People Diagnostix Pty Limited (People Diagnostix) is a privately held entity which provides cloud-based software solutions for workplaces, universities and schools wanting to understand and promote positive mental health. People Diagnostix uses a positive psychology approach to assess the degree to which individuals have developed the ‘pillars’ of good mental health to stay well and optimise quality of life at university, work and beyond. People Diagnostix software and related products include an expansive resource library for self-development and organisational interventions. Based in Western Australia, People Diagnostix provides services and solutions internationally.
Under the Australian Privacy Act (Cth) 1988 (Privacy Act), ‘health service’ includes any activity that involves assessing, maintaining, improving or managing a person’s physical or psychological health. As such, People Diagnostix (We, Us, Our) is subject to the Privacy Act, and because People Diagnostix provides services and solutions internationally, We must also comply with privacy-related laws in other countries.
2. Privacy, Personal Information, Personal Data and Employee Records
People Diagnostix processes identifying PI and also special categories of PI involving physical or mental health and other conditions (Sensitive PI).
We make no distinction between employee records and other sources of PI. Neither do we discriminate between different formats of PI (electronic records, paper records, voice files etc.), nor whether the information or opinions are true or not. All PI that We process and hold (where We have possession or control of a record), or use and disclose (where the information is outside of Our possession or control) is treated with the same respect, security and high standards.
The purpose of this Policy is to inform You about the personal information that We ‘process’ (hold, collect, record, organise, structure, store, adapt, alter, retrieve, consult, use, disclose, transmit, disseminate or make available, align, combine, restrict, erase, destroy and profile) about You, how We handle it, and inform You about Your choices.
4. Scope and Applicability
The scope of this Policy extends to all personal information that We process in the course of providing the People Diagnostix Services, in complying with law and managing risk.
In providing the service, this Policy extends to Our business activities which include our client relationships, internal operations (management, employees, temporary staff, contractors) and external operations (third parties such as business partners and service providers).
The scope of this Policy extends to our external client-facing activities such as Our online presence at www.peoplediagnostix.com.au, www.flourishdx.com, www.flourishingatschool.com, and www.mentalhealthaudit.com, and to the personal information that is collected through Our Websites and the use of email for general communications and marketing purposes.
This Policy is written in simple language so that it is easy to understand. If something is not clear, We invite You to contact Us so that We can provide assistance. Our contact details are provided in section 14 below. They will also be provided every time that We make contact with an individual.
This Policy outlines the current personal information handling practices of People Diagnostix. We will update this Policy when Our information handling practices change and We will publish updates on Our Website and through Our email distribution lists.
In all cases where consent is required, whether it be express consent (verbal, in writing, click-wrap tick box) or implied consent (browse-wrap without a tick-box and other behaviour which indicates consent through continued use), it must be voluntary, current, specific and based upon adequate information about the circumstances and choices available to You as an individual. Naturally, You must have the capacity to understand, give (for example, be 16 years or older) and communicate consent. Individuals who are not sure about giving consent are encouraged to contact Us. See section 14 for contact details.
7. Privacy Principles Governing the Handling of Personal Information
People Diagnostix is committed to making every reasonable effort to manage personal information in an open and transparent way.
7.1 Open and Transparent Management of Personal Information
To support this commitment, We have implemented practices, procedures and systems to align Our handling of personal information with principles that have been derived from Australian privacy law, relevant international law, international standards and best practice.
These practices, procedures and systems are intended to regulate Our internal and external business operations through the use of administrative, technical and physical controls. The legal notices published on Our Website are examples of Our administrative controls. Technical and physical controls are generally not made publicly available for security reasons (security through obscurity).
7.2 Anonymity and Pseudonymity
As an individual, You can choose to remain anonymous (You cannot be identified and We do not collect personal information), or You can choose to use a pseudonym (You can use a name, term or description that is different from Your own) when dealing with Us.
Circumstances where We give individuals the option to remain anonymous or to use a pseudonym include, for example, where individuals prefer not to be identified, to be left alone, to avoid direct marketing, to keep their whereabouts and choices from others, and to express views in the public arena without being identified.
Examples of circumstances where We will need to know the identity of the person that We are dealing with relate to the provision of the People Diagnostix services, where identification is required or authorised by law, where a refund is requested, for dispute resolution, where access to information is requested for correction, and where cost becomes excessive or impractical without knowing the identity of the individual We are dealing with.
7.3 Collection of Solicited Personal information
We are committed to collecting personal information by lawful and fair means and wherever possible only collecting it directly from the individual concerned.
We collect personal information from individuals where the information is reasonably necessary for one or more of the People Diagnostix functions, activities and legal obligations relating to the services that We provide.
In providing People Diagnostix services to individuals We collect Sensitive PI. This Sensitive PI is provided by the individual themselves, or by an organisation, partner or other stakeholder such as a school. Where We collect Sensitive PI, We always ask for prior consent in writing, where writing includes electronic forms of writing such as email.
Broadly, we collect and process PI and Sensitive PI such as name, age, email address, sex, and language details, for example English as an additional language or dialect.
The Sensitive PI we collect and process is in relation to mental health, including the experience of recent positive and negative emotions, knowledge of strengths, measures of balance and absorption derived from tasks recently undertaken, positive relationship experience, purpose, community, goal-setting, self-efficacy, and feeling accomplished. In relation to physical health, we collect information on nutrition, exercise and sleep.
In relation to employees, We collect and process information on job roles, years of experience, years of service, and where the experience has been gained. Other similar demographic information may be collected from time to time.
We may also collect information based on employees’ perception of psychosocial risk. This includes (but is not limited to) job demands, control, support, role variables, work relationships, levels of recognition and rewards, management of change, and perceived justice.
Information collected and processed can vary depending upon the country where the services are offered. For example, in Australia, we may include standard questions for indigenous status, for example Aboriginal or Torres Strait Islander origin (ATSI status).
For internal human resourcing, We also collect sensitive personal information, such as religious beliefs, trade union memberships and health information when it is required for employment reasons, or by law. We may solicit or request personal information from a third party such as an employment agency or referees in the context of employment.
In most instances, even for non-sensitive PI where We collect personal information, We only do so after a direct request to, and with the consent of the individual to whom the information relates.
In exceptional circumstances, for human resourcing, or when authorised or required by law, We may collect personal information from a source other than the individual themselves.
Where We provide People Diagnostix services to an organisation, such as a workplace, We do solicit personal information from the organisation about an individual, but We still require the consent of each individual before their personal information is shared with Us. Our service agreement with organisational clients requires that Your consent is provided to the organisation and then to Us.
7.4 Dealing with Unsolicited Personal information
Personal information is sometimes provided to Us in circumstances where We have not requested it. In these circumstances, where the information is unsolicited, We will examine whether it could have been collected in the circumstances described in section 7.3 above. We will then apply Our minds and decide whether this unsolicited information should be retained, de-identified or destroyed. Having made that decision, We will implement the decision within a reasonable time.
We do not actively seek to collect unsolicited information.
7.5 Notification of the Collection of Personal Information
This Policy, other legal notices published on Our website and Our internal practices, procedures and systems (administrative controls) are Our way to ensure that individuals know about the personal information that People Diagnostix collects.
We are committed to making all reasonable efforts to inform individuals about the personal information We collect before We collect it, for example by making this Policy and Our other Legal Notices publicly available. We will also inform individuals about collection at the time We collect personal information, for example when schools engage Us to provide People Diagnostix services, through website activity and other forms of communication such as email.
In exceptional circumstances where this does not happen, for example, when We receive unsolicited personal information from a third party which We decide to retain, We will inform individuals as soon as reasonably possible after the collection of personal information.
Through this Policy and other legal notices published on Our Website, We seek to ensure that individuals are informed about the reasons for the collection, and that they know how to contact the accountable office bearers at People Diagnostix. See section 14 below for details.
7.6 Use or Disclosure of Personal Information
Where We hold personal information about an individual that was collected for a particular purpose (the primary purpose) We will not use or disclose the information for another purpose (a secondary purpose) unless required or authorised by law, the individual has consented, or the individual would reasonably expect Us to use or disclose it for a related purpose. An example of a related purpose in these circumstances might be disclosure to a next-of-kin or health care provider in the case of an employee.
In some circumstances, for example where We believe that the People Diagnostix service may be improved through new technologies such as data science (analytics), or where We see a benefit to individuals, We may use personal information that has been provided to Us by the individual themselves or received from third parties for a purpose that is different from the purpose for which it was given to Us in the first place. Where We do this, We will use and/or disclose the personal information in a de-identified format.
Broadly speaking, We use (process, handle and manage) personal information internally for two reasons:
- To provide People Diagnostix services:
  - Examples include: name, address (physical, postal, email and Internet Protocol address), telephone numbers and cookies; and
- For internal human resourcing:
  - Examples include: name, address (physical, postal, email and Internet Protocol address), health information, medical service provider and counselor details, next-of-kin, spouse or partner, banking details, tax, photo identity, trade union membership, religious beliefs, gender, cultural and ethnic identity, qualifications, training and the like.
We do not collect biometric forms of personal information such as fingerprints.
We also use and retain personal information records which are required to be retained for legal, business and evidential reasons. Sometimes these come from external sources and third parties.
Broadly speaking, We disclose personal information (release it outside of Our possession or control) for the same primary reasons listed above: providing the service, human resourcing, and where there is a legal obligation to do so.
7.7 Direct Marketing
When We provide a service to individuals and to organisations, We ask for consent to communicate directly with the individuals concerned in order to provide information and to promote Our service.
Whenever We do, We allow individuals to opt-out of receiving direct communications and direct marketing notifications. When individuals request Us to stop communicating with them, We will comply with that request.
If an individual requests information about how We came to have their personal information, We will respond, and provide the source of an individual’s personal information wherever possible. We will respond to these requests within a reasonable time (thirty (30) business days).
We do not disclose, sell or share personal information to third parties for direct marketing purposes.
7.8 Cross-border Disclosure of Personal Information
People Diagnostix operates from offices in Western Australia. These operations include all aspects of internal operations that support the service that We provide as well as the provision of ‘live’ services (where personal information travels over telecommunications lines) and the storage of static personal information in data warehouses and on information systems.
People Diagnostix clients are located in Australia, the European Union (EU), the United States of America (USA), Canada, and the United Kingdom (UK). Over time We will extend the services to other jurisdictions, with the result that personal information flows (is exported and imported) between these countries.
People Diagnostix relies on various third party service providers such as telecommunications providers, and Internet Service Providers. These are based in Australia, the EU, UK and USA.
Because information systems enable Our technology-based services, personal information may be located or disclosed in transit and in a static format in countries outside Australia, in the countries mentioned above, or elsewhere. Wherever reasonably possible, We meet international best practice standards and employ recognised mechanisms such as contractual clauses and other agreements.
We employ ‘Cloud’ technology services, and these too meet international best practice standards and employ recognised mechanisms such as contractual clauses. However, individuals are cautioned to consider how their personal information moves and is stored on global information systems and to make appropriate choices.
Our operations include all aspects of internal and external business that support Our services, such as the provision of ‘live’ services (where personal information travels over telecommunications lines) and the storage of static personal information in data warehouses and on information systems.
7.9 Adoption, Use or Disclosure of Government Identifiers
We do not adopt, use or disclose government identifiers of an individual as Our own identifiers.
We do use and disclose government identifiers such as Australian Tax File Numbers, for example, for human resource purposes and where required or authorised by law.
7.10 Quality of Personal Information
We are committed to taking such steps as are reasonable in the circumstances to ensure that the personal information We collect, hold, use and disclose (process) is, having regard to the purpose of the use or disclosure, accurate, up-to-date, complete and relevant.
To do this, We ask individuals to assist Us. We provide various technical means, including email notifications and user registration access where individuals can access, verify and update personal information records that We hold. We ask individuals to participate by ensuring their information is accurate, up-to-date, complete and relevant. Individuals are also encouraged to use the access and correction facilities that We provide. See sections 7.12 and 7.13 below.
7.11 Security of Personal Information
We are committed to taking reasonable steps to protect personal information that We hold from misuse (wrong or improper use), interference (access even where the content is not necessarily modified) and loss (accidental, inadvertent or misplaced personal information).
We are also committed to securing personal information from unauthorised access (by someone who is not permitted to access the information), unauthorised modification (alteration by someone who is not permitted to do so, or who acts beyond the scope of their authority to modify personal information) and unauthorised disclosure (where personal information is released from Our effective control without authority).
To comply with law and manage risk, Our practices, procedures and systems aim to protect the confidentiality, integrity and availability of Our information systems and information, especially the personal information that We collect, hold, use and disclose.
Where there is no legal obligation to retain records and evidence, and in circumstances where We no longer need personal information to provide People Diagnostix services or for any purpose for which the information may be used or disclosed under Australian law, We take reasonable steps to destroy the information or to ensure that the information is de-identified.
Our information security and privacy practices include circumstances where Our data handling practices are outsourced to third parties. Because of this We endeavour wherever possible to bind third party service providers through appropriate legal agreements. We also endeavour to monitor their privacy and security practices where possible.
7.12 Access to Personal Information
Where We hold, or have the right and power to deal with personal information (for example, where it is stored by one of Our third party service providers), We will, on request by an individual, normally give that individual access to their information.
We do this so that individuals know what information We hold on them and because it assists Us to ensure that the personal information that We hold is up-to-date, complete and relevant.
In considering a request for access to personal information by an individual, We will require identification. We reserve the right to withhold access by an individual to their personal information in certain circumstances, for example where provided for in law, in instances of commercial sensitivity, and where a third party may be negatively affected.
We will respond to an individual’s request for access to their information within a reasonable time (thirty (30) business days), and We will consider reasonable requests for access to be given in a particular format, for example, through user registration login, by facsimile, email and postal services. As a matter of courtesy, We will provide reasons for the refusal if access is refused.
No charge will apply when an access to information request is received. We do however reserve Our rights to charge a fee where We incur costs, for example, for photocopying, postage and costs associated with using an intermediary if one is required.
7.13 Correction of Personal Information
Where We hold personal information, We will take reasonable steps to correct it to ensure that, having regard to the purpose for which We hold it, it is accurate, up-to-date, complete, relevant and not misleading.
You, as an individual may request that We correct personal information that We hold about You in circumstances where You believe that the information is inaccurate, out of date, incomplete, irrelevant or misleading.
In considering a request for the correction of personal information that We hold, We will require identification of the requesting individual. We reserve the right not to make the changes sought, but undertake to consider reasonable requests and, if We consider refusal the appropriate action, to attach a statement to the record noting the request for correction and Our refusal.
We will respond to a request to change information within a reasonable time (sixty (60) business days) although changes sought may take longer, for example, because We may need to contact and notify other organisations and individuals about the request.
No charge applies for making a request, correcting personal information or associating a statement for refusal to change a record.
As a matter of courtesy, We will provide reasons for the refusal if correction is refused, and also a reminder of the complaint process available to individuals that feel aggrieved by the refusal.
8. Complaints, Enquiries and Access to Information Requests
In most circumstances, the Australian Information Commissioner will not investigate a complaint if an individual has not first raised the matter with Us. For this reason, We ask individuals to agree to submit all complaints relating to this Policy to Us first, so that We have an opportunity to resolve complaints before they proceed to any relevant authority. Individuals are asked to direct all complaints and enquiries to Us at [email protected] and to see sections 9 and 12 below for further details.
9. How to make a Complaint, Enquiries and Access to Information Requests
Individuals wanting to lodge a complaint can make general enquiries, request access to their information and complain to Us in writing. This includes email communications, but excludes text and social media.
We will respond to complaints within a reasonable time (thirty (30) business days). As in the case of requests to change information, a longer response time may be needed, for example, because We may need to contact and notify other organisations and individuals affected by the complaint. In this case We will endeavour to respond within sixty (60) business days.
10. Skill, Diligence, Care
People Diagnostix will exercise reasonable skill, diligence and care as may reasonably be expected from a similar service provider.
If, and when, People Diagnostix suspects, or becomes aware of a breach of its network or information systems resulting in unauthorised access to, or unauthorised disclosure of personal information likely to result in serious harm to any individuals to whom the information relates; or where information is lost in circumstances that may lead to unauthorised access to, or unauthorised disclosure of personal information, People Diagnostix will:
- Take remedial action;
- Where remedial action fails to adequately limit the risk, notify the individuals concerned, and notify the Office of the Australian Information Commissioner (Commissioner); and
- Work with the individuals concerned and the Commissioner to protect everyone and everything concerned.
If You suspect or become aware of a breach or an impending breach, please contact Us as a matter of urgency at [email protected].
12. Complaints and Enquiries
You agree to submit all complaints relating to this Policy to Us first, so that We have an opportunity to resolve Your complaint before You proceed to any relevant authority. Please direct all complaints and enquiries to Us at [email protected].
13. Eligible Data Breach
Under the Notifiable Data Breaches (NDB) Scheme, People Diagnostix must notify the Australian Privacy Commissioner and affected individuals of an Eligible Data Breach in relation to PI, credit reporting information, credit eligibility information or tax file number information if, and when:
- There is unauthorised access or unauthorised disclosure of the information and a reasonable person would conclude that this is likely to result in serious harm to any individual to whom the information relates; or
- The information is lost, and the loss will lead to unauthorised access or unauthorised disclosure and consequently to serious harm to individuals.
13.1 Actual Eligible Data Breach
If, and when, People Diagnostix becomes aware of a breach of its network or information systems resulting in the circumstances outlined in 13a and 13b above, People Diagnostix will:
- Take remedial action;
- Where remedial action fails to adequately limit the risk of serious harm, notify the individuals concerned, and notify the Office of the Australian Information Commissioner (Commissioner); and
- Work with the individuals concerned, the Commissioner and law enforcement or other parties to protect everyone and everything concerned.
13.2 Suspected Eligible Data Breach
If, and when, People Diagnostix suspects a breach of its network or information systems resulting in the circumstances outlined in 13a and 13b above, People Diagnostix will:
- Undertake an assessment of the situation with a view to establishing the facts, and do so within a reasonable time (thirty (30) business days); and
- When a suspected breach is found to be an actual breach, People Diagnostix will follow the steps in 13.1 above.
If any person suspects or becomes aware of a breach or an impending breach, please contact Us as a matter of urgency at [email protected].
14. Governing Law
15. Skill, Diligence, Care
People Diagnostix will exercise reasonable skill, diligence and care as may reasonably be expected from a similar service provider.
16. Company Information
| Item | Details |
|---|---|
| Name | People Diagnostix Pty Ltd |
| Physical address and the address for receipt of legal service of documents | Enterprise Unit 3, Suite 4, 9 De Laeter Way, Technology Park, Bentley, Western Australia, 6102 |
| Postal address | PO Box 63, Rockingham, Western Australia, 6968 |
| Phone numbers | +61 (0) 1300 739 426 |
| Email address | [email protected] |
| ABN | 37 261 871 814 |
| Directors | J van Schie, C van der Veen |