Australia Data Processing Agreement

Privacy Act 1988 and Australian Privacy Principles (APPs) compliant data handling agreement.

Last updated: 18 December 2025 | Version: 1.0

This Data Processing Agreement ("DPA") template is provided for informational purposes. Healthcare organisations entering into a service agreement with PreConsult will receive a customised DPA as part of their onboarding.

To request a customised DPA or discuss specific requirements, contact: legal@preconsult.ai

Note: This template complies with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). While Australian law, unlike the GDPR, does not mandate a formal Data Processing Agreement, this agreement documents the parties' data handling obligations and provides contractual protections. It should be reviewed by your legal counsel before execution.

1. Parties and Background

PARTIES

(1) APP Entity: [Healthcare Organisation Name] ABN [Number] of [Address] ("Organisation")

(2) Service Provider: Slay Pty Ltd (ABN 59 686 642 366) trading as PreConsult, of Melbourne, Victoria ("PreConsult")

(each a "Party" and together the "Parties")

1.1 Background

(A) The Organisation has engaged PreConsult to provide clinical decision support services ("Services") under a separate service agreement ("Principal Agreement").

(B) The provision of the Services involves the handling of personal information, including sensitive information (health information).

(C) The Parties wish to ensure that the handling of personal information complies with the Privacy Act 1988 (Cth) and the Australian Privacy Principles.

(D) This DPA sets out the terms on which PreConsult will handle personal information on behalf of the Organisation.

2. Definitions

In this DPA:

  • "Privacy Act" means the Privacy Act 1988 (Cth) as amended from time to time.
  • "APPs" means the Australian Privacy Principles set out in Schedule 1 to the Privacy Act.
  • "APP Entity" has the meaning given in the Privacy Act and includes organisations and agencies bound by the APPs.
  • "Personal Information" has the meaning given in the Privacy Act, being information or an opinion about an identified individual, or an individual who is reasonably identifiable.
  • "Sensitive Information" has the meaning given in the Privacy Act and includes health information.
  • "Health Information" has the meaning given in the Privacy Act and includes information about the health or disability of an individual.
  • "Notifiable Data Breach" means an eligible data breach as defined in Part IIIC of the Privacy Act.
  • "OAIC" means the Office of the Australian Information Commissioner.
  • "Handle" means collect, hold, use, or disclose personal information.
  • "Overseas Recipient" means a person who receives personal information and is not in Australia or an external Territory, and is not the Organisation or PreConsult.

3. Scope and Purpose

3.1 Scope

This DPA applies to all handling of Personal Information by PreConsult on behalf of the Organisation in connection with the Services.

3.2 Relationship

The Parties acknowledge that:

  • The Organisation is an APP Entity with obligations under the Privacy Act;
  • PreConsult handles Personal Information on behalf of the Organisation;
  • Both Parties share responsibility for ensuring compliance with the APPs;
  • PreConsult shall only handle Personal Information in accordance with this DPA and the Organisation's reasonable instructions.

3.3 Duration

This DPA shall remain in force for the duration of the Principal Agreement and for as long as PreConsult continues to hold Personal Information on behalf of the Organisation.

4. Data Handling Details (Schedule 1)

Subject Matter and Duration

Subject matter: Provision of clinical decision support services including AI-powered pre-consultation interviews, clinical summarisation, and decision support suggestions.

Duration: For the term of the Principal Agreement plus any retention period required by law or agreed by the Parties.

Nature and Purpose

Nature: Collection, storage, organisation, retrieval, use, disclosure, and destruction of Personal Information.

Purpose: To provide pre-consultation health history collection, clinical summarisation, clinical decision support, and related healthcare services.

Types of Personal Information

  • Identifying information: Patient name, date of birth, contact details
  • Health information (sensitive): Symptoms, medical history, medications, allergies, family history
  • Demographic information: Age, gender
  • Communication records: Interview transcripts, chat logs
  • Appointment information
  • Practitioner account information

Categories of Individuals

  • Patients of the Organisation
  • Healthcare practitioners employed by or contracted to the Organisation
  • Administrative staff of the Organisation

5. Service Provider Obligations

5.1 General Obligations

PreConsult shall:

  • Handle Personal Information only in accordance with this DPA and the Organisation's reasonable written instructions;
  • Not handle Personal Information for any purpose other than providing the Services;
  • Not sell, rent, or otherwise commercially exploit Personal Information;
  • Immediately notify the Organisation if it believes an instruction would result in a breach of the Privacy Act.

5.2 Confidentiality

PreConsult shall ensure that persons authorised to handle the Personal Information:

  • Are bound by confidentiality obligations;
  • Handle the Personal Information only as necessary to provide the Services;
  • Receive appropriate training on privacy obligations.

5.3 Records

PreConsult shall maintain records of:

  • Types of Personal Information handled;
  • Purposes for which Personal Information is handled;
  • Any disclosures to third parties;
  • Security measures implemented.

6. Australian Privacy Principles Compliance

PreConsult shall assist the Organisation in complying with the APPs, including:

APP 1 - Open and Transparent Management

PreConsult maintains a comprehensive Privacy Policy describing its handling of Personal Information, available at preconsult.ai/privacy.

APP 3 - Collection of Solicited Information

PreConsult collects Personal Information only as necessary for the Services and as instructed by the Organisation. For Health Information, collection is limited to what is necessary for providing healthcare services.

APP 5 - Notification of Collection

PreConsult provides clear privacy notices to individuals at the point of collection, including the purposes of collection and how to access the Organisation's privacy policy.

APP 6 - Use and Disclosure

PreConsult uses and discloses Personal Information only for the primary purpose for which it was collected (providing Services) or a directly related secondary purpose that the individual would reasonably expect.

APP 7 - Direct Marketing

PreConsult does not use Personal Information for direct marketing purposes unless separately consented to by the individual.

APP 10 - Quality of Personal Information

PreConsult takes reasonable steps to ensure Personal Information collected, used, or disclosed is accurate, up-to-date, complete, and relevant.

APP 11 - Security of Personal Information

PreConsult takes reasonable steps to protect Personal Information from misuse, interference, loss, unauthorised access, modification, or disclosure. See Section 7 for detailed security measures.

7. Security Measures (Schedule 2)

PreConsult shall implement and maintain reasonable technical and organisational measures to protect Personal Information, as required by APP 11:

7.1 Technical Measures

  • Encryption of Personal Information in transit (TLS 1.3) and at rest (AES-256)
  • Role-based access controls with principle of least privilege
  • Multi-factor authentication for practitioner accounts
  • Firewalls, intrusion detection, and DDoS protection
  • Regular security testing and vulnerability assessments
  • Encrypted backups with tested recovery procedures
  • Data residency in Australia (Sydney region) for Australian customers

7.2 Organisational Measures

  • Information security policies and procedures
  • Staff training on privacy and security obligations
  • Access limited to personnel with legitimate need
  • Regular access reviews
  • Incident response procedures
  • Business continuity planning

7.3 Destruction and De-identification

When Personal Information is no longer needed for any purpose, PreConsult shall take reasonable steps to destroy or de-identify the information, unless retention is required by law.

8. Sub-Contractors

8.1 General Authorisation

The Organisation provides general authorisation for PreConsult to engage sub-contractors to assist in providing the Services, subject to the requirements below.

8.2 Sub-Contractor Requirements

PreConsult shall:

  • Maintain a list of sub-contractors available to the Organisation upon request;
  • Enter into written agreements with sub-contractors imposing privacy and security obligations equivalent to this DPA;
  • Ensure sub-contractors comply with the APPs to the extent applicable;
  • Remain responsible to the Organisation for the acts and omissions of sub-contractors.

8.3 Changes to Sub-Contractors

PreConsult shall:

  • Notify the Organisation of any intended addition or replacement of sub-contractors handling Personal Information;
  • Provide at least 30 days' notice before engaging new sub-contractors;
  • Consider in good faith any objections raised by the Organisation.

8.4 Current Sub-Contractors

The current list of approved sub-contractors (available upon request) includes:

  • Cloud infrastructure providers
  • AI language model providers
  • SMS delivery services
  • Email delivery services

9. Overseas Disclosure (APP 8)

9.1 Data Residency

Primary Personal Information for Australian customers shall be stored in Australia (Sydney region) unless otherwise agreed in the Principal Agreement.

9.2 APP 8 Compliance

Before disclosing Personal Information to an Overseas Recipient, PreConsult shall take reasonable steps to ensure that the Overseas Recipient does not breach the APPs, by:

  • Entering into contractual arrangements requiring APP-equivalent protections;
  • Conducting due diligence on the recipient's privacy practices;
  • Implementing technical safeguards such as encryption.

9.3 Countries

Personal Information may be disclosed to recipients in the following countries:

  • United States: AI language model providers, some cloud services
  • Ireland: EU data centres for international customers
  • United Kingdom: UK data centres for UK customers

9.4 Accountability

PreConsult acknowledges that under APP 8.1, it may be accountable for any acts or practices of Overseas Recipients that would breach the APPs. PreConsult takes reasonable steps to ensure Overseas Recipients handle Personal Information consistently with the APPs.

10. Access and Correction (APP 12 & 13)

10.1 Access Requests

PreConsult shall assist the Organisation in responding to requests from individuals to access their Personal Information under APP 12, including:

  • Providing access to Personal Information held within a reasonable timeframe;
  • Providing information in the manner requested by the individual where reasonable and practicable.

10.2 Correction Requests

PreConsult shall assist the Organisation in responding to requests from individuals to correct their Personal Information under APP 13, including:

  • Correcting inaccurate, out-of-date, incomplete, irrelevant, or misleading information;
  • Providing a statement of correction if the Organisation does not agree to correct the information.

10.3 Notification

PreConsult shall notify the Organisation promptly (within 5 business days) upon receiving any access or correction request directly from an individual.

11. Notifiable Data Breaches

11.1 Notification Obligations

Upon becoming aware of a data breach (or suspected breach) that is likely to be an "eligible data breach" under Part IIIC of the Privacy Act, PreConsult shall:

  • Notify the Organisation as soon as practicable (and in any event within 24 hours);
  • Provide all reasonably available information about the breach;
  • Cooperate with the Organisation's assessment and response;
  • Assist the Organisation in meeting its notification obligations to the OAIC and affected individuals.

11.2 Information to Provide

The notification shall include:

  • Description of the nature of the breach;
  • Types of Personal Information involved;
  • Number of individuals affected (known or estimated);
  • Likely consequences of the breach;
  • Steps taken to contain and remediate the breach;
  • Recommendations for the Organisation's response.

11.3 Assessment

PreConsult shall assist the Organisation in assessing whether there are reasonable grounds to believe an eligible data breach has occurred, including assessment of the likelihood of serious harm to affected individuals.

12. Health Records

12.1 State and Territory Health Records Acts

Where the Organisation is subject to state or territory health records legislation (such as the Health Records Act 2001 (Vic) or Health Records and Information Privacy Act 2002 (NSW)), PreConsult shall handle Health Information consistently with those requirements.

12.2 My Health Records Act

PreConsult does not access or integrate with the My Health Record system. Any integration would require separate agreement and compliance with the My Health Records Act 2012 (Cth).

12.3 Clinical Records Retention

PreConsult acknowledges that medical records may be subject to minimum retention periods under applicable state/territory health legislation. The Organisation is responsible for advising PreConsult of any specific retention requirements.

13. Audit Rights

13.1 Audit Access

PreConsult shall make available to the Organisation all information reasonably necessary to demonstrate compliance with this DPA and the Privacy Act.

13.2 Audit Conduct

The Organisation (or its appointed auditor) may conduct audits, subject to:

  • Reasonable advance notice (at least 30 days);
  • Audits during normal business hours;
  • Confidentiality obligations regarding PreConsult's information;
  • No more than one audit per 12-month period (except where required by a regulator).

13.3 Alternative Evidence

PreConsult may satisfy audit requirements by providing:

  • Third-party audit reports or certifications;
  • Completed security questionnaires;
  • Documentation of privacy and security practices.

14. Termination and Data Return

14.1 Upon Termination

Upon termination of the Principal Agreement, PreConsult shall, at the Organisation's choice:

  • Return all Personal Information to the Organisation in a commonly used format; or
  • Destroy or de-identify all Personal Information and certify such destruction/de-identification.

The Organisation shall communicate its choice within 30 days of termination. If no choice is made, PreConsult shall destroy or de-identify the Personal Information.

14.2 Retention Exceptions

PreConsult may retain Personal Information where required by Australian law, provided:

  • The Organisation is notified of the legal requirement;
  • Handling is limited to the extent required by law;
  • Appropriate security measures continue to apply.

15. Liability

15.1 Liability Cap

Liability under this DPA shall be subject to the limitations set out in the Principal Agreement.

15.2 Indemnification

Each Party shall indemnify the other against losses arising from breaches of this DPA or the Privacy Act attributable to the indemnifying Party, including:

  • Penalties imposed by the OAIC;
  • Compensation ordered under section 52 of the Privacy Act;
  • Costs of responding to regulatory investigations;
  • Costs of notifying affected individuals of data breaches.

15.3 Australian Consumer Law

Nothing in this DPA excludes, restricts, or modifies any rights or remedies the Organisation may have under the Australian Consumer Law (Schedule 2 of the Competition and Consumer Act 2010 (Cth)).

Execution

This DPA is governed by the laws of the State of Victoria, Australia.

SIGNED for and on behalf of [Organisation Name]
SIGNED for and on behalf of Slay Pty Ltd (trading as PreConsult)

Request a Customised DPA

This template is provided for reference. To receive a customised Data Processing Agreement for your organisation, contact legal@preconsult.ai.