Security Policy

Security

We take reasonable steps to protect personal data that we hold from unauthorised access, modification and disclosure and implement technical and organisational measures to ensure a level of protection appropriate to the risk of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed, as follows:

• We perform security testing (including penetration testing of our websites), and maintain other electronic (e- security) measures for the purposes of securing personal information, such as passwords, anti-virus management, multi-factor authentication, firewalls and antivirus software
• We maintain physical security measures in our buildings and offices such as door and window locks and visitor access management, cabinet locks, surveillance systems and
• We require all of our employees and contractors to comply with privacy and confidentiality terms and conditions in their employment contracts and subcontractor agreements that we enter into with
• We carry out security audits of our systems which seek to find and eliminate any potential security risks in our electronic and physical infrastructure as soon as possible
• If appropriate in the circumstances, taking into account the state of the art, the costs of implementation and the nature, scope, content and purpose of the processing, we pseudonymize and/or encrypt personal data
• We implement passwords and access control procedures into our computer systems
• We have a Data Breach Response Plan in place
• We have data backup, archiving and disaster recovery processes in place
• We have anti-virus and security controls for email and other applicable computer software and systems in place.

If you refuse to provide us with personal data 

If you do not provide us with your personal data, you can only have limited interaction with us. For example, you can browse our websites without providing us with personal information, such as the pages that generally describe the services that we make available, and our Contact Us page. However, when you submit a form on our website, or become a client or otherwise enter into a business relationship with us, we need to collect personal data from you in order to identify who you are, so that we can provide you with services, and for the other purposes described in this Privacy Policy. You have the option of not identifying yourself or using a pseudonym when contacting us to enquire about our services, but not if you wish to actually obtain our services. It is not practical for us to provide you with our services if you refuse to provide us with personal data.

Spam email

We do not send “junk” or unsolicited e-mail in contravention of the Spam Act 2003 (Cth). We will, however, use e-mail in some cases to respond to inquiries, confirm purchases, or contact clients. These transaction-based e-mails are automatically generated. Anytime a client or visitor receives e-mail it does not want from us they can request that we not send further e-mail by contacting us via email at: [email protected] or using any ‘unsubscribe’ tool contained in any communication we send. Upon receipt of any such request, we will ensure that they cease to receive automated emails from us.

Offshore data transfers for personal data

We may transfer your personal data entered into our websites to our contractors and service providers such as Microsoft Azure, who assist us with providing our products and services to you, and to assist us with the operation of our business generally, where we consider it necessary for them to provide that assistance.

Provided that we comply with applicable law, including the provisions of Australian Privacy Principle 8 (Cross-border disclosure of personal information), and the GDPR – in relation to GDPR Data, we may transfer personal data that we collect to our offshore contractors and service providers as well, who may be located outside the European Union (EU) or the European Economic Area (EEA). Our offshore contractors and service providers are currently located in the EU and United States of America.

Retention and de-identification of personal data

It is our policy to retain personal data in a form which permits identification of any person only as long as is necessary for the purposes for which the personal data was collected; and for any other related, directly related or compatible purposes if and where permitted by applicable law. We will only process personal data that you provide to us for the minimum length of time permitted by applicable law and only thereafter for the purposes of deleting or returning that personal data to you (except where we also need to retain the data in order to comply with our legal obligations, or to retain the data to protect your or any other person’s vital interests). Where you require personal data to be returned, it will be returned to you at that time, and we will thereafter delete all then remaining existing copies of that personal data in our possession or control as soon as reasonably practicable thereafter, unless applicable law requires us to retain the personal data in which case we will notify you of that requirement and only use such retained data for the purposes of complying with those applicable laws.

Where the personal data is not GDPR Data and is personal information for the purposes of the Privacy Act 1988 (Cth), instead of destroying the personal information we may take such steps as are reasonable in the circumstances to de- identify the personal information that we hold about an individual where we no longer need it for any purpose for which it may be used in accordance with this Privacy Policy if the information is not contained in a Commonwealth record and we are not required by Australian law (or a court or tribunal order) to retain it.

Your rights under the GDPR

Under the GDPR, you have a number of rights, including:

• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making and

Please contact us if you wish to exercise any of your rights under the GDPR. We will handle all such requests in accordance with our legal obligations. If you withdraw your consent for processing, object to the processing of your personal data or request us to erase your personal data and as a result it is not possible or practical for us to continue providing you with our services, we may elect to terminate our business relationship with you.

How to access and correct personal data held by us 

Please contact us if you wish to access the personal data that we hold about you, using the details set out at the end of this Privacy Policy. We will handle your request for access to your personal data in accordance with our statutory obligations. To ensure that we only obtain, collect, use and disclose accurate, complete and up to date personal data, we invite you to contact us and inform us if any of your personal details we hold change or if any of the personal data held by us is otherwise incorrect or erroneous. We will provide you (or if you wish, another controller) with a copy of the personal data they we hold about you in a structured, commonly used and machine readable format. However, we will not charge any fee to access your GDPR Data where the GDPR prohibits us from doing so.

Our contact details

We are Macquarie Medical Systems Pty Ltd ABN 65 002 237 676 of 301 Catherine St, Leichhardt, NSW 2040. If you wish to contact us for any reason regarding our privacy practices or the personal data that we hold about you, please contact us at the following address:

Privacy Representative

Privacy Officer, Macquarie Medical Systems 301 Catherine St, Leichhardt, NSW 2040 [email protected]

We will use our best endeavours to resolve any privacy complaint within ten (10) business days following receipt of your complaint. This may include working with you on a collaborative basis to resolve the complaint or us proposing options for resolution.

If you are not satisfied with the outcome of a complaint or you with to make a complaint about a breach of the Australian Privacy Principles you make refer the complaint to the Office of the Australian Information Commissioner (OAIC) who can be contacted using the following details:

Call: 1300 363 992
Email: [email protected]
Address: GPO Box 5218, Sydney NSW 2001

In relation to GDPR Data, you may lodge a complaint with any relevant supervisory authority.