Visit our FAQs or Contact Us by completing our online form.
About us
Policies and Forms
Background
CPD Home is committed to maintaining the accuracy, availability, integrity, and confidentiality of all the data it collects, holds, and utilises in conducting its business operations, including providing CPD services to its subscribers and in meeting its obligations as an accredited CPD Home.
CPD Home collects a range of data about individuals and organisations with whom it does, or may do, business with. It collects this data to:
- support subscribers meet their CPD requirements
- make strategic decisions about its operations
- improve its products and services
- inform decisions about available learning content
- meet its reporting requirements to the:
- Medical Board of Australia (MBA)
- Australian Medical Council (AMC)
- Doctorportal Learning Board.
Purpose
To provide guidance and direction on the management of CPD Home data throughout the information lifecycle, and to demonstrate how we comply with the law.
Objective
To outline how CPD Home:
- complies with data protection law and follows good practice
- protects the rights of customers, staff and learning providers
- is transparent about how it stores and processes individuals’ data
- protects itself from the risks of a data breach.
Scope
This policy applies to all subscribers, learning providers and employees of CPD Home.
Definitions
Please refer to the Glossary for definition(s) of terms that apply to this policy.
Policy
Data Governance
CPD Home aims to manage our data assets securely, safely, effectively, and efficiently. With a focus on continuous improvement, the
Data Management Committee contributes to decisions on the collection and management of data, proactively defines data rules, resolves data issues, and fosters an organisational approach to data handling.
Data Management Committee
The Data Management Committee reports to the Doctorportal Learning Board. The Committee consists of the following:
- Data Protection Officer
- IT Manager
- Technical Lead
- Web Project Lead
Data Management
CPD Home will only collect information and data pertaining to individuals or organisations it does, or may do business with, that is directly related to, or reasonably necessary for one or more of our functions or activities.
The types of information we typically collect include:
- names, addresses and phone numbers
- email addresses
- bank account or credit card details (for subscriber or learning provider payments)
- professional details, including type of profession, career stage, Ahpra registration number, practice, scope of practice, position, work setting, areas of learning focus, CPD activities undertaken and related documentary evidence, professional develop plan and learning reflections
- details of service and learning purchases, including learning module completions and views
- AMA membership status
- information pertaining to complaints or disputes
- information pertaining to a special consideration for exceptional circumstance
- IP addresses and utilised device information for web-based interactions
- date and time of web or email interactions.
We collect this information to:
- provide targeted and effective services to subscribers
- maintain our subscriber and learning provider lists
- co-ordinate and manage our staff
- communicate with subscribers, learning providers and governing officials
- account for activities or expenses
- provide supporting evidence to inform and justify improvements to service offerings or provision
- meet our reporting obligations.
CPD Home processes data as outlined in following examples:
| Outcome/Use | Processing required | Data to be processed | Conditions for processing | Evidence of lawful basis |
|---|---|---|---|---|
| CPD Home services | Completion of Learning Profile | Name, contact details, professional details | Consent – implied | Subscriber inputs data required – in so doing agrees to Terms and Conditions of Use. |
| Newsletter | Quarterly email mailout of newsletter | Email Mail Merge (Informz) name and email address from subscriber database | Consent – implied unless advised otherwise. | Subscribers can unsubscribe from newsletter. Date of ceasing subscription and reason for recorded on subscriber file. |
| Audit Report | Quarterly primary and secondary audits reports run of CPD activity | Report on subscriber: · presence of a personal development plan · hours of CPD activity record | Consent – implied | Signed on as a subscriber |
| Notifications | Quarterly email mail merge | At risk subscribers as per Audit policy identified by audit report and an email using those names and emails. Notification reflects the failed parameters as per Audit Policy | Consent – implied | Signed on as a subscriber. Subscribers can unsubscribe from CPD Home. Date of ceasing subscription and reason for recorded on subscriber file. |
| Personal contact | Inactive at-risk subscribers phoned | Secondary audit report identifies no activity in response to notification email | Consent – sought at time of contact | Date and time Recorded in subscriber file |
| CPD Statement of Completion | 4th quarter audit report identifies compliant subscribers | Presence of written CPD Plan including goals reflection, and 100% of required CPD Hours completed | Consent – implied | Signed on as a subscriber |
| Applications for exemption | Application received and put to CPD Advisor Panel for consideration given | Reasons for exemption | Consent – implied | Application received |
| Granting an exemption | Notification of request outcome | Correspondence to subscriber using their name and address. Populating data field in subscriber record to indicate an exemption | Consent – implied | Application received |
| Complaints | Record date, time and nature of complaint | Correspondence to subscriber Name and email address Population of data Complaints Register | Consent – implied | Complaint received |
Most of the information collected will be provided directly by the subscriber or the learning provider wishing to engage with CPD Home and its service offerings.
Subscribers on creating an account with CPD Home will be required to create a password (minimum 7 characters, including at least one letter and number), to declare they are not a robot, and are advised that in signing up they accept our user terms and encouraged to read our privacy policy.
CPD Home may also collect personal information indirectly via publicly available sources such as websites, social media, directories and databases. Personal information may also be collected indirectly while providing a service or managing a complaint. This may include via authorised representatives of the individual; CPD activity supporting documents; CPD Home staff or service providers; regulatory bodies authorities and bodies, professional or specialist societies or associations.
Consent
Subscribers or learning providers have the choice to engage with CPD Home and in so doing implicitly consent to CPD Home collecting and utilising their personal information for the purposes outlined above.
Anonymity and pseudonymity
There is no option of anonymity and pseudonymity for CPD Home subscribers or learning providers. It is impractical for CPD Home to operate and meet its obligations without knowing for whom it is providing a CPD Home service.
Storage
Subscriber and learning provider information is stored in electronic systems housed in the Cloud under our control. We take appropriate steps to protect the security of the information we hold, including protections against unauthorised access, virus or other electronic intrusions, fire, theft or loss. We require any contracted providers of IT services to do the same.
Our contracts with contracted providers of IT services require them to protect the privacy of your information when held on either their servers and/or the Cloud. Our contractors are also required to comply with the Privacy Act 1988 (Cth).
Management and retention
All personal information collected by CPD Home is managed in a responsible, secure manner, in compliance with the Privacy Act 1988.
We generally keep your personal information active for as long as is reasonably required to enable us to meet your needs and our obligations as your CPD Home.
When a subscriber becomes a non-subscriber all the information that CPD Home holds about them will be no longer accessible from 1 July the year following the CPD year that they ceased to be a subscriber.
We keep subscriber records and other personal information on file to enable us to undertake statistical and historical analysis and reporting. As part of our data security, we fully back-up and archive our electronic databases fortnightly, with a point-in-time snapshot taken every day.
Access to personal information
All subscribers (current and former) and staff or representatives of learning providers can access what personal information we hold about them by contacting the CPD Home team by email: enquiries@cpdhome.org.au
All subscribers will be able to download a record of their CPD activities for a CPD year. This information will be archived each year at six months from the end of each CPD year and retained for up to 7 years.
Only authorised CPD Home staff will have access to subscriber’s personal information where that access is necessary for the provision of CPD Home services. For example, when supporting a subscriber at risk of not meeting their CPD requirements.
Correcting personal information
CPD Home subscribers can easily update their information by visiting www.cpdhome.org.au or by contacting the CPD Home team by email: enquiries@cpdhome.org.au
CPD Home will update and replace contact details for representatives or staff of learning providers as advised.
Disclosure of personal information
CPD Home will not disclose personal information without an individual’s express written consent except:
- when required to facilitate access to required high-level learning
- when reporting subscriber compliance with the CPD Home Learning Program to the MBA
- where required by or authorised to do so under the law.
Sensitive information
Aside from identifying if a subscriber is a member of the AMA for accessing discounted rates on CPD Home learning content, CPD Home does not routinely collect any sensitive information about its subscribers or learning provider representatives.
Where sensitive information may be provided to CPD Home by the subscriber themselves, or an authorised representative of the subscriber, such as when applying for exemption, that information will be treated as confidential and will only be retained for as long as is necessary.
Unsolicited information
No unsolicited personal or sensitive information about another individual will be retained by CPD Home.
Should CPD Home receive unsolicited personal or sensitive information about an individual, the DPO will assess if CPD Home could have collected the information if it had solicited it. Where it could have, it will notify the individual concerned in line with APP 5. Where it could not have, the information will be at a minimum de-identified, redacted, or as lawful and reasonable to do so, destroyed.
Communications and direct marketing
CPD Home will use personal information collected from subscribers and learning provider representatives to contact them:
- where, as a subscriber, they are at risk of not completing their CPD requirements
- to keep them informed about CPD Home services, products, events and publications
- to survey them to inform ongoing improvements to CPD Home offerings and services.
Other than for communications which we may be legally required to issue, or which are required as per our obligations as an accredited CPD home to send, subscribers or certified learning providers will have the ability to unsubscribe from the communication if they no longer wish to receive it. Upon unsubscribing, the individual will be asked to indicate their reason for unsubscribing to help inform our quality improvement efforts, and a confirmation email will be sent.
Data sharing and cross-border disclosure
CPD Home will not sell or license your information.
CPD Home may from time-to-time report on the operations, services and activities of the CPD Home to other organisations within the AMA Group and to existing or potential certified learning providers (who may be based overseas). These reports will utilise de-identified and aggregated data only.
Where a CPD Home subscriber undertakes learning with one of our certified learning providers and the Subscriber ID is provide at the time of registration, the certified learning provider will upload the completion record to the CPD Tracker on the subscriber’s behalf unless otherwise stated in the CPD Home Catalogue.
CPD Home in line with our reporting requirements as an AMC-accredited CPD Home will provide compliance reports on CPD Home subscribers to Ahpra. At a minimum this report will include the subscriber’s Ahpra MED number and a status indicator of “compliant”.
Use of government related identifiers
CPD Home when reporting on subscriber compliance to the MBA will utilise the subscriber’s Ahpra Number (as provided by the subscriber) to identify them to the MBA.
Security measures
Subscriber information is accessible to individual subscribers via their password. Subscribers are responsible for maintaining the security of their password. Passwords:
- cannot contain the user’s account name or parts of the user’s full name that exceed two consecutive characters
- must be at least eight characters in length
- must contain characters from three of the following four categories:
- English uppercase characters (A through Z)
- English lowercase characters (a through z)
- base 10 digits (0 through 9)
- non-alphabetic characters (for example, !, $, #, %)
Use of and access to subscriber information is restricted to authorised CPD Home staff. CPD Home staff are required under their conditions of employment to be aware of and comply with our privacy policy and procedures.
Multi-factor authentication is utilised across all data and systems access points.
CPD Home data is securely stored in the Cloud using best practice security standards. AMA (WA) also maintains firewalls for itself and subsidiary businesses, such as CPD Home.
All incoming emails and attachments are scanned for any malicious content. CPD Home staff are also provided with regular security awareness training to prevent any compromise to our systems through cyber-attacks of any kind.
The data we hold in our electronic databases is fully backup and archived fortnightly, with a point-in-time snapshot taken every day to facilitate any required data restoration. AMA (WA) blocks access to the CPD Home system from unauthorised overseas IP addresses.
Wherever CPD Home is required to email personal (including any sensitive) information or confidential information we will encrypt the email to ensure the security of its contents.
As per our Data Breach Response Plan anyone who collects, accesses, maintains, distributes, processes, protects, stores, uses, transmits, disposes of, or otherwise handles personally identifiable information or Protected Health Information (PHI) of CPD Home subscribers is required to notify a member of their Management Team if they know or suspect there has been a data breach. See our Data Breach Response Plan for our process on handling data breaches.
Automated processes
CPD Home will use automated processes for:
- monitoring subscribers’ compliance with their CPD requirements
- notifying ‘at risk subscribers’ via a pre-populated email identifying:
- whether a CPD Plan is in place
- how many hours of CPD activity have been completed
- percentage of recorded activities for which supporting documentation has been uploaded
- reminder of obligations under the CPD Program
- required action
- contact details for CPD Home
- reporting subscribers’ compliance to Ahpra
- transferring subscriber data upon moving to a new CPD Home
- reporting number of incoming and outgoing subscribers.
The integrity of automated notification emails will be randomly audited by the Technical Lead before each mailout.
Outgoing subscriber
Subscriber data is exported to a .CSV file for easy configuration and importation by an alternate CPD home. The data extraction including the individual’s:
- name
- Ahpra number
- professional details
- written CPD Plan
- record of completed CPD activities
- accrued CPD hours
- CPD Statement of Completion (where available).
An additional extraction of an individual’s uploaded supporting documentation is also available. The .CSV file, along with a copy of any uploaded supporting documents, will be sent to the subscriber by encrypted email.
Incoming subscriber
Data received for an incoming subscriber is scanned for any malicious content before being compiled into compatible data sets for importation into the new subscriber’s record.
Monitoring data transfers
CPD Home will annually monitor, through SQL queries, the number of subscriber data records exported or imported for reporting on incoming/outgoing subscriber activity. (Please see also our Data Transfer Policy.)
Compliance
CPD Home has the following measures in place to ensure and demonstrate compliance with the Privacy Act 1988:
- Privacy Policy – available on CPD Home website
- Subscriber User Terms – available on CPD Home website
- Data Breach Response Plan.
Related Documents / Legislation
The following documents are related to this policy.
- The Privacy Act 1988
- CPD Home Privacy Policy
- CPD Home Data Breach Response Plan.
Appendices
- Glossary
Version Tracking
| Version | Date | Comments |
|---|---|---|
| 1.0 | December 2022 | |
| 1.1 | August 2024 | Updated Introduction to reflect the joint ownership of CPD Home. Minor amendments to reflect consistent language referring to the types of conflicts. Replaced AMA (WA) Board with Doctorportal Learning Board, and AMA (WA) CEO with Executive Lead to reflect current SOP. Amended AMA (WA) Code of Conduct and Conditions of Employment to dpl Limited Code of Conduct and Conditions of Employment. Removed unrelated glossary terms. |
| 1.2 | October 2024 | Added Definitions statement and edited glossary. Transferred roles and responsibilities to SOP. Updated minor amendments. |
| 1.3 | July 2025 | Replaced CPD Home Board with Doctorportal Learning Board. |
| 1.4 | October 2025 | Updated minor amendments. |
| 1.5 | July 2025 | Replaced CPD Home Board with Doctorportal Learning Board. |
| 1.6 | October 2025 | Replaced Executive Lead with Data Protection Officer. Replaced ‘special consideration and exceptional circumstance’ with ‘exemption’. Updated minor amendments. |
Appendix 1
Glossary
| Term | Definition |
|---|---|
| Ahpra | Australian Health Practitioner Regulation Agency |
| Complaint | Dissatisfaction or concern about the conduct or actions of CPD Home expressed in a written complaint submitted via the CPD Home Complaint Form by a: · Subscriber to CPD Home services · CPD Home Education or Service Provider, or · member of an CPD Home decision making or advisory entity. |
| CPD Tracker | CPD Home’s online tracking tool enabling subscribers to record courses, events and other completed CPD activities. Each CPD activity record includes the length of time, area for self-reflection and optional storage of learning evidence. |
| CPD year | CPD year commences 1 January and concludes 31 December. |
| .CSV file | Comma Separated Value is an electronic file in which the data in each data field is separated by a comma. |
| Decision maker | Any person or persons making decisions for or on behalf of CPD Home. |
| Exemption | CPD requirements for the CPD year are waived in part or full. |
| Frivolous report or complaint | The matter giving rise to the report or complaint is minor or trivial, vague or poorly explained, inhibiting its investigation, or unable to be substantiated. |
| Inactive subscriber | A subscriber who has failed to complete any learning or record any completed CPD activities on the CPD Tracker will be considered inactive. An inactive subscriber will not be provided with a CPD Home Statement of Completion for the CPD year they have been inactive. If an active subscriber fails to renew their subscription, they will be declared a non-subscriber and their details will be deleted. |
| Malicious content | Content that appears to be motivated by a purpose that is dishonest and intended to cause harm. |
| Non-subscriber | A subscriber will become a non-subscriber when: · they cancel their subscription · their subscription renewal remains unpaid after 30 days from the due date, or · they have been inactive on the CPD Tracker for 90 days after the last login, · whichever occurs first. |
| Outgoing subscriber | Subscribers who are moving to a different CPD home provider. |
| Participating subscriber | Subscribers to CPD Home who do not have an exemption and who by default are participating in the CPD Program. |
| Personal information | Personal information includes a broad range of information such as name, gender, contact details, financial information and may also include other personal information (e.g. professional details) or an opinion, that could identify an individual. What is personal information will vary, depending on whether a person can be identified or is reasonably identifiable in the circumstances. |
| Point-in-time snapshot | A point-in-time snapshot is a copy of a storage volume, file or database as they appeared at a given point in time and is used as a method of data protection. In the event of a data failure, data can be restored from the most recent snapshot before the failure. |
| Professional details | Professional details include information such as qualifications, scope of practice, specialty or specialties, employment information (status, type, role) and educational/supervisory/research activities. |
| Sensitive information | Sensitive information is personal information that includes information or an opinion about an individual’s: · racial or ethnic origin · political opinions or associations · religious or philosophical beliefs · trade union membership or associations · sexual orientation or practices · criminal record · health or genetic information · some aspects of biometric information. |