Privacy policy

PART 1 UKI Privacy Policy

1. Who Is Everlight?

Everlight Radiology Limited takes its data protection and privacy responsibilities seriously. This notice explains how Everlight collects and uses personal information in the course of our business activities in our capacity of data controller for the purposes of applicable data protection legislation. Please read this notice carefully.

Everlight Radiology Limited Our contact details are:

6th Floor West, 350 Euston Road, Regent’s Place London NW1 3AX

ICO Information Commissioner Office

Please go to https://ico.org.uk/for-organisations/ for more information

We are registered with the UK Information Commissioner’s Office (ICO) under registration number ZB224415.

Previously Registered Under Radiology Reporting Online LLP Z3257763.

Data Protection Commission (DPC)

Please go to www.dataprotection.ie  for more information

Data Protection Commission (DPC) is the relevant supervisory authority responsible for approval of data protection criteria or mechanisms in certification schemes

We are registered with the Data Protection Commission (DPC) and our Companies Registration Office Ireland (CRO ) Registration number is : 652426 under the name of Everlight Radiology (Ireland) Limited

Data Protection Officer (DPO)

Everlight has a Data Protection Officer (DPO) whose role it is to ensure that data protection is built into our culture and working practices. If you have any questions about the use of your personal data, you should contact the DPO in the first instance. The contact details of our DPO are: Kate Cooper dataprotection@everlightradiology.com; phone: 0300 400 1111. Everlight’s DPO is registered with the ICO and the DPC.

2. What Does Everlight Do?

Computerised Tomography (CT) scan or Magnetic resonance imaging (MRI) MRI’s, X-Ray’s and other imaging is taken in hospitals and clinics to help to diagnose illness and injury. Specialist clinicians, called radiologists, provide services to those hospitals and clinics by interpreting this imaging to assist treating doctors in working out the cause of a patient’s injury or illness and the appropriate treatment for it.

Everlight services operate, broadly, by:

1. Treating clinicians, doctors and other specialists at our customer (an NHS Trust hospital or clinic and/or other hospital or clinic customers on whose behalf we provide services) ) take an x-ray/MRI/CT and/or other imaging of an injured or ill patient;
2. the x-ray and/or imaging and other data (‘Imaging’) are then provided to us (directly or indirectly) by our customer;
3. We, with the support of our employee and consultant radiologists, review and interpret the Imaging using our secure systems, and arrange to generate a report on that Imaging (a diagnostic report);
4. the diagnostic report on the Imaging is sent back to the customer through our secure systems is then used as part of the care and treatment of the patient.

3. Our Responsibilities

Patients
Everlight as data processor

We process personal information of patients on behalf of our customers when we provide our services to them (i.e. by providing the diagnosis report to the relevant hospital or clinic). When we do this, we act as a "data processor" under relevant data protection laws, whilst our customer will be the relevant "data controller".

In order to provide the diagnosis report to our customers, our customers provide us with the following personal information on patients that we will process on behalf of the customer as a processor:

• Patient Demographics (name, address, Date of Birth Patient ID, NHS Number, Accession);
• Referral form information - background or clinical history which is deemed relevant by the referring clinicians; and
• Images – x-rays, CT scans, MRI scans and other kinds of radiographic imaging, in order to report on them.

We will only process patient personal information in order to provide our services to our customers or where required by law. As controller, our customer is ultimately responsible for making sure that its patients’ personal data is treated in accordance with applicable data protection laws. That includes informing patients, in the first instance, how service providers (like us) collect and use data on their behalf.

Everlight as data controller

There may be limited circumstances where we will be processing your personal information as a data controller.

We may process your personal information as a controller for record keeping purposes where we have a legal obligation to do so. We are regulated by the Care Quality Commission (“CQC”) , and under CQC obligations we are required to maintain proper records of the care and treatment provided. Our clinicians are regulated by the GMC and are under professional obligations to provide care and treatment.

We may also process your personal information as a controller for record keeping purposes where the processing is necessary for health care or insurance purposes, including where we have received a complaint or concern about the services that we have provided; to defend any legal claims; or to undertake clinical audit, for insurance and professional regulatory purposes.

If you have concerns or questions about our processing of your personal information in the context of Everlight’s services as described above, you should contact us using the information in the contact details noted above. Please note that if you contact us directly, we may need to disclose your request to the relevant customer.

4. Customers and Website Users

When and how we collect your personal data

We collect personal data about you if:
(i) you use our website;
(ii) use our services;
(iii) or contact us by post, telephone or email.

5. Types Of Personal Data We Collect

Depending on the purpose for which we use your data, we may collect and use certain personal data that is disclosed to us, including:

• your name and contact details;
• your marketing preferences;
• any other personal information you provide in correspondence with us, for example where this is relevant to a complaint or query. (IMC/GMC number if applicable)

When providing our services, we also receive details of a treating radiographer’s name and contact details and the treating clinician’s name and contact details (at our customer). When providing our services via telephone we collect personal data through recording all incoming and outgoing calls for record keeping and quality control purposes, including for the purposes of quality audits, service level monitoring and for medico-legal purposes. These recordings will be stored in accordance with Everlight’s records management and record retention policies and practice. The recordings will be stored in Amazon Web Services instances located in the United Kingdom.

Through your use of our websites, we will also collect information - such as IP address and browser generated information (browser type, operating system), as well as information about your browsing session. We do not use this information to identify you as an individual, but in order to tailor or enhance your browsing experience, or in aggregate with data of other users for statistical purposes. Please see our cookies policy for further information about the cookies we use.

If you provide us with personal information about other people, or if others give us your information, we will only use that information for the specific reason for which it was provided to us. By submitting the information, you confirm that you have the right to authorise us to process it on your behalf in accordance with this Privacy Policy.

6. Why We Collect Data (the purpose and legal basis of processing)

Your personal information will be used for the purposes listed in the table below. Everlight will only collect, use and share your personal information where we are satisfied that we have an appropriate legal basis to do this. We have also described the legal bases which we rely in the table. The legal basis we rely upon will impact which rights you have in relation to your personal information (see section below for more details):

7. Sharing Personal Information

We treat all data in accordance with the principles of confidentiality. We share your information in the manner and for the purposes described below:

The people that may receive data we process are: -

• Our staff;
• Our global network of radiologists (in order to provide 24/7/365 radiology reporting services and to support the delivery of those services and manage our business);
• the clinicians and staff at the customer (e.g. hospital or clinic) that has commissioned services from us;

1. members of the Everlight group, where such disclosure is necessary to provide you with our services or to manage our business
2. with third parties who help manage our business and deliver services. All of our third parties complete Third Party Security Questionnaires annually and all of our third parties have completed Everlight Due Diligence Documentation (DPIA/Data Mapping/Supplier Review ) which has been Risk Assessed/Approved by Everlight’s IT Security Manager/Information Security Manager/DPO and IT Support Manager. This is review Annually for Critical Suppliers and all other Suppliers once in a three year ISO cycle.;
3. with our regulators, to comply with all applicable laws, regulations and rules, and requests of law enforcement, regulatory and other governmental agencies;
4. any person in connection with any legal proceedings or prospective legal proceedings, including in order to establish, exercise or defend our legal rights;
5. we may share in aggregate, statistical form, non-personal information regarding the visitors to our website, traffic patterns, and website usage with our partners, affiliates or advertisers; and
6. if, in the future, we sell or transfer some or all of our business or assets to a third party, we may disclose information to a potential or actual third-party purchaser of our business or assets.

8. International Data Transfers

Everlight operates on a global basis and we may share data with clinicians and radiologists working elsewhere in the world, using our secure network and with other Everlight companies and contractors located outside of the location in which you may be located or treated. Accordingly, your personal information may be transferred, processed and stored in countries outside the EU, including Australia., that are subject to different standards of data protection. Everlight will take appropriate steps to ensure that transfers of personal information are in accordance with applicable privacy laws and are carefully managed to protect your privacy rights and interests, and will take appropriate steps to ensure that transfers are limited to countries which are recognized as providing an adequate level of legal protection or where we can be satisfied that alternative arrangements are in place to protect your privacy rights. Everlight uses Standard Contractual Clauses (SCC).

You have a right to contact us for more information about the safeguards we have put in place (including a copy of relevant contractual commitments) to ensure the adequate protection of your personal data when this is transferred as mentioned above.

9. Automated Decision Making

“Automated decision making” means decisions made about a person without any human involvement. We do not make use of automated decision making, although many of our website tools (for instance signing up to emails) will be supported by electronic systems.

10. How Long Do We Keep Your Data?

We endeavour to ensure that personal information is kept as current as possible and that irrelevant or excessive data is deleted or made anonymous as soon as reasonably practicable. However, some personal information may be retained for varying time periods in order to comply with legal and regulatory obligations and for other legitimate business reasons.

We will generally retain your personal information only so long as it is required for purposes for which it was collected. This will usually be the period of your relationship with us plus the length of any applicable statutory limitation period following the end of such relationship, although some data may need to be kept for longer. For example, where required to comply with a legal obligation.

Where we are processing clinical images on behalf of our customers, Everlight currently uses a waterfall system and clinical images are kept for approximately 4 weeks and then deleted from our system. However, other information with regard to your study will remain on our system for the legally required time. Once reported, images are kept in a restricted cold storage environment and accessed for medical legal reasons in line with NHS retention policy or as agreed with the customer in our contract. We maintain a records retention policy which we apply to all records in our care. Where your personal information is no longer required we will ensure it is either securely deleted or stored in a way which means it will no longer be used by Everlight.

11. How Do We Keep Your Data Safe And Secure?

Everlight are committed to protecting the security of the personal information you share with us. In support of this commitment, we have implemented appropriate technical, logical, physical and organisational measures to ensure a level of security appropriate to the risk. For example, amongst other measures, we maintain a security policy and store all of your personal information on our secure servers. All patient personal information is transferred securely either via an encrypted (AES-256) SSL VPN tunnel, or a ISPEC AES-256 encrypted tunnel to a secure Tier 3 Data Centre via the HSCN Network first and then via direct connections to our secure cloud data centre. All remote machines (used by radiologists around the world) have encrypted hard drives and data is purged upon user log-off. The log-off process is enforced via Everlight group policy. System monitoring is completed via Everlight’s proprietary software. Everlight’s systems undergo regular independent penetration testing. Data is stored in secure cloud data centres, which have strict access controls in place. All our staff work under strict contractual obligations of confidentiality, and receive training on data protection matters. Our clinicians and radiologists are subject to professional regulatory standards which include confidentiality matters.

Please note that we are not in any way responsible for the security or content of, and this privacy notice does not cover the processing of your personal information by any third- party services used in conjunction with our services. It also does not cover the use of services for which we are acting as Processor: in these cases the relevant controller should provide you with an additional notice.

12. Your Rights

Subject to certain exemptions, and in some cases dependent upon the data processing activity we are undertaking, you have certain rights in relation to your personal information.

With regard to any access request you may make to us in respect of your personal information, we may ask you for additional information to confirm your identity and, for security purposes, before disclosing any personal information requested to you. We reserve the right to charge a fee where permitted by applicable laws to do so, for instance if your request is manifestly unfounded or excessive.

You can exercise your rights by going to our website to find the way to contact Everlight https://www.everlightradiology.com/en-gb/contact-us Subject to legal and other permissible considerations, we will make every reasonable effort to honour your request promptly or inform you if we require further information to fulfil your request.

We may not always be able to fully address your request, for example if it would impact the duty of confidentiality we owe to others, or if we are legally entitled to deal with the request in a different way.

12.1       Right to access personal information

You have a right to request that we provide you with a copy of your personal information that we hold and you have the right to be informed of, inter alia, (a) the source of your personal information; (b) the purposes and legal basis of processing; (c) the data controller’s identity; and (d) the entities or categories of entities to whom your personal information may be transferred.

12.2       Right to rectify or erase personal information

You have a right to request that we rectify inaccurate personal information. We may seek to verify the accuracy of the personal information before rectifying it.

You can also request that we erase your personal information in limited circumstances where:

• it is no longer needed for the purposes for which it was collected; or
• you have withdrawn your consent (where data processing was based on consent – please note that we do not normally rely on ‘consent’ as the legal basis for processing data – the legal basis relied upon are set out in the relevant sections above); or
• following a successful right to object (see right to object); or
• it has been processed unlawfully; or
• the personal data have to be erased for compliance with a legal obligation to which Everlight is subject.

We are not required to comply with your request to erase personal information if the processing of your personal information is necessary:

• for compliance with a legal obligation; or
• for the establishment, exercise or defence of legal claims;

12.3       Right to restrict the processing of your personal information

You can ask us to restrict your personal information, but only where:

• its accuracy is contested, to allow us to verify its accuracy; or
• the processing is unlawful, but you do not want it erased; or
• it is no longer needed for the purposes for which it was collected, but you still need it to establish, exercise or defend legal claims; or
• you have exercised the right to object, and verification of overriding grounds is pending.

We can continue to use your personal information following a request for restriction, where:

• we have your consent; or
• to establish, exercise or defend legal claims; or
• to protect the rights of another natural or legal person.

12.4       Right to transfer your personal information

You can ask us to provide your personal information to you in a structured, commonly used, machine-readable format, or you can ask to have it transferred directly to another data controller, but in each case only where:

• the processing is based on your consent or on the performance of a contract with you; and
• the processing is carried out by automated means.

12.5       Right to withdraw your consent

Where we process your personal information based on your consent, you have the right to withdraw your consent at any time for the future, without affecting the lawfulness of processing based on your consent before its withdrawal.

12.6       Right to object to the processing of your personal information

You can object to any processing of your personal information which has our legitimate interests as its legal basis at any time on grounds relating to your particular situation.

If you raise an objection, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms.

12.7       Right to object to how we use your personal information for direct marketing purposes

You can object at any time to processing of personal data concerning you for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing.

Alternatively you can request that we change the manner in which we contact you for marketing purposes. You can also request that we simply not transfer your personal information to unaffiliated third parties for the purposes of direct marketing or any other purposes.

12.8       Right to obtain a copy of personal information safeguards used for transfers outside your jurisdiction

You can ask to obtain a copy of, or reference to, the safeguards under which your personal information is transferred outside of the European Union.

We may redact data transfer agreements to protect commercial terms.

12.9       Right to lodge a complaint with your local supervisory authority

You have a right to lodge a complaint with your local supervisory authority if you have concerns about how we are processing your personal information. In the UK, the supervisory authority is the Information Commissioner (www.ico.org.uk).

We ask that you please attempt to resolve any issues with us first, although you have a right to contact your supervisory authority at any time.

If you have any questions, concerns or complaints regarding our compliance with this notice and the data protection laws, or if you wish to exercise your rights, we encourage you to first contact us using the above contact details. We will investigate and attempt to resolve complaints and disputes and will make every reasonable effort to honour your wish to exercise your rights as quickly as possible and in any event within the timescales provided by data protection laws.

13. Validity of the Procedure
This policy is reviewed annually by the Global IGF

Part 2: EVERLIGHT ANZ POLICY

 1. Introduction

Our commitment to protecting your personal information

Everlight Radiology Limited ACN 120 630 784 (‘Everlight Radiology’, ‘us’ or ‘we’) is committed to protecting your personal privacy and complying with our obligations under relevant privacy legislation, as set out in the Privacy Act 1988 (Cth) and embodied in the Australian Privacy Principles under that legislation (and to the extent they apply, in the other jurisdictions in which we operate including the New Zealand Privacy Act 2020 and the New Zealand Health Information Privacy Code) and other relevant Australian State/Territory health privacy legislations.

2. Aim/Objectives

By accessing our website or using our services, you agree to be bound by the terms of this Privacy Policy. We encourage you to read this Policy carefully.

This Privacy Policy sets our commitment to protecting your personal information, including sensitive information. It outlines how we collect, use, hold and disclose personal information, and how you can contact us if you have any concerns, questions, or complaints about our management of your personal information, or if you want to access it.

We may update this Privacy Policy from time to time so please periodically check and review the policy for changes. You can access the current version of the Privacy Policy at https://www.everlightradiology.com/privacy-policy

Should you require a copy of the Privacy Policy in another form please contact us via the contact details provided in the below section of this policy to request a copy.

3. Personal Information & Sensitive Information

A reference to “personal information” means any information or opinion about you from which your identity is apparent or can reasonably be ascertained, from the information or opinion regardless of whether the information or opinion is:

• true or not; or

• recorded in a material form or not.

Personal information can also include sensitive information. “Sensitive information” means information or an opinion (that is also personal information) about matters such as your racial or ethnic origin, religion, political persuasion, membership of a trade or professional association or trade union, sexual orientation or practices, criminal records, or your health, genetic or biometric information. We only hold and collect sensitive information where it is necessary for the purpose for which it is being collected and with your consent unless the collection is required or authorised by law.

4. Application of this Policy

We collect a variety of information from individuals, some of which may be personal information. This Privacy Policy explains the types of information we collect and what we do with that information.

This Policy applies to personal information we receive or collect from or about you. This may occur when you:

• visit or use the Everlight Radiology Website or any related software or applications (including any mobile applications);

• request or use any of our services;

• make an enquiry, request information or register your interest with Everlight Radiology;

• become or remain a client of Everlight Radiology;

• contact and interact with us or our personnel by any means, such as by email, phone, mail, online communications or in person;

• apply for a job with us or express interest in employment or providing services to us or become or remain an employee or service provider with us;

• make or receive a payment of any tax invoices we issue; or

• provide your personal (including health) information to us in any other way.

When you provide Everlight Radiology with personal information, you consent to Everlight Radiology using, handling and processing your personal information for the purposes and in the ways outlined in this Policy or such other purposes as we may communicate to you from time to time.

You do not have to provide us with your personal information, but if you do not provide us with the personal information we need, we may not be able to provide our services or assistance to you, or on your behalf, or to process your application, enquiry or request, and you may not be able to enjoy the full benefits of our website or our services.

4.1 What kinds of information do we collect?

The types of personal information we collect will depend on what activities you are engaging in or the type of product, service or other activity used or requested by you.

We collect personal information that is necessary to manage our relationships with our clients, employees, service providers and other stakeholders and to assist us in providing our services and other functions and activities. The types of personal information commonly collected for these purposes include:

• identification and contact information (e.g. name, age, date of birth, address, phone number, email address etc.);

• employer details;

• Medicare provider numbers;

• country of residence;

• enquiry, information request or complaint details;

• your IP address for your interaction with various parts of our Everlight Radiology Website. Your IP address is the identifier for your computer / site when you are using the internet;

• educational qualifications, employment history and other employee data in connection with a job application or expression of interest; and

• employee or contractor details to include in their personnel files.

In certain circumstances, we may also be required or permitted by law, court or tribunal order to collect certain personal information about you. Where required to do so, we will notify you in accordance with relevant privacy legislation when we collect your personal information and for what purpose.

We only collect sensitive information about you with your consent and if it is necessary for, or directly related to, our functions or activities, except where we are otherwise required or permitted by law to collect, use or disclose it.

We may also collect some statistical information about visitors to the Everlight Radiology Website (for example, the number of visitors, pages viewed, your type of browser and geographic location, types of transactions conducted, time online and documents downloaded, how you came to the site, and information that will help us trouble-shoot problems, analyse our resources and improve our services). Some of this statistical information is collected by using cookies, but none of the statistical information we collect allows us to identify a visitor. We use this information to evaluate our website performance and continually improve our services. Importantly, we do not store any identifying information in any cookies on your computer. You can set your browser to refuse cookies but this may mean you cannot log in or take full advantage of our website.

4.2 Personal information about employees, contractors or job applicants

Everlight Radiology may also collect personal information from you if you apply for a job (or a position as a contractor) with and/or become employed by (or contract with) us. In these circumstances, you:

• authorise us to collect any personal information (whether written or verbal) from any referee or previous employer specified in your application for employment or curriculum vitae for evaluation of your application for employment and to hold such information on your personal file for future evaluation of your employment by us;

• acknowledge that your personal information is collected for the purpose of evaluating your application for employment by us and, if you accept employment with us, the assessment of your continued employment by us, and the administration, monitoring and management of your employment by us, and the processing of your remuneration and any PAYG tax obligations; and

• acknowledge that a failure by you to provide the requested personal information will have a detrimental effect on our ability to give your employment application proper consideration.

You can request to access and/or correct your personal information in accordance with this Policy.

4.3 How we collect your Personal Information

We will collect personal information directly from you unless:

• it is not reasonable or practicable to do so;

• you consent to us collecting it from other sources; or

• collection is otherwise permitted under relevant privacy legislation.  

Everlight will be recording all incoming and outgoing calls for quality control purposes. When providing our services via telephone we collect personal data through recording all incoming and outgoing calls for record keeping and quality control purposes, including for the purposes of quality audits, service level monitoring and for medico-legal purposes. These recordings will be stored in accordance with Everlight’s records management and record retention policies and practice, and Everlight Information Handling and Protection Policy. The recordings will be stored in Amazon Web Services instances located in the United Kingdom.

4.4 Purposes of collecting and using your Personal Information

We collect your personal information so that we can manage our relationships with our clients, employees, service providers and other stakeholders, provide our services to you and our clients, and to perform our other functions and activities. We may use your personal information in the following ways:

• communicating with you, including by email, mail, phone, online or in person;

• responding to your requests or queries;

• operating and improving Everlight Radiology’s Website, content, offers and services;

• sending you news and information about Everlight Radiology and our products, services or promotional communications, including newsletters, surveys and information about security updates, or information that is related to you as a customer or service provider of Everlight Radiology;

• occasionally sending you marketing, advertising or promotional material about our products and services (or the products and services of our partners) that we think may be of interest to you;

• providing you with more effective customer service;

• enabling us to conduct customer research;

• to compile data and conduct analysis of Everlight Radiology member/user statistics;

• performing research and analysis aimed at improving our products, services and technologies;

• establishing, maintaining and administering your account and customising the service we provide to you;

• verifying your identity, profiles and products, checking your credentials;

• monitoring and reporting as permitted or required under any applicable laws, including under applicable privacy legislations;

• investigating any complaints made by you or about you, or if we have reason to suspect that you are in breach of any of our Terms of Use or Code of Conduct (where applicable) or that you are or have been otherwise engaged in any unlawful activity;

• to communicate with regulators or government departments in respect of Everlight Radiology’s functions and activities;

• to assess a job applicant or to allow us to carry out any monitoring activities which may be required or permitted of us under applicable law as an employer;

• ensuring our internal business operations are running smoothly, which may include fulfilling legal requirements and conducting confidential systems maintenance and testing;

• quality assurance and training purposes;

• any other uses identified at the time of collecting your personal information;

• using personal information as otherwise required or permitted by any law, (including, where applicable, the Privacy Act 1988 (Cth) and the Spam Act 2003 (Cth), and the New Zealand Privacy Act 2020 and the Unsolicited Electronic Messages Act 2007) or for purposes of monitoring, meeting or reporting on our obligations under the Privacy Act and other applicable privacy legislation.

Personal information that we collect is not traded, sold, leased or rented. You consent to us using and disclosing your personal information in the manners that could reasonably be contemplated by this Privacy Policy, our Website Terms + Conditions or by the relevant activities you are engaged in when providing us with your personal information (e.g. as a website user, job candidate, service provider or customer).

5. Disclosure of your Personal Information

Any personal information provided to us may be disclosed, if appropriate, to other entities in order to facilitate the purpose for which the information was collected. Such entities generally include:

• third-party service providers for the purpose of enabling them to provide a service such as (but not limited to) payroll, superannuation administration, IT service providers, data storage/processing, IT security, web-hosting and server providers; debt collectors, maintenance or problem-solving providers; security services; credentialing service providers; professional advisory (including legal, accounting, financial and business consulting); mailing house and delivery services; HR Service providers; and banking, payment and insurance providers;

• any applicable or relevant regulator or third party for the purpose of legislative or contractual compliance and/or reporting;

• any related entities of Everlight Radiology; or

• other entities if you have given your express consent.

We may also disclose your personal information to third parties in the following circumstances:

• where we are under a legal or regulatory obligation to do so (for example, to a court or tribunal in response to a legal request, to a subpoena or to the Australian Taxation Office), or for purposes of monitoring, meeting or reporting on our obligations under applicable privacy legislation, or to protect the rights and interests, property, or safety of Everlight Radiology, our employees and contractors, our clients, members and users, or others;

• if all, or substantially all, of the assets of Everlight Radiology are merged with or acquired by another party, in which case your personal information may form part of the transferred or merged assets.

Where possible, we will inform you, at or before the time of collecting your personal information about other types of organisations to whom we may, with your consent, disclose your personal information. Prior to such disclosures, Everlight Radiology will take all reasonable steps to satisfy ourselves that:

• the organisation has a commitment to protecting your personal information; and

• where necessary, you have consented to such disclosure.

From time to time, and where permitted by law, these parties may reside outside of Australia or New Zealand including in the United Kingdom. Our contracts with these parties generally include an obligation for them to comply with Australian privacy law (or, as applicable, New Zealand privacy laws) and this Privacy Policy. However, if you are in Australia or New Zealand, you acknowledge that, by agreeing to the disclosure of your personal information to parties located outside of Australia or New Zealand, we will no longer be required to take reasonable steps to ensure the overseas recipient’s compliance with the Australian privacy law and the NZ privacy law in relation to your personal information and we will not be liable to you for any breach of the Australian privacy law or the NZ privacy law by these overseas recipients. On this basis, you consent to such disclosure of your personal information to other entities located outside of Australia and New Zealand as described in this section.

5.1 Direct Marketing

From time to time we may use your personal information to contact you about, among other things:

• particular Everlight Radiology products and services being offered to Everlight Radiology members / users which we believe may be of interest to you;

• changes to our organisation or our services; or

• your use of Everlight Radiology’s Website or services.

We will generally only do this with your prior consent (where practical or required by law) and we will always give you the opportunity to opt out of receiving such communications at any time. Direct Marketing from Everlight generally takes the form of emails or telephone calls.

Every directly addressed marketing communication sent or made by Everlight Radiology will include a means by which you may unsubscribe (or ‘opt out’) of receiving further marketing communications. You may also instruct us at any time to remove any previous consent you provided to receive marketing communications from us. Requests should be directed to us via the contact details provided in the 'Contacting us' section of this policy.

If you request not to receive direct marketing or market research information, please note that we will still contact you to provide you with relevant information in respect of your ongoing health care. For example, we will continue to send you relevant statements, invoices, reminders, notices, etc.

5.2 Links to Third Party Websites

Our website may contain links to the websites of other entities. If you click on such links, you will be transferred to the website of those third-party entities. We have no control over, and are not responsible for, the privacy practices of these entities. You should read the privacy policy of those entities to find out how they handle your personal information when you visit their websites.

We accept no responsibility or liability whatsoever for the content, actions or policies of third-party sites. The inclusion of links to third party sites on our site in no way constitutes an endorsement of the third-party sites' content, actions or policies: you access them at your own risk.

5.3 Updating or correcting your Personal Information

We will take reasonable steps to ensure the personal information (including sensitive (health) information) we collect is accurate, up to date, complete, relevant and not misleading. We will also take reasonable steps to ensure that when we use or disclose your personal information it is accurate, up to date, complete, relevant and not misleading, having regard to the purpose of the use or disclosure. However, you should advise us of any changes to your personal information by maintaining and updating your profile or information with us.

During the course of our relationship with you, we will from time to time ask you to confirm whether your personal information is correct or has changed.

You may also inform us of any changes to your personal information (such as your name or address) or correct any inaccuracy or errors in the information we hold by contacting us via the contact details in the ‘Contacting us’ section of this policy so that we can update your file accordingly. However, where there are grounds to refuse to correct the information as requested, we will provide you with reasons for not complying with your request where we are able to do so in accordance with applicable laws.

5.4 Accessing your Personal Information

You may request access to any of the personal information we hold about you at any time by contacting us via the contact details provided in the ‘Contacting Us’ section of this Policy.

While we do not generally charge you for requests to access your personal information, you should be aware that there may be reasonable charges (which will be notified to you when you make a request) for our time and cost associated with complying with your request to access your personal information in the following circumstances:

• if an extended amount of time is required to collate and prepare material for you; or

• if you wish to have your files photocopied and / or printed for you.

Where the Health Information Privacy Code 2020 applies and you request access to your health information, there may be reasonable charges (which will be notified to you when you make a request) for:

• making available the same, or substantially the same, health information we have already made available to you in the last 12 months; or

• providing you with a copy of an x-ray, a video recording, an MRI scan photograph, a PET scan photograph or a CT scan photograph.

Your request to access to your personal information may be denied on certain grounds including, for example:

• it is unlawful;

• it may have an unreasonable impact upon the privacy of other individuals; or

• your request is frivolous or vexatious.

If we deny your access or correction request, we will advise you of the reasons for doing so as soon as practicable, (except if it is unreasonable to do so) and we will inform you of the mechanisms available to complain about the refusal (see Complaints section below).

5.5       Dealing with us anonymously or by pseudonym

In order for us to effectively do business with you or make our Website, services and associated content available to you, it will not, in most circumstances, be practical for us to deal with you without you providing relevant personal information to us. However, where it is lawful and practicable to do so, you may deal with us anonymously or by using a pseudonym. Such a situation might include where you make general enquiries about current or potential Everlight Radiology Services or promotional offers or the content on our Website.

6. Storage & Security

We store personal information in both electronic and hard copy form and we will keep your personal data for no longer than is necessary for the purpose(s) it was provided for and to meet our legal obligations. Further details of the periods for which we retain data are available on request.

When the information is no longer needed for any purpose for which it was collected, or for which it may lawfully be used or disclosed, it will be destroyed or permanently de-identified.

We will also take reasonable steps to protect any personal information, including by implementing security procedures for access to our business premises and within our offices, as well as IT security procedures including encryption, password protection, firewalls, storing personal information on servers that utilise security software and systems, and site monitoring.

Although we aim to create a safe, secure environment by trying to limit access to the Website to legitimate users, we cannot guarantee that unauthorised parties will not gain access. To the extent permitted by law, we will not have any liability arising from any unauthorised access to your personal information.

Please contact us immediately if you become aware of any unauthorised use of your account by anyone else or any other breach of security (see the contact details section in this policy).

7. Contacting us

Please contact us via the contact details provided below if you want to:

• obtain further information about the way we manage your personal information;

• access your personal information held by us;

• raise a concern or make a complaint regarding how we collect or handle of your personal information, including about a breach of this Privacy Policy or the Privacy Act 1988 (Cth), the NZ Privacy Act 2020 (or other applicable privacy law);

• correct or update your personal information held by us; or

• unsubscribe from any Everlight Radiology mailing list or have any questions or complaints regarding unsolicited electronic communications which you may have received or are concerned about.

We will endeavour to:

1. provide an initial response to your query or complaint within 5 business days; and

2. resolve your query or complaint within 21 business days.

If you are still not satisfied, you can contact the Australian Privacy Commissioner (see http://www.oaic.gov.au/about/contact.html or call 1300 363 992) or New Zealand Privacy Commissioner (see https://www.privacy.org.nz/about-us/contact/).

Contact us at:

Website - https://www.everlightradiology.com/en-au/contact-us

Write to us at:

The Privacy Officer Everlight Radiology L11, 70 Phillip Street

Sydney NSW 2000

8. Changes to our Privacy Policy

We regularly review all of our business policies and may change this Privacy Policy from time to time, or as the need arises, without prior notice. The amended Privacy Policy will apply between us whether or not we have given you specific notice of any change. You should periodically check the page on the Everlight Radiology Website containing our Privacy Policy and review the policy regularly to ensure that you are aware of any changes to its terms. This is the current Privacy Policy and may replace any other privacy policy previously published for Everlight Radiology.

This Privacy Policy was last reviewed on [26/10/2021].

Need more information about privacy?

For more general information regarding privacy in Australia, visit the website of the Office of the Australian Information Commissioner. If you are in New Zealand you can visit the website of the Office of the New Zealand Privacy Commissioner.

9. Validity of Policy

This Policy will be reviewed at a minimum of once every 12 months.