OpenCivics Privacy Policy

Health Information Security and Privacy Policy

Version: 1.1 | Effective date: 23 August 2025 | Approved by: Alexander Tashevski‑Beckwith (Information Security and Privacy Officer)

1. Purpose and Our Commitment to Privacy

The organisation is committed to protecting the confidentiality, integrity, and availability of all its information assets to maintain legal, regulatory, and contractual compliance, and to safeguard customer trust and business operations.

The founder and any future directors are fully committed to this policy and will provide the necessary resources and support for its implementation and continual improvement.

This policy establishes the mandatory requirements for safeguarding information and serves as the organisation's official Privacy Policy in compliance with the Australian Privacy Principles (APPs). It is designed to comply (where applicable) with:

  • Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs)
  • Health Records Act 2001 (Vic) and the Health Privacy Principles (HPPs)
  • Notifiable Data Breaches (NDB) Scheme (Part IIIC of the Privacy Act)
  • ISO/IEC 27001:2022 and alignment to NIST Cybersecurity Framework (CSF)
  • Healthdirect contractual security obligations

How to contact us / complaints: team@opencivics.ai
Complaints will be acknowledged and handled promptly; if unresolved, individuals may complain to the Office of the Australian Information Commissioner (OAIC).

2. Scope

This policy applies to:

  • All information created, stored, processed, transmitted, or disposed of by the organisation, in any format.
  • All forms of health information, including identified, de‑identified, and aggregated data.
  • The founder, any directors, and any future employees, contractors or third parties engaged by the organisation.
  • All company‑owned and managed assets, including systems, cloud services, networks, applications, workstations, and mobile devices.

3. Guiding Principles

  • Confidentiality: Information shall be protected from unauthorised access or disclosure.
  • Integrity: Information shall be accurate, complete, reliable, and protected from unauthorised modification.
  • Availability: Information and supporting systems shall be accessible to authorised users when required.
  • Compliance: All activities shall comply with applicable laws, regulations, contractual obligations, and standards.
  • Data Segregation: Healthcare‑related data and other company data shall be strictly isolated through logical controls.
  • Privacy and Security by Design: All new systems and processes shall incorporate privacy and security protections from the outset.
  • Least Privilege: The founder and any systems shall operate with the minimum level of access required to perform their authorised functions.

4. Roles and Responsibilities

The founder, Alexander Tashevski‑Beckwith, acts as the Information Security and Privacy Officer (ISPO). Responsibilities include:

  • Developing, implementing, monitoring, and enforcing this policy.
  • Managing security incidents, conducting risk assessments, and overseeing the security program.
  • Ensuring compliance with all legal, regulatory, and contractual obligations.
  • Undertaking regular security and privacy training to maintain currency with the threat landscape and legal obligations.
  • Immediately reporting and managing any suspected security weaknesses or incidents per the Incident Response Plan.

5. Individual Rights and Choices

5.1 Access and Correction

Individuals have the right to request access to, and correction of, their personal and health information where held by the organisation. We will decide access or correction requests as soon as practicable and within 30 days, provide written reasons if refused, and may associate a correction statement where a record is not amended. Identity verification is required.

5.2 Anonymity and Pseudonymity

Where lawful and practicable, individuals will be given the option of not identifying themselves or of using a pseudonym when dealing with the organisation.

5.3 Information for Other Providers

At an individual's request, their health information will be made available to another health service provider.

5.4 Collection Notices

At or before the time of collection (or as soon as practicable afterwards), we provide collection notices addressing the matters required by APP 5.

6. Policy Statements

6.1 Information Classification

Information shall be classified according to sensitivity as Public, Internal, Confidential, or Restricted. Restricted applies to all personal health information, Third-Party Health Service Data (e.g. Healthdirect), credentials, and system logs.

6.2 Acceptable Use

Company systems, devices, and networks shall be used solely for authorised business purposes. Exception: Where the Information Security and Privacy Officer approves personal use on a device, a dedicated partition or logically separated container must be created to ensure secure separation between healthcare data, other company data, and personal use.

6.3 Access Control

Access shall follow least privilege and need‑to‑know. MFA is mandatory for all external‑facing systems and services handling Confidential or Restricted data. User access reviews are performed at least annually for all systems.

6.4 Data Security

  • Encryption at Rest: The company workstation must use full‑disk encryption with ASD‑approved algorithms (e.g., AES‑256).
  • Encryption in Transit: All data transmitted over public networks uses strong, ASD‑approved protocols (e.g., TLS 1.2+).
  • Partitioning: Workstations handling healthcare data maintain a logically isolated, encrypted container for all "Healthcare Work".
  • Data Retention and Disposal: In compliance with the Health Records Act 2001 (Vic), client health information is retained for seven years from the date of last contact, or until age 25 if the individual was under 18 at last contact.

6.5 Network Security

All systems and partitions handling Restricted data (including healthcare and third-party provider data) operate under a hardened profile, including mandatory VPN connectivity, DNS filtering, and outbound‑only firewall rules.

6.6 Incident Response & Notifiable Data Breaches

All suspected or actual security incidents must be reported and managed immediately per the Incident Response Plan. We will assess suspected eligible data breaches as soon as practicable and within 30 days. If an eligible data breach is confirmed, we will prepare a statement to the OAIC and notify affected individuals or Third-Party Health Service data providers with recommended steps to mitigate harm.

6.7 Third‑Party Security

Third‑party vendors must meet the organisation's security and privacy requirements. Before disclosing personal or health information overseas, we take reasonable steps to ensure the recipient is subject to a law, binding scheme, or contract that effectively upholds privacy principles substantially similar to the APPs/HPPs, or obtain informed consent, or rely on another lawful basis.

6.8 Use and Disclosure

We will only use or disclose personal information when one of the following applies:

  • Primary purpose: For the exact reason we collected it
  • Permitted secondary purpose: For a purpose the individual would reasonably expect
  • Consent: The individual has given informed, current, and documented consent
  • Required or authorised by law: We are legally required/authorised to use or disclose
  • Permitted general/health situations: To reduce/mitigate a serious threat to life/health/safety
  • De-identified/aggregated analytics: We may use or share de-identified data for reporting or analytics

7. Policy Review

This policy is reviewed at least annually, or upon significant changes to legislation, business operations, or the threat landscape.

8. Approval

Name: Alexander Tashevski‑Beckwith
Role: Information Security and Privacy Officer
Date: 23 August 2025
Version: 1.1