Background
CPD Home is committed to maintaining the accuracy, availability, integrity, and confidentiality of all the data it collects, holds, and utilises in conducting its business operations, including providing CPD services to its subscribers and in meeting its obligations as an accredited CPD Home. CPD Home collects a range of data about individuals and organisations with whom it does, or may do, business. It collects this data to:
- support subscribers to meet their CPD requirements
- make strategic decisions about its operations
- improve its products and services
- inform decisions about available learning content
- meet its reporting requirements to the:
  - Medical Board of Australia (MBA)
  - Australian Medical Council (AMC)
  - Doctorportal Learning Board.
Purpose
To provide guidance and direction on the management of CPD Home data throughout the information lifecycle, and to demonstrate how we comply with the law.
Objective
To outline how CPD Home:
- complies with data protection law and follows good practice
- protects the rights of customers, staff and learning providers
- is transparent about how it stores and processes individuals’ data
- protects itself from the risks of a data breach.
Scope
This policy applies to all subscribers, learning providers and employees of CPD Home.
Definitions
Please refer to the Glossary for definition(s) of terms that apply to this policy.
Policy
Data Governance
CPD Home aims to manage our data assets securely, safely, effectively, and efficiently. With a focus on continuous improvement, the Data Management Committee contributes to decisions on the collection and management of data, proactively defines data rules, resolves data issues, and fosters an organisational approach to data handling.
Data Management Committee
The Data Management Committee reports to the Doctorportal Learning Board. The Committee consists of the following:
- Data Protection Officer
- IT Manager
- Technical Lead
- Web Project Lead
Data Management
CPD Home will only collect information and data pertaining to individuals or organisations it does, or may do, business with that is directly related to, or reasonably necessary for, one or more of our functions or activities. The types of information we typically collect include:
- names, addresses and phone numbers
- email addresses
- bank account or credit card details (for subscriber or learning provider payments)
- professional details, including type of profession, career stage, Ahpra registration number, practice, scope of practice, position, work setting, areas of learning focus, CPD activities undertaken and related documentary evidence, professional development plan and learning reflections
- details of service and learning purchases, including learning module completions and views
- AMA membership status
- information pertaining to complaints or disputes
- information pertaining to a special consideration for exceptional circumstance
- IP addresses and utilised device information for web-based interactions
- date and time of web or email interactions.
We collect this information to:
- provide targeted and effective services to subscribers
- maintain our subscriber and learning provider lists
- co-ordinate and manage our staff
- communicate with subscribers, learning providers and governing officials
- account for activities or expenses
- provide supporting evidence to inform and justify improvements to service offerings or provision
- meet our reporting obligations.
CPD Home processes data as outlined in the following examples:
| Outcome/Use | Processing required | Data to be processed | Conditions for processing | Evidence of lawful basis |
|---|---|---|---|---|
| CPD Home services | Completion of Learning Profile | Name, contact details, professional details | Consent – implied | Subscriber inputs data required – in so doing agrees to Terms and Conditions of Use. |
| Newsletter | Quarterly email mailout of newsletter | Email mail merge (Informz): name and email address from subscriber database | Consent – implied unless advised otherwise. | Subscribers can unsubscribe from newsletter. Date of ceasing subscription and reason for ceasing recorded on subscriber file. |
| Audit Report | Quarterly primary and secondary audit reports run on CPD activity | Report on subscriber: presence of a personal development plan; hours of CPD activity recorded | Consent – implied | Signed on as a subscriber |
| Notifications | Quarterly email mail merge | At-risk subscribers (as per Audit Policy) identified by audit report, and an email using those names and emails. Notification reflects the failed parameters as per Audit Policy | Consent – implied | Signed on as a subscriber. Subscribers can unsubscribe from CPD Home. Date of ceasing subscription and reason for ceasing recorded on subscriber file. |
| Personal contact | Inactive at-risk subscribers phoned | Secondary audit report identifies no activity in response to notification email | Consent – sought at time of contact | Date and time recorded in subscriber file |
| CPD Statement of Completion | 4th quarter audit report identifies compliant subscribers | Presence of written CPD Plan including goals reflection, and 100% of required CPD Hours completed | Consent – implied | Signed on as a subscriber |
| Applications for exemption | Application received and put to CPD Advisor Panel for consideration given | Reasons for exemption | Consent – implied | Application received |
| Granting an exemption | Notification of request outcome | Correspondence to subscriber using their name and address. Populating data field in subscriber record to indicate an exemption | Consent – implied | Application received |
| Complaints | Record date, time and nature of complaint | Correspondence to subscriber; name and email address; population of data in Complaints Register | Consent – implied | Complaint received |
Most of the information collected will be provided directly by the subscriber or the learning provider wishing to engage with CPD Home and its service offerings. On creating an account with CPD Home, subscribers will be required to create a password (minimum 7 characters, including at least one letter and number) and to declare they are not a robot. They are advised that in signing up they accept our user terms, and are encouraged to read our privacy policy. CPD Home may also collect personal information indirectly via publicly available sources such as websites, social media, directories and databases. Personal information may also be collected indirectly while providing a service or managing a complaint. This may include collection via authorised representatives of the individual; CPD activity supporting documents; CPD Home staff or service providers; regulatory authorities and bodies; and professional or specialist societies or associations.
Consent
Subscribers or learning providers have the choice to engage with CPD Home and in so doing implicitly consent to CPD Home collecting and utilising their personal information for the purposes outlined above.
Anonymity and pseudonymity
There is no option of anonymity and pseudonymity for CPD Home subscribers or learning providers. It is impractical for CPD Home to operate and meet its obligations without knowing for whom it is providing a CPD Home service.
Storage
Subscriber and learning provider information is stored in electronic systems housed in the Cloud under our control. We take appropriate steps to protect the security of the information we hold, including protections against unauthorised access, virus or other electronic intrusions, fire, theft or loss. We require any contracted providers of IT services to do the same. Our contracts with contracted providers of IT services require them to protect the privacy of your information when held on either their servers and/or the Cloud. Our contractors are also required to comply with the Privacy Act 1988 (Cth).
Management and retention
All personal information collected by CPD Home is managed in a responsible, secure manner, in compliance with the Privacy Act 1988. We generally keep your personal information active for as long as is reasonably required to enable us to meet your needs and our obligations as your CPD Home. When a subscriber becomes a non-subscriber, all the information that CPD Home holds about them will no longer be accessible from 1 July the year following the CPD year that they ceased to be a subscriber. We keep subscriber records and other personal information on file to enable us to undertake statistical and historical analysis and reporting. As part of our data security, we fully back up and archive our electronic databases fortnightly, with a point-in-time snapshot taken every day.
Access to personal information
All subscribers (current and former) and staff or representatives of learning providers can access what personal information we hold about them by contacting the CPD Home team by email: enquiries@cpdhome.org.au
All subscribers will be able to download a record of their CPD activities for a CPD year. This information will be archived each year at six months from the end of each CPD year and retained for up to 7 years. Only authorised CPD Home staff will have access to subscribers’ personal information where that access is necessary for the provision of CPD Home services, for example, when supporting a subscriber at risk of not meeting their CPD requirements.
Correcting personal information
CPD Home subscribers can easily update their information by visiting www.cpdhome.org.au or by contacting the CPD Home team by email: enquiries@cpdhome.org.au
CPD Home will update and replace contact details for representatives or staff of learning providers as advised.
Disclosure of personal information
CPD Home will not disclose personal information without an individual’s express written consent except:
- when required to facilitate access to required high-level learning
- when reporting subscriber compliance with the CPD Home Learning Program to the MBA
- where required by or authorised to do so under the law.
Sensitive information
Aside from identifying if a subscriber is a member of the AMA for accessing discounted rates on CPD Home learning content, CPD Home does not routinely collect any sensitive information about its subscribers or learning provider representatives. Where sensitive information may be provided to CPD Home by the subscriber themselves, or an authorised representative of the subscriber, such as when applying for exemption, that information will be treated as confidential and will only be retained for as long as is necessary.
Unsolicited information
No unsolicited personal or sensitive information about another individual will be retained by CPD Home. Should CPD Home receive unsolicited personal or sensitive information about an individual, the DPO will assess if CPD Home could have collected the information if it had solicited it. Where it could have, it will notify the individual concerned in line with APP 5. Where it could not have, the information will be, at a minimum, de-identified, redacted, or, where lawful and reasonable to do so, destroyed.
Communications and direct marketing
CPD Home will use personal information collected from subscribers and learning provider representatives to contact them:
- where, as a subscriber, they are at risk of not completing their CPD requirements
- to keep them informed about CPD Home services, products, events and publications
- to survey them to inform ongoing improvements to CPD Home offerings and services.
Other than for communications which we may be legally required to issue, or which are required as per our obligations as an accredited CPD home to send, subscribers or certified learning providers will have the ability to unsubscribe from the communication if they no longer wish to receive it. Upon unsubscribing, the individual will be asked to indicate their reason for unsubscribing to help inform our quality improvement efforts, and a confirmation email will be sent.
Data sharing and cross-border disclosure
CPD Home will not sell or license your information. CPD Home may from time to time report on the operations, services and activities of the CPD Home to other organisations within the AMA Group and to existing or potential certified learning providers (who may be based overseas). These reports will utilise de-identified and aggregated data only. Where a CPD Home subscriber undertakes learning with one of our certified learning providers and the Subscriber ID is provided at the time of registration, the certified learning provider will upload the completion record to the CPD Tracker on the subscriber’s behalf unless otherwise stated in the CPD Home Catalogue. In line with our reporting requirements as an AMC-accredited CPD Home, CPD Home will provide compliance reports on CPD Home subscribers to Ahpra. At a minimum this report will include the subscriber’s Ahpra MED number and a status indicator of “compliant”.
Use of government related identifiers
When reporting on subscriber compliance to the MBA, CPD Home will utilise the subscriber’s Ahpra Number (as provided by the subscriber) to identify them to the MBA.
Security measures
Subscriber information is accessible to individual subscribers via their password. Subscribers are responsible for maintaining the security of their password. Passwords:
- cannot contain the user’s account name or parts of the user’s full name that exceed two consecutive characters
- must be at least eight characters in length
- must contain characters from three of the following four categories:
  - English uppercase characters (A through Z)
  - English lowercase characters (a through z)
  - base 10 digits (0 through 9)
  - non-alphabetic characters (for example, !, $, #, %)
Use of and access to subscriber information is restricted to authorised CPD Home staff. CPD Home staff are required under their conditions of employment to be aware of and comply with our privacy policy and procedures. Multi-factor authentication is utilised across all data and systems access points.
CPD Home data is securely stored in the Cloud using best practice security standards. AMA (WA) also maintains firewalls for itself and subsidiary businesses, such as CPD Home. All incoming emails and attachments are scanned for any malicious content. CPD Home staff are also provided with regular security awareness training to prevent any compromise to our systems through cyber-attacks of any kind. The data we hold in our electronic databases is fully backed up and archived fortnightly, with a point-in-time snapshot taken every day to facilitate any required data restoration. AMA (WA) blocks access to the CPD Home system from unauthorised overseas IP addresses. Wherever CPD Home is required to email personal (including any sensitive) information or confidential information, we will encrypt the email to ensure the security of its contents.
As per our Data Breach Response Plan, anyone who collects, accesses, maintains, distributes, processes, protects, stores, uses, transmits, disposes of, or otherwise handles personally identifiable information or Protected Health Information (PHI) of CPD Home subscribers is required to notify a member of their Management Team if they know or suspect there has been a data breach. See our Data Breach Response Plan for our process on handling data breaches.
Automated processes
CPD Home will use automated processes for:
- monitoring subscribers’ compliance with their CPD requirements
- notifying ‘at risk subscribers’ via a pre-populated email identifying:
  - whether a CPD Plan is in place
  - how many hours of CPD activity have been completed
  - percentage of recorded activities for which supporting documentation has been uploaded
  - reminder of obligations under the CPD Program
  - required action
  - contact details for CPD Home
- reporting subscribers’ compliance to Ahpra
- transferring subscriber data upon moving to a new CPD Home
- reporting number of incoming and outgoing subscribers.
The integrity of automated notification emails will be randomly audited by the Technical Lead before each mailout.
Outgoing subscriber
Subscriber data is exported to a .CSV file for easy configuration and importation by an alternate CPD home. The data extraction includes the individual’s:
- name
- Ahpra number
- professional details
- written CPD Plan
- record of completed CPD activities
- accrued CPD hours
- CPD Statement of Completion (where available).
An additional extraction of an individual’s uploaded supporting documentation is also available. The .CSV file, along with a copy of any uploaded supporting documents, will be sent to the subscriber by encrypted email.
Incoming subscriber
Data received for an incoming subscriber is scanned for any malicious content before being compiled into compatible data sets for importation into the new subscriber’s record.
Monitoring data transfers
CPD Home will annually monitor, through SQL queries, the number of subscriber data records exported or imported for reporting on incoming/outgoing subscriber activity. (Please see also our Data Transfer Policy.)