The Australian Privacy Principles (APP) guidelines outline the mandatory requirements of the APP that apply to organisations like ours.


There are 13 Australian APPs and they govern standards, rights and obligations around:

  • the collection, use and disclosure of personal information
  • an organisation's governance and accountability
  • integrity and correction of personal information
  • the rights of individuals to access their personal information

Overview

You can read an overview from the Office of the Australian Information Commissioners website. The 13 APP are:

APP 1: Open and transparent management of personal information

APP 2: Anonymity and pseudonymity

APP 3: Collection of solicited personal information

APP 4: Dealing with unsolicited personal information

APP 5: Notification of the collection of personal information

APP 6: Use or disclosure of personal information

APP 7: Direct marketing

APP 8: Cross-border disclosure of personal information

APP 9: Adoption, use, or disclosure of government related identifiers

APP 10: Quality of personal information

APP 11: Security of personal information

APP 12: Access to personal information

APP 13: Correction of personal information

APP 1: Open and transparent management of personal information

Ensures that APP entities manage personal information in an open and transparent way. This includes having a clearly expressed and up to date APP privacy policy.

  • We are transparent about the personal information we collect from you, directly and indirectly, including cookies and similar technologies we use which can be found in our Privacy Policy. You can request to view our Privacy Policy in another format, such as a PDF or Word document, by contacting us via email or live chat.
  • You can add a privacy policy link to your online bookings page, and require their acceptance in order to complete their booking.
  • You can record your client's consent to your privacy policy and keep track of responses.

APP 2: Anonymity and pseudonymity

Requires APP entities to give individuals the option of not identifying themselves, or of using a pseudonym. Limited exceptions apply.

  • You can choose to use Splose anonymously or under a pseudonym. However, it is important to consider that doing this would limit our ability to verify you.
  • We've built several features to help your clients remain anonymous including, anonymising client names in the browser title, anonymising client names in appointments on your calendar, anonymising client names in appointments synced to Google Calendar and anonymising a client's personal details on deletion.
  • You can select how client names are displayed in the title of the browser tab for you and other members in your workspace who view client pages. Page titles are stored in your browser history and you have the option to select full name, first name, initials or anonymous. If you use a shared computer, someone viewing your browser history will be able to see previous client pages you accessed including page titles with client names. Having this option allows your clients to remain anonymous in your browser history.
  • If you are using the Google Calendar, you can also choose how client names are displayed in appointments synced to Google Calendar, with the options for full name, first name, initials and anonymous.
  • You also have the option to anonymise deleted client records at any time. If this setting is enabled, then client details displayed on appointments, invoices, payments, expense claims and all associated notifications will be anonymised.

APP 3: Collection of solicited personal information

Outlines when an APP entity can collect personal information that is solicited. It applies higher standards to the collection of sensitive information.

  • We collect personal information about you that is reasonably necessary for us. this can include information such as your name, email, business, location, browser, etc. We use this information to provide customer support, respond to queries, personalise your experience, to generate aggregate anonymous website data, monitor traffic and serve relevant ads to you.
  • We collect personal information when we receive an employment application sent in response to either a job advertisement published by us.
  • We use cookies and similar tracking technologies such as local storage and pixels, as well as store transaction data about your subscription, which helps us manage your plan, renewal date, provide credit etc.
  • We store sensitive information, such as a client's health records. We keep all of your data securely in Australia.

APP 4: Dealing with unsolicited personal information

Outlines how APP entities must deal with unsolicited personal information.

  • All data you input in Splose for the purposes of storing is unsolicited Personal Information that we collect which can include government identifiers from clients and members.
  • Our commitment to keeping such sensitive data secure this ensuring data remains encrypted in transit and at rest. All of your data is stored on our secure servers, and we only ever access it if you explicitly tell us to do us.
  • We do use cookies and similar technologies to collect information about you, but this type of information is anonymised until you accept our terms and privacy and become a customer. Our cookie policy outlines this type of information that we collect.
  • If we receive unsolicited personal information, it will be destroyed or de-identified

APP 5: Notification of the collection of personal information

Outlines when and in what circumstances an APP entity that collects personal information must tell an individual about certain matters.

  • We use your personal information and available contact details to notify you about updates to our Terms of Service, Privacy Policy, Cookies Policy and any changes we make to the collection of your personal information.
  • We display a persistent cookies consent message on our website which allows you to see cookies and similar technology that we use and third-party cookies we use with the option to accept the usage of cookies and learn more information.

APP 6: Use or disclosure of personal information

Outlines the circumstances in which an APP entity may use or disclose personal information that it holds.

  • We can only use or disclose personal information for a purpose for which it was collected (known as the ‘primary purpose’), or for a secondary purpose (such as required by law).
  • We implement a variety of security measures to protect your Personal Information from misuse, interference and loss, as well as prevent unauthorised access, modification or disclosure. These measures include internal practices, data encryption, corporate governance, procedures and systems, information and communications technology security, access security, carefully choosing third-party providers, procedures for the destruction and de-identification of information when subscriptions are cancelled or we are requested to delete or required to do so by law, physical security to our office.

APP 7: Direct marketing

An organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met.

  • We use your personal information, such as your name, email and location where you would reasonably expect us to, such as, to send you product updates, new blog posts, events you might be interested in and news about our company.
  • Upon request, we will provide the source of your personal information, if it was not directly provided by you unless this is unreasonable or impracticable to do so.
  • You have a right to withdraw your consent from direct marketing and you can do so any time by unsubscribing from emails using the unsubscribe link.
  • If you have clients who do not want to receive marketing messages from you, you can unsubscribe them from emails and SMS by updating a client's communication preferences.

APP 8: Cross-border disclosure of personal information

Outlines the steps an APP entity must take to protect personal information before it is disclosed overseas.

  • In order for our Service to run, we work with third-party providers. We carefully select our third-party providers and only choose to use providers that meet stringent privacy and security standards. We use certain third-party providers to process personal information (Subprocessors) which you can access at all times.
  • We take reasonable steps to ensure that the third-party provider does not breach the APPs in relation to that information we share, in particular, we minimise the amount of personal information we share and only share the necessary information needed to utilise the service they provide.
  • Where possible, we engage third-parties to 'use' your personal information, rather than disclose it. For example, the third-party provider undertakes an activity with your personal information, such as our SMS provider, to send messages to your clients, however, the personal information remains in our effective control.

APP 9: Adoption, use, or disclosure of government related identifiers

Outlines the limited circumstances when an organisation may adopt a government related identifier of an individual as its own identifier, or use or disclose a government related identifier of an individual.

  • Customers and users can store government identifiers, including Medicare numbers, Department of Veteran's numbers and NDIS numbers, within Splose, however, we have limited access.
  • If ever we receive unsolicited government identifiers from you or customer data, it will be permanently deleted.

APP 10: Quality of personal information

An APP entity must take reasonable steps to ensure the personal information it collects is accurate, up to date and complete. An entity must also take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure.

  • Users with the account roles Practice manager and practitioner admin can view all personal information and data in their account, including customer data that other users have added. Users are responsible for how they handle data inside their account, and any request to update incomplete or inaccurate data should be directed to these users.
  • We can also make changes for you, but we’ll first need a written request from the account owner.

APP 11: Security of personal information

An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An entity has obligations to destroy or de-identify personal information in certain circumstances.

  • We take security seriously, as we mentioned above. We also have a dedicated Security page.
    There are certain tools we’ve built to help you protect your account, like account roles, two-factor authentication, SMS verification for online bookings,
  • We also deploy company processes, so we can take the necessary, proactive approach to keep your personal information secure.
  • If you cancel your Splose subscription, we retain your data for at least 60 days before Permanently deleting it or anonymising it.
  • We build features with security at the forefront. For example, online forms and online invoices are sent to clients using an unguessable, uniquely generated link. Client files you upload and store are retained for 30 days, even after deletion, and files accessed or downloaded trigger an audit log.
  • Where possible, we include our changelog feature to parts of Splose that involve users adding or modifying customer data. This enables users in a business to track which users have modified customer data.

APP 12: Access to personal information

Outlines an APP entity’s obligations when an individual requests to be given access to personal information held about them by the entity. This includes a requirement to provide access unless a specific exception applies.

  • You gave a right to request access to the personal information we hold about you, whether that information is true or not. In order to provide such information, we must be satisfied that a request for personal information is made by the individual concerned, or by another person who is authorised to make a request on their behalf, for example, as a legal guardian or authorised agent. If we give access to the personal information of another person, this could constitute a disclosure, which may not comply with APP 6.
  • It would generally be impracticable for us to deal with an anonymous request for personal information. However, it may be practicable to deal with a pseudonymous request, for example, where the individual has previously transacted under that pseudonym, can establish their identity as that individual and the request for access relates to information about that pseudonymous identity.
  • We take appropriate steps to verify an individual’s identity. In particular, if you are already known to or readily identifiable by us, the sensitivity of the personal information and the possible adverse consequences for the individual of unauthorised disclosure. The minimum amount of personal information needed to establish an individual’s identity Is always sought. Due to the nature of an online organisation, In circumstances, where there are adverse consequences for unauthorised disclosure, we must collect personal information to verify an individual’s identity. We will take reasonable steps to destroy or de-identify personal information no longer needed for any purpose for which it may be used or disclosed (unless an exception applies).
  • We are required to provide personal information given to an individual ‘on request’. APP 12 does not stipulate formal requirements for making a request, or require that a request be made in writing, or require the individual to state that it is an APP 12 request.
  • We provide access to personal information on an informal basis, provided the minimum access requirements in APP 12 are met. Generally, we provide information free of access charges and provide written notice (Email), including the reasons for the refusal, if access is refused.
  • We endeavour to respond to your request within a reasonable period after the request is made. We will respond by giving access to the personal information that is requested, or by notifying its refusal to give access. Factors that may be relevant in deciding what is a reasonable period include the scope and clarity of a request, whether the information can be readily located and assembled, and whether consultation with the individual or other parties is required. However, as a general guide, a reasonable period should not exceed 30 calendar days.
  • We will give access to personal information in the manner requested by you if it is reasonable and practicable to do so. The manner of access is typically by email or an electronic record
  • More information, including your rights, is available on our Privacy Policy.

APP 13: Correction of personal information

Outlines an APP entity’s obligations in relation to correcting the personal information it holds about individuals.

  • You have the right to reflection and to verify the accuracy of the personal information we hold about you. You can email us to request such information.
  • You have the right to portability, where we will provide your personal information to you in a machine-readable format
  • You have the right to erasure. We’ll take reasonable steps to do so unless we are required to keep it by law, which we will inform you, if applicable, at the time of your request. This will limit your ability to access your account.
  • You can withdraw your consent at any time where you have previously given your consent to the processing of their Personal Information.
  • If a client requests you to change or remove their information, you can update a client's details or permanently delete a patient from your account.
  • You can also anonymise deleted client records to make sure the details aren’t displayed on invoices, payments, and appointment records.
  • But if you are required by law to hold on to client records, you can archive them instead.

Understanding the APP can be overwhelming at first, but you can have peace of mind that Splose is compliant with the APP and that the tools and features we have built and continue to invest in help you remain compliant with your clients. We continuously invest in features that help you meet and exceed the minimum privacy requirements required in Australia. If you have any questions or concerns, don't hesitate to send us an email or chat with us.

Did this answer your question?