11. Additional Requirements for Health Information
Where TechSpecialist collects and/or holds Credit Information and Tax File Numbers, TechSpecialist will treat that information in compliance with the Act and all applicable Credit Reporting Laws governing privacy of Credit Information and the Privacy (Tax File Number) Rule 2015.
TechSpecialist will only use or disclose Credit Information and Tax File Numbers for the purpose for which it was collected or a directly related purpose that is expected, such as the storage of that information in providing services as a result of contractual relationships with Credit Providers or other organisations that collect and/or hold Credit Information and/or Tax File Numbers.
As a TFN Recipient under the Act and the Privacy (Tax File Number) Rule 2015, TechSpecialist is subject to collection, storage, use, and disclosure requirements concerning Tax File Numbers. TechSpecialist collects employee Tax File Numbers to communicate with the ATO and the employee’s superannuation funds. In all other instances where TechSpecialist receives Tax File Numbers for incidental purposes related to their operations, TechSpecialist securely stores Tax File Numbers using industry standard security.
Where Techspecialist is retained by a client that stores Credit Information and/or Tax File Numbers of its clients, in the event of a Data Breach or suspected Data Breach, Techspecialist will provide its client within 14 days of the Data Breach or suspected Data Breach:
- (a) The identity and contact details of the relevant client/s of the Health Provider Organisation (if identifiable by TechSpecialist);
- (b) A description of the data breach;
- (c) The kinds of information concerned (if identifiable by TechSpecialist);
- (d) Recommendations about the steps that those affected should take in response to the data breach; and
- (e) Steps taken by Techspecialist to secure its systems against further breach;
Unless otherwise agreed between TechSpecialist and the Health Provider Organisation in writing, TechSpecialist will not identify whether the Data Breach is a NDB in circumstances where they are in possession of Health Information as a result of providing services to a Health Provider Organisation. The Health Provider Organisation will be responsible for making an assessment as to whether the Data Breach constitutes an NDB and to report the NDB in compliance with the NDB Scheme.
TechSpecialist is not otherwise bound by the privacy policies and procedures of Health Provider Organisations unless they have had prior notice of the same and provided written acceptance of those policies and procedures to the Health Provider Organisation.