engaged by one or more of our clients (e.g. bank details, tax details, superannuation, insurance, assets and liabilities, expenses, income)

5.3.6. Web Searches: information that allows us to assess your suitability for a position (e.g. background checking via Google, regulatory and immigration sites, electronic identity verification databases and medical registration boards)

5.3.7. Other Individuals: information we request, or that you provide, about an individual other than yourself (previous employer and referees). If you provide us information about another person then you are responsible for making that individual aware that you have disclosed their personal information to us and that we can use that information as set out in this Policy.

5.3.8. Immigration: information that allows us to verify that you are legally permitted to work (e.g. evidence of citizenship, visa or work permit documents).

5.4. If you do not provide information, or the information provided is insufficient or inaccurate, this may limit the scope of services that MedEnterprises can provide to you.

5.5. We collect personal information for the purposes set out in clause 6 (Use of Personal Information).

6. Use of Personal Information

6.1. MedEnterprises will only use your personal information in accordance with applicable privacy laws.

6.2. MedEnterprises collects your personal information for the purposes of:

6.2.1. Verifying your identity;

6.2.2. Assisting you in finding or retaining work;

6.2.3. Assisting in your career performance or management;

6.2.4. Assisting you in accommodation and flights for locum services;

6.2.5. Paying you should you be engaged as an employee or contractor;

6.2.6. Helping in work rehabilitation;

6.2.7. Directly marketing our services to you (you have a right to opt-out from receiving direct marketing). Any opinions you provide to us such as testimonials may be passed on to a third party for the purposes of creating marketing material. We will ask your consent before passing this information on to the third party;

6.2.8. Managing risk;

6.2.9. Protecting and/or enforcing our legal rights and interests, including defending any claim;

6.2.10. Gathering statistical information and complying with statutory requirements;

6.2.11. Conducting research and statistical analysis (on an anonymised basis);

6.2.12. Providing you with MedEnterprises services;

6.2.13. Providing plans for you to reach your financial goals;

6.2.14. Making recommendations regarding your financial situation;

6.2.15. Promoting doctor wellbeing;

6.2.16. Advocating for improved doctor health;

6.3. MedEnterprises may also use personal information for purposes directly related or incidental to the above, and for any other purpose authorised by you or permitted by law.

6.4. MedEnterprises may use personal information for direct marketing purposes as follows:

6.4.1. If you are an Australian and New Zealand citizen, you acknowledge your personal information may be used for the purpose of direct marketing to the extent permitted by applicable law. If you are a European Union citizen, your personal information may be used for the purpose of direct marketing where consent is given to do so.

6.4.2. We market using a variety of methods including email, phone, and SMS. We may use information collected from you from one entity in the MedEnterprises Group to directly market the services of another entity in the MedEnterprises Group.

6.4.3. If you do not wish to have your personal information used for direct marketing purposes, you may contact our Privacy Officer and request not to receive direct marketing communications. Your marketing preferences will be updated on our systems.

7. Information collected on our websites

7.1. Users are advised that there are inherent risks in transmitting information across the internet. The internet is an open system and MedEnterprises cannot guarantee that the personal information you submit will not be intercepted by others. Our websites may have links to external websites operated by other organisations. We cannot guarantee the content or privacy practices of external websites and do not accept responsibility for those websites.

7.2. When you access our websites, our web hosting provider may make a record of the visit and log the following information for statistical purposes:

7.2.1. your IP address;

7.2.2. the date and time of visits to the website;

7.2.3. the number of, and pages viewed;

7.2.4. the referring site (if any) through which you clicked through to this website;

7.2.5. technical information on browser connections.

7.3. This statistical information is anonymous and no attempt is made to identify users or their individual browsing activities. An exception is in the event of an investigation, where a law enforcement agency may exercise a warrant to inspect a web hosting provider’s server logs.

8. Cookies

8.1. We use cookies to monitor usage of our website.

8.2. Cookies enable activities such as retaining registration details, work preferences, logins, usernames and search queries. If you do not wish to retain information about your visit you can delete the cookies in your browser and change the settings in your web browser.

8.3. If you are an EU citizen, we will seek your consent to use cookies to the extent required by applicable law.

9. Disclosure of personal information

9.1. MedEnterprises will only disclose your personal information in accordance with the applicable privacy laws.

9.2. MedEnterprises may disclose your personal information for the purpose it was collected as set out in this Policy, and as otherwise permitted by applicable privacy law. Accordingly, MedEnterprises may disclose your personal information to other parties (located locally and/or overseas), including:

9.2.1. Other MedEnterprises entities;

9.2.2. Prospective employers, and in this regard we may disclose all relevant personal information to prospective employers, including personal information MedEnterprises holds that is historical in nature (such as previous employment engagements, complaints, and disciplinary matters);

9.2.3. Clients who may wish to engage your services;

9.2.4. MedEnterprises suppliers or service providers, including any organisation that supports MedEnterprises’ business, operations, or services, such as hosting or maintaining any IT system we use to provide our services;

9.2.5. Your nominated referees;

9.2.6. Any government authority in accordance with applicable law;

9.2.7. Any law enforcement body, including the police; and

9.2.8. Any educational or vocational organisation to the extent necessary to verify your qualifications.

9.3. We take reasonable steps to ensure that personal information disclosed to third parties is protected in the same way that MedEnterprises protects this information.

9.4. MedEnterprises stores personal information overseas in connection with the operation of our business and provision of our services. MedEnterprises uses cloud service providers, such as AWS, SharePoint and Salesforce. The countries in which your personal information may be stored may include Australia and New Zealand and other countries in Asia-Pacific. MedEnterprises may access and use personal information from overseas countries.

9.5. MedEnterprises may disclose personal information where required to do so by law, court order, subpoena or other legal process, as requested by a governmental or law enforcement authority.

10. Data Quality and Correction

10.1. MedEnterprises takes reasonable steps to ensure that the personal information it collects is accurate, up to date and complete.

10.2. You have the right to request a correction to any of your personal information that MedEnterprises holds, subject to certain grounds for refusal as set out in the relevant privacy laws. In circumstances where your personal information has changed or you find the information to be inaccurate please contact the Privacy Officer for correction. The Privacy Officer will take reasonable steps to update and correct the information in accordance with applicable privacy law. MedEnterprises may also contact you from time to time to check the information is correct.

10.3. If we have disclosed personal information about you that is inaccurate you can ask us to notify third parties to whom we made the disclosure. Reasonable steps will be taken to notify the third party unless it is impracticable or unlawful to do so.

10.4. MedEnterprises will respond to your request for correction within 20 working days. If we do not agree the information should be changed and refuse to correct your personal information you may make a complaint.

11. Access

11.1. You have the right to request access to the personal information held about you by MedEnterprises.

11.2. If you wish to obtain access to your personal information you should contact our Privacy Officer. You will need to verify your identity. We may charge you our reasonable costs of providing you copies of your personal information.

11.3. We may refuse to provide you with access in certain circumstances permitted by applicable law. One important circumstance is where evaluative material is obtained confidentially during reference checks. We may refuse access if it would breach confidentiality or if it would interfere with the privacy of others.

11.4. MedEnterprises will respond to your request for access within 20 working days. If we refuse access to personal information or to give access in the manner requested, you may make a complaint.

11.5. European Union citizens have the right to “data portability”. If this right applies to you: (i) you may receive your personal data in a structured, commonly used and readable format; and (ii) you have the right to transmit that data to another data controller where technically feasible and where it does not infringe on the rights of another individual.

12. Data Security and Storage

12.1. MedEnterprises takes reasonable steps to protect the personal information we hold from loss, unauthorized access and misuse.

12.2. Your information is stored on our database and cloud storage. This database is operated on a server that allows disclosure to cross border recipients only as required for the performance of our services. The database has restricted user access.

12.3. MedEnterprises may provide your personal information to third parties contracted by MedEnterprises in order to perform data storage and data processing services. All reasonable steps will be taken to ensure that the third parties comply with MedEnterprises’ instructions and will not use your personal information for any other purpose.

12.4. We take a range of measures to protect your personal information. These measures include:

12.4.1. Staff training;

12.4.2. Document control for sensitive information;

12.4.3. Confidentiality procedures;

12.4.4. Password protection and encryption;

12.4.5. Office alarm systems and restricted access after-hours; and

12.4.6. Policies on laptop, mobile phone and portable storage device security.

12.5. While MedEnterprises takes reasonable steps to maintain secure internet connections, if you provide us with personal information over the internet, the provision of that information is at your own risk. MedEnterprises makes no warranty (express or implied) in respect of data transferred over the internet. You acknowledge that the security of any personal information collected via the internet is not guaranteed.

13. Retention and Disposal

13.1. Subject to clause 13.2, we retain your personal information for only as long as it is required for the purposes for which it may lawfully be used. In addition, if applicable law requires us to cease holding your personal information when you withdraw consent, we will cease retaining it after you withdraw your consent. You can withdraw your consent at any time by contacting the Privacy Officer.

13.2. If we are unable to dispose of or delete personal information then it will either be encrypted for protection or undergo a de-identification process, to disassociate personal information from other data stored by us.

13.3. You acknowledge that we may have lawful purposes for retaining employee records, immunization records, patient-based issues, or complaints for a period continuing beyond the time during which you are actively engaged as a candidate, client, or employee with or by MedEnterprises.

14. Right of erasure, or to be forgotten

14.1. European Union citizens have the “right to be forgotten”. If you are a European citizen you may request the deletion of any of your personal or sensitive information. We will deal with such requests in accordance with applicable law.

14.2. Be aware that deletion is total and irreversible, meaning we may lose all records of you on our systems. To request deletion of your personal information, contact the Privacy Officer using the email address we hold for you or otherwise proving your identity.

15. Data Breaches

15.1. In the event that personal information has been lost or subject to unauthorised access, misuse, interference, or disclosure, we will take all necessary steps to contain and rectify the data breach, as soon as practicable, and prevent reoccurrence.

15.2. Where the privacy breach is likely to result in serious harm, we will take reasonable steps to notify you and provide you with relevant information in relation to the breach, as required by applicable law. As soon as practicable, and to the extent we reasonably consider we are required or permitted to by applicable law, we will also contact and prepare a statement for the Information Commissioner (AU) or the Privacy Commissioner (NZ) detailing the breach and the steps taken. A review of the incident will be completed, and action taken to reduce the likelihood of future breaches.

15.3. Where you are a European Union citizen and the data breach relates to your personal information, we will notify the applicable supervisory authority within 72 hours and notify you if there is a high risk to your personal rights and freedoms.

16. Changes

16.1. We may change this Policy from time to time. If we change this Policy, we will update the copy of this Policy available on our website. Your continued use of our services, or continued engagement with us, constitutes your acceptance of the changed Policy and that any personal information collected or held by us will be subject to the changed Policy.

17. Privacy Complaints

17.1. You may make a complaint about our handling of your personal information if you believe that we have interfered with your privacy. Complaints should be made to our Privacy Officer in writing.

17.2. When we receive your complaint, we will take steps to confirm the authenticity of the complaint and the contact details of the complainant. Upon confirmation, we:

17.2.1. will write to you to acknowledge receipt and to confirm that we are handling your complaint;

17.2.2. may ask for clarification of certain aspects of the complaint and for further details;

17.2.3. will consider the complaint and may make further enquiries;

17.2.4. will require a reasonable time to respond, particularly where further information, processing, assessment, consultation, or investigation is required;

17.2.5. will suggest possible solutions if the complaint can be resolved through access or correction;

17.2.6. will suggest a solution, on a confidential and without prejudice basis, if we believe that your complaint may be capable of some other solution.

17.3. If the complaint cannot be resolved, you may take your complaint to a recognised external dispute resolution provider such as the Office of the Australian Information Commissioner (Australian citizens), or the New Zealand Privacy Commissioner (New Zealand citizens) or in the case of European Union citizens, with a supervisory authority in the Member State of your habitual residence.

18. Additional European Union and California privacy terms

18.1. To the extent that you are a European Union citizen, the General Data Protection Regulation (EU) 2016/679 (GDPR) will apply to the processing of your personal information and the following provisions will apply:

18.1.1. you remain the controller of the personal information you provide to us for processing. We will process personal data only on documented processing instructions from you, and will not transfer personal data to a third country or other international organization, except where agreed between us;

18.1.2. we will not engage another processor to process personal information you provide to us without your prior consent. You acknowledge the disclosure that we have made to you of the sub-processors that we use in this Policy, and note your consent to the use of those sub-processors. Where we use (with your consent) another processor to process personal information, we have appropriate arrangements in place with that processor to protect the personal information to the same standard that the personal information is protected under these terms and conditions.

18.1.3. you may have an independent auditor audit our compliance with the privacy requirements under this Policy, and we will provide reasonable assistance to such audits, provided that:

18.1.3.1. you clearly identify the nature and purpose of the audit;

18.1.3.2. you conduct no more than one audit in each twelve-month period unless you have specific reason to believe that these privacy requirements are not being complied with;

18.1.3.3. audits may only be conducted during normal business hours in New Zealand, and will be conducted in such a way as to minimize any disruption to our business;

18.1.3.4. your auditor must comply with all reasonable health and safety and/or security measures required by us;

18.1.3.5. you will bear all costs of such an audit; and

18.1.3.6. your auditor will only have access to the data and systems necessary to conduct this audit.

18.1.4. we shall cooperate as reasonably requested by you to enable you to comply with any exercise of rights by a data subject under Chapter III of the GDPR.

18.2. To the extent you are a natural person resident in California, United States of America (a “consumer”), the California Consumer Privacy Act of 2018 (CCPA) will apply to the processing of your personal information and the following provisions will apply:

18.2.1. you remain the controller of the personal information you provide to us for processing. We will process personal information only on documented processing instructions from you (including for the purposes set out in the Policy), and we will not disclose or retain the personal information for any purpose other than for the specific purpose of providing services to you or performing our responsibilities (or exercising our rights) under this Policy, or as permitted by the CCPA.

18.2.2. we will not engage another service provider to process personal information you provide to us without your prior consent. You acknowledge the disclosure that we have made to you of the service providers that we use in this Policy, and note your consent to the use of those service providers. Where we use (with your consent) another service provider to process personal information, we have appropriate arrangements in place with that service provider to protect the personal information to the same standard that the personal information is protected under this Policy.

18.2.3. we shall co-operate as reasonably requested by you to enable you to comply with any request by a consumer for the deletion of that consumer’s personal information, as permitted by the CCPA.