PRIVACY POLICY
I.
INTRODUCTION
This Privacy Policy (the "Policy") is adopted and published by Moana Digital Health Pty Ltd (ACN 694 101 052 / ABN 41 694 101 052), a proprietary limited company duly incorporated under the laws of the Commonwealth of Australia, trading as "Moana Digital Health" (the "Company", "we", "us", or "our"). Our registered office is at St Kilda Road, Melbourne, Victoria 3004, Australia.
This Policy governs the manner in which the Company collects, uses, processes, discloses, retains, and transfers personal data of natural persons (Data Subjects) through their interaction with our proprietary healthcare infrastructure platform, associated mobile and web applications, APIs, and related services (collectively, the Platform).
This Policy is enacted in compliance with the following data protection frameworks:
• Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) — primary governing framework
• Privacy Amendment (Notifiable Data Breaches) Act 2017 — data breach notification obligations
• Health Records Act 2001 (Vic) and equivalent state/territory health records legislation
• Regulation (EU) 2016/679 (GDPR) — for Data Subjects in the European Economic Area
• UK General Data Protection Regulation and Data Protection Act 2018 — for UK Data Subjects
• California Consumer Privacy Act (CCPA) as amended by the CPRA — for California residents
• Pacific Island data protection frameworks — including Fiji Information Act, PNG Privacy Act (where applicable), and equivalent legislation in Vanuatu, Samoa, Tonga, Solomon Islands, Kiribati, and other Pacific deployment jurisdictions
• OECD Privacy Guidelines (2013 Revision) and comparable international instruments
IMPORTANT NOTICE: Moana Digital Health is a technology infrastructure provider, not a healthcare provider. Where you access Moana services through a healthcare organisation (such as a hospital, clinic, or Ministry of Health), that organisation is the Data Controller responsible for your health information. Please refer to that organisation's own privacy policy. Moana acts as a Data Processor on that organisation's instructions.
II.
DEFINITIONS
For the purposes of this Policy, the following terms carry the following meanings:
Term | Definition |
Company / Moana | Moana Digital Health Pty Ltd (ACN 694 101 052 / ABN 41 694 101 052), the Data Processor of Personal Data processed through the Platform on behalf of healthcare organisation clients. |
Data Controller | The healthcare organisation (hospital, clinic, government health department) that determines the purposes and means of processing Personal Data through the Platform. |
Data Processor | Moana, which processes Personal Data on behalf of Data Controllers (healthcare organisations) pursuant to written agreements. |
Data Subject | Any natural person whose Personal Data is processed in connection with the Platform, including patients, healthcare professionals, and administrative staff. |
Health Data | Personal Data relating to a Data Subject's physical or mental health, constituting Special Category Data under GDPR Article 9(1) and sensitive information under the Privacy Act 1988 (Cth). |
Personal Data | Any information relating to an identified or identifiable natural person, consistent with Article 4(1) GDPR and the definition of "personal information" under the Privacy Act 1988 (Cth). |
Platform | The Moana Digital Health healthcare infrastructure software including EMR/EHR, clinical workflow, and health data interoperability services. |
Sensitive Information | Personal Data revealing health information, racial or ethnic origin, political opinions, religious beliefs, or other categories defined as "sensitive information" under Schedule 1 of the Privacy Act 1988 (Cth) and Article 9 GDPR. |
Supervisory Authority | An independent regulatory authority established to oversee compliance with data protection laws, including the OAIC (Australia), the EDPB (EU), the ICO (UK), and equivalent bodies in Pacific Island jurisdictions. |
III.
JURISDICTION AND SCOPE
3.1 Corporate Authority
This Policy governs all data processing activities carried out by Moana Digital Health Pty Ltd (ACN 694 101 052 / ABN 41 694 101 052), acting as Data Processor on behalf of its healthcare organisation clients. The Company maintains its principal place of business at St Kilda Road, Melbourne, Victoria 3004, Australia.
3.2 Governing Law
This Policy is primarily governed by and construed in accordance with the laws of the State of Victoria, Australia, and the Commonwealth of Australia. Where mandatory local data protection laws of a Data Subject's jurisdiction apply (including GDPR for EU residents, UK GDPR for UK residents, and Pacific Island laws for regional users), those laws apply in addition and Moana will comply with whichever affords the higher standard of protection.
3.3 Global Applicability
This Policy applies extraterritorially to all Data Subjects who access the Platform, regardless of their location, consistent with Article 3(2) GDPR and equivalent provisions. The higher standard principle applies: in the event of conflict, the provision affording the greater protection to the Data Subject shall prevail, consistent with Recital 10 GDPR and general principles of lex specialis.
IV.
LEGAL BASES FOR PROCESSING
Moana (as Data Processor) processes Personal Data on the instructions of healthcare organisation clients (Data Controllers). The following legal bases govern processing consistent with Article 6 GDPR, the APPs, and equivalent frameworks:
1. Contractual Necessity (GDPR Article 6(1)(b); APP 3)
Processing necessary to perform the MSA and provide Services, including: Platform operation, patient record management, clinical workflow management, system integrations, and Implementation Services.
2. Compliance with Legal Obligations (GDPR Article 6(1)(c); APP 3; PIPEDA s.7(3))
Processing required to comply with applicable legal obligations, including health records legislation, tax and financial reporting, notifiable data breach obligations, and lawful requests from courts or regulatory authorities.
3. Legitimate Interests (GDPR Article 6(1)(f); Recital 47; APP 3)
Processing necessary for Moana's legitimate interests in: Platform security and integrity monitoring; fraud prevention; abuse prevention; system diagnostics; and product improvement (using de-identified and aggregated technical data only), where those interests are not overridden by Data Subjects' rights.
4. Consent (GDPR Article 6(1)(a); APP 3)
Where required for specific processing activities (e.g., geolocation features, cookies), consent is obtained by the healthcare organisation as Data Controller. Consent may be withdrawn at any time without affecting the lawfulness of prior processing.
5. Vital Interests (GDPR Article 6(1)(d))
In exceptional circumstances, processing may be necessary to protect the vital interests of a Data Subject or another person where the Data Subject is physically or legally incapable of giving consent (e.g., emergency clinical scenarios).
V.
CATEGORIES OF PERSONAL DATA COLLECTED
In adherence to the principles of data minimisation and purpose limitation (Article 5(1)(b)-(c) GDPR; APP 3), the Platform processes only those categories of Personal Data that are adequate, relevant, and limited to what is necessary for the specified healthcare purposes. The following categories may be processed:
Category | Data Elements |
Identification & Contact | Full name, date of birth, gender, nationality, email address, mobile number, postal address, national health identifier, passport/ID numbers, IP address |
Health & Clinical Data | Medical history, diagnoses, treatment records, clinical notes, prescriptions, allergies, immunisation records, pathology results, imaging reports, medication records — constituting Sensitive Information / Special Category Data |
Biometric & Authentication | Biometric login data (device-based), profile photographs, authentication credentials (hashed/tokenised), OTP verification records, session tokens |
Device & Technical | Device type, OS version, browser type, IP address, user agent, session logs, crash diagnostics, usage statistics, language preferences |
Financial & Billing | Payment tokens (via PCI-DSS processors), transaction history, subscription status — full card numbers and CVV are never stored by Moana |
Staff & Professional | Healthcare professional registration numbers, role classifications, department, facility, access logs, audit trails |
Communications & Workflow | Clinical messages between authorised users, file attachments in clinical context, workflow timestamps, task logs, referral communications |
Moderation & Compliance | Incident reports, audit logs, access anomaly flags, enforcement records — retained for legal defensibility and compliance |
VI.
PURPOSES OF PROCESSING
Moana processes Personal Data solely for purposes that are specified, explicit, and legitimate consistent with Article 5(1)(b) GDPR and APP 6. The definitive list of lawful purposes is:
• User Account Lifecycle Management — creation, verification, maintenance, and administration of Authorised User accounts, including credential assignment, session authentication, and access control
• Electronic Health Records — creation, storage, retrieval, and management of patient health records in FHIR R4-compliant formats
• Clinical Workflow Management — appointment scheduling, clinical pathways, care coordination, referral management, and multi-facility patient tracking
• Health System Interoperability — facilitating secure data exchange between healthcare facilities, laboratories, pharmacies, and radiology services using FHIR R4, HL7, and DICOM standards
• Financial Transactions and Billing — processing service fees, subscription management, and compliance with PCI DSS and financial reporting obligations
• Platform Security and Integrity — detecting, preventing, and responding to security threats, unauthorised access, and data breaches
• Legal Compliance and Regulatory Cooperation — compliance with health records legislation, tax obligations, NDB scheme, and lawful requests from courts and regulatory authorities
• Platform Optimisation and Diagnostics — using de-identified, aggregated technical data to improve Platform performance and eliminate technical errors
• Supporting Clinical Audit and Governance — providing audit trails and reporting tools to support the Client's clinical governance obligations
VII.
CHILDREN AND MINORS IN CLINICAL SETTINGS
7.1 Children's Data in Healthcare
The Platform is designed for use by healthcare organisations and may process Personal Data relating to minors (persons under 18 years of age) in the course of clinical care. Such processing is conducted solely on the instructions of and under the governance of the healthcare organisation (Data Controller), which is responsible for compliance with all applicable laws governing the collection and processing of children's health data.
7.2 Guardian and Proxy Access
The Platform supports proxy access functionality allowing authorised guardians, parents, or legal representatives to manage records on behalf of minors. Healthcare organisations are responsible for ensuring that proxy access is granted in accordance with applicable legal and professional requirements, including the relevant age of medical consent in each deployment jurisdiction.
7.3 COPPA Compliance
In accordance with the Children's Online Privacy Protection Act (COPPA, 15 U.S.C. §§ 6501-6506), Moana does not knowingly collect Personal Data directly from children under the age of 13 through Moana's own interfaces. All data relating to minors that is present on the Platform is submitted by and under the governance of the healthcare organisation Data Controller.
7.4 Additional Protections
Moana applies enhanced access controls and audit logging to records tagged as belonging to minor patients. Healthcare organisations may configure age-based access restrictions to further protect minors' health records.
VIII.
AI AND CLINICAL DECISION SUPPORT DISCLOSURE
8.1 AI Features
The Platform may incorporate artificial intelligence (AI) and machine learning capabilities to assist with: (a) clinical coding suggestions (ICD-10/SNOMED); (b) automated transcription of clinical notes; (c) predictive scheduling and workflow optimisation; and (d) data quality and completeness alerts. Any AI-generated outputs are presented as informational suggestions only and do not constitute clinical recommendations, diagnoses, or treatment advice.
8.2 Not a Medical Device
AI features within the Platform are designed as administrative and informational tools to support (not replace) clinical judgment. Moana does not represent that any AI feature constitutes a Software as a Medical Device (SaMD) under TGA, FDA, EU MDR, or equivalent regulatory frameworks as at the Effective Date. Healthcare organisations must independently assess regulatory requirements for AI-assisted clinical tools in their jurisdiction.
8.3 AI Data Processing
Where AI features process Patient Data, such processing occurs within Moana's controlled cloud environment. Personal Data is not transmitted to third-party AI providers for model training without the explicit prior written consent of the Data Controller. Moana will disclose any third-party AI service providers used in connection with clinical data processing in the applicable Order Form and DPA sub-processor schedule.
8.4 Disclaimer
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, MOANA EXPRESSLY DISCLAIMS ANY LIABILITY ARISING FROM RELIANCE ON AI-GENERATED SUGGESTIONS OR OUTPUTS. ALL CLINICAL DECISIONS REMAIN THE SOLE RESPONSIBILITY OF QUALIFIED HEALTHCARE PROFESSIONALS.
IX.
DATA SHARING AND THIRD PARTIES
9.1 Authorised Recipients
Subject to the principles of purpose limitation and data minimisation (Article 5(1)(b)-(c) GDPR; APP 6), Moana shares Personal Data only with the following categories of recipients:
• Authorised Users — healthcare professionals and administrative staff of the Client, as directed by the Data Controller
• Cloud Infrastructure Sub-processors — AWS (primary cloud infrastructure provider), subject to equivalent data protection obligations
• Laboratory, Radiology, and Pharmacy Integration Partners — third-party health systems connected at the Client's direction for clinical interoperability
• Technical Support Personnel — Moana's authorised technical staff accessing data solely to provide support services, subject to strict confidentiality obligations
• Legal and Regulatory Authorities — where required by law, pursuant to court orders, subpoenas, regulatory audits, or NDB scheme obligations
9.2 No Sale of Personal Data
Moana does not and shall not sell, rent, trade, or otherwise disclose Personal Data (including Health Data) to any third party for monetary consideration or for the purposes of targeted advertising. This commitment applies regardless of whether the data is identified, pseudonymised, or de-identified.
9.3 Cross-Border Transfers
Where Personal Data is transferred internationally, Moana ensures appropriate safeguards are in place including SCCs (EU/EEA transfers), UK IDTA (UK transfers), adequacy decisions, and equivalent mechanisms for Pacific Island and other international transfers. All sub-processors are contractually bound by data protection obligations equivalent to this Policy.
X.
DATA RETENTION AND SECURITY
10.1 Retention
Moana retains Client Data for the duration of the MSA. Upon termination, data is available for export for thirty (30) days and then securely deleted unless the Client provides a written retention instruction (e.g., to comply with health records legislation). Health Records may be subject to minimum statutory retention periods in the applicable deployment jurisdiction — the healthcare organisation Data Controller is responsible for instructing Moana accordingly.
10.2 Security
Moana implements an ISMS aligned to ISO/IEC 27001 standards. Key security measures include: AES-256 encryption at rest; TLS 1.2+ encryption in transit; RBAC with least privilege; MFA across all access points; regular penetration testing; security event logging; and incident response procedures. Full security details are set out in the DPA (Schedule C to the MSA).
XI.
DATA SUBJECT RIGHTS
In accordance with Articles 15-21 GDPR, APPs 12-13, and equivalent provisions under applicable Data Protection Laws, Data Subjects have the following rights:
Right | Legal Basis | How to Exercise |
Access | GDPR Art. 15; APP 12 | Contact your healthcare organisation (Data Controller) |
Rectification | GDPR Art. 16; APP 13 | Contact your healthcare organisation |
Erasure (Right to be Forgotten) | GDPR Art. 17 | Contact your healthcare organisation — subject to health records retention laws |
Restriction of Processing | GDPR Art. 18 | Contact your healthcare organisation |
Data Portability | GDPR Art. 20 | Contact your healthcare organisation — FHIR R4 export available |
Object to Processing | GDPR Art. 21 | Contact your healthcare organisation |
Opt-out of Sale/Sharing (CA) | CPRA § 1798.120 | Moana does not sell or share data |
Lodge a Complaint | GDPR Art. 77; Privacy Act s. 36 | Contact OAIC at www.oaic.gov.au or contact@moanadigitalhealth.com |
All Data Subject rights requests, complaints, or privacy enquiries to Moana should be submitted to: contact@moanadigitalhealth.com. Moana will acknowledge valid requests within legally required timeframes (30 days under GDPR and Privacy Act; 45 days under CPRA).
XII.
COOKIES AND TRACKING
The Platform uses strictly necessary cookies and session tokens required for secure operation. No advertising or cross-site tracking cookies are used. Cookie categories:
• Authentication Cookies — to maintain secure user sessions and verify identity across Platform requests
• Security Cookies — to detect and prevent fraudulent activity, session hijacking, and CSRF attacks
• Performance Cookies — to monitor Platform availability and identify technical issues
Users may manage cookie preferences through device browser settings. Disabling strictly necessary cookies will impair Platform functionality. Moana complies with the ePrivacy Directive (2002/58/EC) and Cal. Bus. & Prof. Code § 22575 (CalOPPA) where applicable.
XIII.
INTERNATIONAL TRANSFERS
Moana may transfer, store, or process Personal Data in jurisdictions including Australia (primary) and AWS regions configured per deployment. All international transfers are protected by appropriate safeguards: SCCs (EU/EEA); UK IDTA (UK); Australian adequacy-equivalent protections (Pacific/other jurisdictions). Data Subjects may request details of transfer mechanisms at: contact@moanadigitalhealth.com.
XIV.
AMENDMENTS TO THIS POLICY
Moana reserves the right to modify this Policy at any time. Material changes will be communicated via: (a) written notice to healthcare organisation clients; and (b) updated publication on our website at moanadigitalhealth.com. Continued use of the Platform after the effective date of amendments constitutes acceptance. Healthcare organisations should ensure Authorised Users are informed of relevant changes.
XV.
CONTACT AND SUPERVISORY AUTHORITIES
15.1 Contact Details
Company | Moana Digital Health Pty Ltd |
ACN / ABN | ACN 694 101 052 / ABN 41 694 101 052 |
Registered Office | St Kilda Road, Melbourne, Victoria 3004, Australia |
Privacy & Data Rights | contact@moanadigitalhealth.com |
Legal & Compliance | contact@moanadigitalhealth.com |
Website | moanadigitalhealth.com |
15.2 Supervisory Authorities
• Australia: Office of the Australian Information Commissioner (OAIC) — www.oaic.gov.au
• European Union: European Data Protection Board (EDPB) — edpb.europa.eu
• United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
• California: California Privacy Protection Agency (CPPA) — cppa.ca.gov
• Canada: Office of the Privacy Commissioner of Canada (OPC) — priv.gc.ca
• Pacific Islands: Relevant national data protection authority in deployment jurisdiction