SMARTSYNC MOBILE APPLICATION Privacy Policy

Medtronic Australasia Pty Ltd and Medtronic New Zealand Limited (hereinafter referred to as “we”, “us”, “our” and “Medtronic”), are bound by the Australian Privacy Principles (“APPs”), contained in the Privacy Act 1988 (Cth) and the New Zealand Information Privacy Principles (“IPPs”) contained in the Privacy Act 1993 (“ANZ Privacy Laws”). Medtronic may also be bound by State and Territory privacy laws in Australia, and to the extent we are bound by those laws, they form part of the ANZ Privacy Laws.

Medtronic is committed to maintaining your trust by protecting Personal Information. We are committed to ensuring that your privacy and the privacy of your patients is respected, and that Personal Information is handled in a transparent and lawful way. Any Personal Information you provide will only be used in accordance with this Privacy Notice. We encourage you to read this Privacy Statement carefully.

This Privacy Statement tells you how we protect and use information that we process through the Medtronic Mobile SmartSync Application (the "Application" or "App").

This Privacy Statement was last revised on September 7, 2018. We may change the Privacy Statement at any time and for any reason, but if we do so, we will inform you of the new contents.

This Privacy Statement and the End User Licensing Agreement (EULA) are the complete agreement between Medtronic and the medical institution with respect to its use of the Application. The medical institution is considered the data controller of this processing of Personal Information.

INTRODUCTION

The Application is owned by Medtronic, Inc of Fridley, Minnesota, USA ("Medtronic") and is licensed to you for purposes of interrogating and programming the implanted cardiac device of your patients. When we use the word "you" or "your" we mean the medical institution using the App and its medical personnel.

The App is part of the SmartSync device programming and interrogation system ("System") and is downloaded on a tablet which is part of the System. The System (a tablet with the App installed) can be brought into the medical institution by a Medtronic representative. After the programming and/or interrogation procedures, the Medtronic representative removes the System from your facility. In other circumstances the System will be brought by you, like a tablet loaned by Medtronic or by bringing your own device. The System will always be operated by you with the support of the Medtronic representative.

The System collects and processes Personal Information of your patients and your institution through the Application. Please see below for a definition of personal and non-Personal Information, and how the System processes them.

Where the tablet is temporarily provided by a Medtronic representative, the Lawful Basis for processing Personal Information by Medtronic is the performance of the agreement between Medtronic and the medical institution. In other circumstances, like a tablet loaned by Medtronic or bringing your own device, you have to determine your own Lawful Basis for processing since Medtronic will not be involved in processing.

WHAT IS PERSONAL INFORMATION?

Personal Information is information that is processed through the App that can specifically identify patients and you. Examples of Personal Information include:

  • Patient first name (optional)
  • Patient last name (optional)
  • Patient's health condition
  • Hospital/clinic name
  • Medical device serial number
  • Implant date
  • Model number
  • Medical device name
  • Mobile device identifiers, such as model number, manufacturer, serial number, or IMEI/MEID
  • Device programming parameters and measurements

HOW DOES MEDTRONIC COLLECT AND PROCESS PERSONAL INFORMATION?

The App will serve to program and/or interrogate your patients' implanted cardiac devices and to collect Personal Information from such device. Where the tablet is temporarily provided by a Medtronic representative the data will be delivered to you on a digital file or on a print-out (pdf). After the interrogation and transfer to you of the data, any data will be deleted manually from the App by your personnel or by the Medtronic representative prior to the System being removed from your facility. In other circumstances, like a tablet loaned by Medtronic or bringing your own device, you are responsible for ensuring that the right (security) controls are in place to protect and control the Personal Information. That includes deletion of Personal Data from the System before handing a loaned System back to Medtronic.

SECURITY

We are committed to protecting the security and confidentiality of Personal Information. To prevent accidental or unlawful destruction, loss, alteration, unauthorised access or disclosure of the Personal Information, we use appropriate technical and organisational measures to safeguard and secure the "Personal Information" we process.

We will inform you and/or the relevant supervisory authorities without undue delay should an unauthorised disclosure of the Personal Information require such a notification.

WILL MEDTRONIC SHARE PERSONAL INFORMATION WITH THIRD PARTIES?

Medtronic will not share any Personal Information collected from any device through the App, with any affiliated company of the Medtronic group, nor with any third party.

WHAT DOES MEDTRONIC DO WITH NON-PERSONAL INFORMATION?

Non-Personal Information will be collected and processed for the same purpose as personal data and in the same context. No non-Personal Information will be stored nor shared with anyone except with your medical institution.

YOUR PERSONAL RIGHTS AND HOW TO CONTACT MEDTRONIC

Where the tablet is temporarily provided by a Medtronic representative, we do not store or keep personal data after its transfer to you or its communication to you. Still you have the right to request access to the App to ensure that this is the case, or to object to personal data being processed by the App by not using the App, but the latter will render the programming or interrogation of the devices by the System impossible.

In other circumstances, like a tablet loaned by Medtronic or bringing your own device, Medtronic will not be able to grant these rights, since Medtronic does not process Personal Information.

In order to exercise these rights or to obtain information on the applicable procedure, please contact Medtronic’s Privacy Officer at privacy@medtronic.com, setting out a full description of the request. We will respond to your requests to access or correct your Personal Information in a reasonable timeframe.

There is no charge for requesting access to your Personal Information but we may require you to meet our reasonable costs in providing you with access (such as photocopying costs).

There are some circumstances in which we are not required to give you access to your Personal Information. Medtronic may not accommodate a request to access, change or delete Personal Information if it believes doing so would violate any law or legal requirement, or cause the information to be incorrect. 

In those circumstances, if requested by you, Medtronic shall take such steps as are reasonable, to attach a statement provided by you to the information of the corrections sought.

If you have a complaint about how we have handled your Personal Information or consider that we may have breached our obligations under ANZ Privacy Laws, please write to our Privacy Officer at privacy@medtronic.com or at:

Medtronic Australasia Pty Ltd
Attention: Privacy Officer
2 Alma Road
Macquarie Park NSW 2113

We will respond to your complaint within a reasonable period, usually within 30 days. If you are unhappy with the resolution of your complaint, if you are located in or reside in Australia, you may contact the Office of the Australian Information Commissioner (www.oaic.gov.au) or if you are located in or reside in New Zealand you may contact the Office of the Privacy Commissioner (https://www.privacy.org.nz/) for further guidance.

DEFINITIONS

By "Personal Information" we mean information or an opinion about an identified individual or from which an individual can be reasonably identified (either directly or indirectly).

By "Sensitive Personal Information", we mean any Personal Information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

By "Processing" we mean any operation performed on Personal Information, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restrictions, erasure or destruction.

By "Lawful Basis" we mean the legal grounds on which Personal Information is processed. These include: Consent, Performance of Contract, Legal Obligation, Legitimate Interest, Vital Interest & Public Interest.