Australian Privacy Principles — Compliance Matrix
Last reviewed: July 2025 · Next review: January 2026 · Prepared by: OpenBook Clinical Pty Ltd
APP 1 — Open and transparent management of personal information
Requirement
Entities must manage personal information openly and transparently, maintain a clearly expressed and up-to-date privacy policy, and make it available on request.
How we comply
Privacy Policy is published at /privacy and updated whenever there is a material change. A Data Protection Officer (DPO) contact is available at privacy@openbookclinical.com.au. Our governance framework is documented at /governance.
APP 2 — Anonymity and pseudonymity
Requirement
Individuals must have the option of not identifying themselves, or of using a pseudonym, when dealing with an entity about a particular matter.
How we comply
Users may use initials or a professional alias as their display name. A full legal name is only required for billing purposes (collected and held by Stripe). Providing an AHPRA registration number is entirely optional and self-declared.
APP 3 — Collection of solicited personal information
Requirement
Entities may only collect personal information that is reasonably necessary for, or directly related to, one or more of their functions or activities. Sensitive information requires consent.
How we comply
We collect only: name, email address, profession, institution, AHPRA number (optional), and billing details. No patient data is collected. Every data point collected is necessary for service delivery, account management, or regulatory compliance. Professional information is treated as sensitive information under the Privacy Act.
APP 4 — Dealing with unsolicited personal information
Requirement
If an entity receives unsolicited personal information that it could not have collected under APP 3, it must destroy or de-identify it as soon as practicable.
How we comply
If unsolicited personal information is received — for example, patient data inadvertently entered into a clinical search — it is identified by our real-time PII detection system, flagged to the user immediately, and not processed or stored. Search queries containing Australian PII patterns (Medicare numbers, names with DOB, etc.) are not forwarded to the AI and are discarded.
APP 5 — Notification of collection
Requirement
At or before collection (or as soon as practicable after), entities must take reasonable steps to notify individuals of certain matters, including the entity's identity, the purpose of collection, and the individual's rights.
How we comply
Users are notified at signup of: what information is collected, why it is collected, who it may be shared with (sub-processors), and their rights under the Privacy Act. A plain-language collection notice is displayed during the registration flow. Full details are in the Privacy Policy at /privacy.
APP 6 — Use or disclosure of personal information
Requirement
Entities may only use or disclose personal information for the primary purpose for which it was collected, or for a secondary purpose if an exception applies.
How we comply
Personal information is used only to provide the OpenBook Clinical service. It is not sold. It is not used for advertising. It is not disclosed to third parties except sub-processors listed at /governance/sub-processors, each of whom processes data only to the extent necessary to provide their contracted service. Disclosure to law enforcement is made only under a valid court order.
APP 7 — Direct marketing
Requirement
Entities may only use or disclose personal information for direct marketing if certain conditions are met, including providing a simple means to opt out.
How we comply
We send transactional emails only (subscription receipts, trial expiry notices, CPD export confirmations). We do not send marketing or promotional emails without explicit opt-in. Every email includes a one-click unsubscribe link. Marketing opt-outs are honoured indefinitely.
APP 8 — Cross-border disclosure of personal information
Requirement
Before disclosing personal information to an overseas recipient, entities must take reasonable steps to ensure the recipient does not breach the APPs.
How we comply
AI search queries are processed by Anthropic (USA) under a zero-data-retention API agreement — queries are not stored, used to train models, or retained after the response is returned. Billing is processed by Stripe (USA) under PCI DSS Level 1 certification. Transactional email is delivered by Postmark (USA). Each sub-processor is listed at /governance/sub-processors with their applicable data handling commitments and certifications.
APP 9 — Adoption, use or disclosure of government related identifiers
Requirement
Entities must not adopt a government-related identifier as their own identifier, and must not use or disclose such identifiers except in limited circumstances.
How we comply
AHPRA registration numbers are not used as system identifiers. We use internally generated UUIDs for all records. AHPRA numbers are user-supplied, optional, and used only for professional verification within the account. They are not disclosed to third parties, including AHPRA itself, without the user's explicit consent.
APP 10 — Quality of personal information
Requirement
Entities must take reasonable steps to ensure that personal information they collect, use, or disclose is accurate, up to date, and complete.
How we comply
Users can review and update all of their profile information at any time via the Account Settings page at /dashboard/settings. Email address changes require re-verification. We do not modify user-provided information without consent.
APP 11 — Security of personal information
Requirement
Entities must take reasonable steps to protect personal information from misuse, interference, loss, and from unauthorised access, modification, or disclosure.
How we comply
AES-256 encryption at rest (Supabase/AWS ap-southeast-2). TLS 1.3 encryption in transit (Vercel edge network). Row-level security (RLS) enforced on all database tables. JWT-based authentication with automatic token rotation. MFA available for all accounts. Detailed security controls are documented in our Trust & Security Centre.
APP 12 — Access to personal information
Requirement
Entities must give individuals access to personal information held about them on request, subject to limited exceptions.
How we comply
Users can view and export all personal information held about them at any time from the Account Settings page at /dashboard/settings. The data export produces a JSON file covering all stored information. Formal data access requests can be submitted to privacy@openbookclinical.com.au and will be responded to within 30 days as required by the Privacy Act.
APP 13 — Correction of personal information
Requirement
Entities must take reasonable steps to correct personal information to ensure it is accurate, up to date, complete, relevant, and not misleading.
How we comply
Users can correct their profile data directly via the Account Settings page at /dashboard/settings. Corrections to CPD activity logs are available in-app at any time. For corrections to other records held by us, users can submit a request to privacy@openbookclinical.com.au. We will acknowledge correction requests within 5 business days.
All 13 APPs addressed
OpenBook Clinical Pty Ltd is committed to ongoing compliance with the Australian Privacy Principles. This matrix is reviewed every six months and updated whenever our practices change. Material changes are communicated to users via the Privacy Policy update notice.
Questions about our APP compliance?
Contact our Privacy Officer at privacy@openbookclinical.com.au. We aim to respond within 5 business days. If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC).
This document was prepared by OpenBook Clinical Pty Ltd. It is reviewed every six months. Last reviewed: July 2025. Next review: January 2026. This document does not constitute legal advice.