Background
1. Purpose
The General Data Protection Regulation (GDPR) creates rules for Personal Data processing in the European Union (EU). While the GDPR is a law of the EU, it also imposes obligations on organisations anywhere in the world, provided that organisation meets certain criteria.
As a result of the extra-territorial reach of the GDPR, all Australian organisations must consider whether they have obligations under the GDPR in addition to any privacy obligations under Australian Privacy Law and, if obligations under the GDPR exist after such an assessment, comply with the GDPR.
At Next Step Medical Pty Ltd (Business), we are committed to operating in accordance with the GDPR, where applicable, to protect the privacy of the information we collect within our business about customers, consumers, business partners, suppliers, employees or other individuals.
This policy outlines the GDPR compliance requirements for our Business to ensure the protection of personal data collected from individuals in the EU. This policy complements our Business's existing obligations under Australian Privacy Law.
Definitions used in this Policy
- Australian Privacy Law – The Privacy Act 1988 (Cth), the Australian Privacy Principles (Cth), the Information Privacy Act 2014 (ACT), the Privacy and Personal Information Protection Act 1998 (NSW), the Health Records and Information Privacy Act 2002 (NSW), the Information Act 2002 (NT), the Information Privacy Act 2009 (Qld), the Personal Information and Protection Act 2004 (Tas), the Privacy and Data Protection Act 2014 (Vic), the Health Records Act 2001 (Vic) and the Freedom of Information Act 1992 (WA).
- Establishment – The place of central administration, being the primary location from which decisions regarding the processing of personal data are made.
- EU – European Union.
- GDPR – The European Union's General Data Protection Regulation.
- Data Breach – When the personal data our business is responsible for is disclosed, either accidentally or unlawfully, to unauthorised recipients or is made temporarily unavailable or is altered.
- Data Controller – The person who decides why and how personal data will be processed (e.g. business owner, employee).
- Data Processing – Any action performed on data, whether automated or manual (e.g. collecting, recording, organising, structuring, storing, using, erasing).
- Data Processor – A third party that processes personal data on behalf of a data controller (e.g. cloud servers, Google Drive, Microsoft OneDrive and email service providers).
- Data Subject – The person whose data is processed.
- Personal Data – Any information that relates to an individual who can be directly or indirectly identified (e.g. names, email addresses, location information, ethnicity, gender, biometric data, religious beliefs, web cookies and political opinions).
2. Scope
Our Business already has obligations under Australian Privacy Law to protect personal information that our Business holds. However, our Business may also have obligations under the GDPR to the extent that it:
- Has an Establishment in the EU and processes Personal Data in the context of the activities of that Establishment; or
- Does not have an Establishment in the EU, but processes the Personal Data of Data Subjects who are in the EU and the processing activities relate to:
  - Offering goods or services to Data Subjects in the EU (regardless of whether payment is required); or
  - Monitoring the behaviour of Data Subjects in the EU, in so far as the behaviour takes place in the EU.
Subject to the geographical reach of its activities, the GDPR might apply to our Business. This policy applies to all employees, contractors, and third-party service providers who collect, process, store or manage personal data of individuals in the EU.
3. Roles and Responsibilities
If the GDPR applies to our Business, our Business must determine its role, namely whether it is a Data Controller or a Data Processor.
Data Controllers
Our Business is a Data Controller if it determines the purposes and means of processing Personal Data.
Data Controllers must demonstrate compliance with all of the GDPR’s principles and their responsibilities include:
- Undertaking a compulsory data protection impact assessment (DPIA) before commencing data processing of EU individuals;
- Consulting with a relevant supervisory authority before processing begins if the DPIA indicates processing operations pose a high risk to the rights and freedoms of EU individuals;
- Implementing a ‘privacy by design and default’ approach to indicate that effective measures to protect personal data are integrated into processing activities from the very beginning;
- Maintaining records of processing activities under their responsibility; and
- Establishing codes of conduct for their specific sector, business or department that ensure appropriate application of GDPR principles.
Data Processors
Our Business is a Data Processor if it processes data on behalf of a Data Controller.
The responsibilities of a Data Processor include:
- Processing data only in accordance with the documented instructions from the controller;
- Ensuring data security and confidentiality;
- Only engaging another processor with the authorisation of the data controller;
- Assisting the Data Controller to meet its responsibilities relating to security obligations, including DPIAs and notifications of data breaches; and
- Implementing technical and organisational measures appropriate to the level of risk posed to the rights and freedoms of individuals.
4. Data Protection Impact Assessments (DPIAs)
Data Protection Impact Assessments (DPIAs) are required if data processing involves:
- Systematic and extensive evaluation of personal data, including profiling;
- Processing special category data (e.g. racial or ethnic origin, political opinions, religious beliefs);
- Processing data related to criminal convictions and offences; and
- Large-scale monitoring of publicly accessible areas.
5. EU Representative Appointment
If our Business must comply with the GDPR, it must appoint an EU representative unless its data processing is occasional and not high risk and there is no special category data or criminal conviction data processed.
6. Privacy Notices and Consent
Our Business must ensure its privacy notices and policies:
- Align with GDPR principles;
- Clarify data processing purposes and the lawful basis for such processing;
- Confirm that individuals over 16 years of age can consent to data processing, while minors require parental consent; and
- Provide individuals with the right to access, rectify, erase, and restrict their data processing.
Explicit consent must be obtained via a clear affirmative action, such as a checkbox on online forms.
7. Data Subject Rights
Our Business must facilitate the exercise of the following rights under GDPR:
- Right to access personal data;
- Right to rectification of inaccurate data;
- Right to erasure (“right to be forgotten”);
- Right to restrict processing; and
- Right to data portability.
8. Staff Training and Compliance Manual
All staff of our Business must be trained on GDPR compliance and understand their obligations in handling personal data. A privacy compliance manual must be developed and maintained where our Business is required to comply with the GDPR.
9. Security Measures
Our Business must implement security measures to protect personal data, including:
- Encryption and pseudonymization of personal data;
- Regular data protection assessments; and
- Access controls and audit trails.
10. Data Breach Notification and External Reporting
Controllers are required to report data breaches to the relevant Data Protection Authority within 72 hours, and to affected individuals if the breach poses a high risk to their rights and freedoms.
In Australia – Contact the Australian Federal Police (AFP) at 131 237 or NOSSC-Client-Liaison@afp.gov.au.
For international cases – Report to the Australian Border Force at slavery.consultations@abf.gov.au.
11. Amendments
We may, at any time and at our discretion, vary this policy as required to reflect any changes in legal and regulatory requirements.
12. Breaches
Conduct which breaches this policy is unacceptable. Depending on the severity and circumstances, breach of this policy may lead to disciplinary action, regardless of the seniority of the particular individuals involved.
13. Effective Date
This policy is effective as of 20th January 2025 and shall be formally reviewed annually and updated in consultation with internal and external stakeholders, ensuring alignment with any legislative amendments.
14. Authorisation
Name: Charles Safapour
Position: CEO
The GDPR
The GDPR is a piece of progressive and impactful privacy legislation which provides a legal framework for the use of personal information by organisations established in the EU. It came into effect on 25 May 2018.
Next Step Medical considers the GDPR to be an overwhelming win for human rights. Data protection laws such as the GDPR are crucial to protect and empower people online, ensuring that they remain in control of their personal information.
Definitions
Consent
“Consent” means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her;
Controller
“Controller” means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of Personal Data;
Data Breaches
“Data Breaches” means breaches of security leading to the accidental or unlawful destruction or loss, alteration, unauthorised disclosure of, or access to, Personal Data.
ICO
“ICO” means the Information Commissioner’s Office, which is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
Personal Data
“Personal Data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
(Note: the definition of Personal Data has become broader under the GDPR, reflecting changes in technology and the way organisations collect information about people.)
Processing
“Processing” means any operation or set of operations performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
Processor
“Processor” means a natural or legal person, public authority, agency or any other body which processes Personal Data on behalf of the Controller.
Sensitive Personal Data
“Sensitive Personal Data” are Personal Data, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership; data concerning health or sex life and sexual orientation; genetic data or biometric data.
Scope
This policy applies to the information and systems controlled by Next Step Medical Ltd.
This policy applies to all Personal Data, including Sensitive Personal Data, that is collected and processed by Next Step Medical Ltd in the course of its business, or that is collected on the company’s behalf by other parties and processed by Next Step Medical Ltd, whether in electronic format in any medium or within structured paper filing systems.
The policy applies to anyone working on behalf of Next Step Medical Ltd, whether permanent, temporary, a volunteer, contractor, consultant or apprentice (hereafter referred to as ‘staff’).
Data Processors and Controllers
Based on the definitions above, Next Step Medical is both a Processor and a Controller of data in relation to its core activities. For example, in relation to recruitment and complaint investigations we collect people's personal details and determine candidates' suitability for employment (as Controller); we then use the data in our recruitment and store it in our IT systems (as Processor).
Next Step Medical will maintain a Record of Processing which sets out our key processing activities and the legal grounds on which we process data.
Where Next Step Medical uses a third party to act as either the Controller or Processor we will put in place a data processing agreement that ensures the data will be handled in compliance with GDPR principles.
Data Protection Principles
Next Step Medical’s approach is underpinned by the data protection principles, which are set out at Article 5 of the GDPR, as follows. Data must be:
a) “processed lawfully, fairly and in a transparent manner in relation to individuals”;
This means there have to be lawful grounds for collecting the data and it must not have a negative effect on the person or be used in a way they wouldn’t expect.
b) “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, or statistical purposes shall not be considered to be incompatible with the initial purposes”;
Data should be collected for specified and explicit purposes and not used in a way someone wouldn’t expect.
c) “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”;
It must be clear why the data is being collected and what will be done with it. Unnecessary data or information without any purpose should not be collected.
d) “accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that Personal Data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay”;
Reasonable steps must be taken to keep the information up to date and to change it if it is inaccurate.
e) “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the Personal Data are processed; Personal Data may be stored for longer periods insofar as the Personal Data will be processed solely for archiving purposes in the public interest, scientific or historical purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals”;
Data should not be kept for longer than is needed, and it must be properly destroyed or deleted when it is no longer used or goes out of date.
f) “processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
Data should be processed in a way that ensures appropriate security, including protection against unauthorised or unlawful Processing, loss, damage or destruction, and kept safe and secure.
Article 5 says that the Controller shall be responsible for, and be able to demonstrate, compliance with the principles.
WE WILL COMPLY WITH THE GDPR PRINCIPLES IN THE FOLLOWING WAYS
Principle a): LAWFUL BASIS FOR PROCESSING
Next Step Medical will document the legal basis for its key data processing activities in its Record of Processing.
(i) Consent
All systems that collect Personal Data are required to prominently display a privacy policy that clearly outlines the purposes for which Next Step Medical will use the information. We will use an opt-in model to acquire Consent. This means we ask the data subject to confirm whether or not they are happy for us to continue to collect and use their data by ‘opting in’; we explain that data will be used in accordance with our Privacy Policy (providing a link to the policy); and we make clear that consent can be withdrawn at any time. Clear and easy methods must be provided for the withdrawal of consent.
Consent should be kept under review and refreshed if anything changes.
(ii) Other legal bases
The following alternative legal bases are available under GDPR:
- Where it is necessary for the performance of a contract with the data subject or to take steps preparatory to such a contract.
- Where it is necessary to collect the data to comply with a legal obligation.
- Where it is necessary to protect the vital interests of a data subject or another person where the data subject is incapable of giving consent.
- Where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Where it is necessary for the purposes of legitimate interests.
The GDPR also allows EU member states to provide various exemptions, derogations, conditions or rules in relation to specific processing activities. One relevant area is processing for archiving purposes and for scientific or historical research and statistical purposes.
Examples of where Next Step Medical Ltd processes Personal Data under these bases are as follows:
- Legitimate interest: our processing of staff data; contact information for target audiences in our media, advocacy and campaigning work;
- Vital interests: obtaining data on human rights abuses and in some cases for safeguarding purposes.
Retention Principle
A reasonable expiry date should be set against Consent after which Consent should be refreshed or the data should be deleted, anonymised or accessioned to the archive for research purposes. A reasonable expiry period should reflect the realistic expectation of the data subject when Consent was obtained.
Retention schedules will be implemented and reviewed regularly to ensure that data is kept for the appropriate length of time. Further details of relevant retention schedules can be found in the GDPR Suite SharePoint site.
Security and Integrity
Next Step Medical will ensure that Data Processing Agreements are applied to all contracts and management agreements where Next Step Medical is the Controller contracting out services and Processing of Personal Data to third parties (data processors).
Staff will report any actual, near-miss or suspected Data Breaches to the relevant parties in line with this policy, and the compliance manager will ensure that all employees are aware of their responsibilities to report Data Breaches.
Next Step Medical will adopt a privacy-by-design approach when creating or adapting processes, policies and systems that are associated with Personal Data. Privacy Impact Assessments will be carried out where appropriate.
Accountability
The GDPR states that a data controller must be responsible for and must be able to demonstrate compliance with the data protection principles.
At Next Step Medical the Compliance Team and the team manager will be responsible for monitoring the implementation of measures that meet the principles of data protection expressed in this policy.
The company will maintain a register of all systems under Next Step Medical Ltd's control that contain personal information and a register of all relevant Processing activities. It is the responsibility of the compliance manager to ensure that these registers are kept up to date.
A basic level of data protection training is mandatory for all Next Step Medical temporary workers and will be refreshed at regular intervals.
Individual Rights
Everyone has the right to request a copy, free of charge, of the information held on them by Next Step Medical and to withdraw their Consent for the further Processing of that data. They may also request that it be amended or deleted if inaccurate, excessive or out of date.
All Next Step Medical employees, as well as temporary staff, have the right to request the deletion or removal of Personal Data where there is no compelling reason for its continued Processing. A take-down (right to be forgotten) process is maintained by the Compliance team.
Responsibilities
It is the responsibility of Next Step Medical Ltd to provide and maintain the systems and frameworks for implementing and monitoring the use of Personal Data to ensure it complies with the data protection policy.
It is the responsibility of each Next Step Medical employee to process information in line with the data protection policy and the six principles of data protection.
