Privacy notice (AU)

Last updated: 21 September 2025

At Concentric Health, protecting your privacy and safeguarding your personal information is central to how we operate. This privacy notice explains how your data is collected, protected, and used when Concentric is provided to you by a healthcare organisation in Australia.

What is Concentric?

Concentric is a digital consent application used by your healthcare organisation to support safe, informed decision-making about treatment and care.

Healthcare professionals use Concentric to share information about treatment options, record discussions and decisions, and capture your consent. You may also use Concentric to review information, record your preferences, and provide your consent electronically.

Concentric is not used for marketing purposes, and your information is never sold. Its sole purpose is to support your care and treatment. Click here to read our Concentric introduction for patients.

Who is responsible for your information?

Because Concentric is provided to you by your healthcare organisation (for example, a hospital or clinic), it is important to understand how responsibilities are shared:

  • Healthcare organisation: The organisation providing your care is responsible for deciding what information is collected, how it is used, and how long it is retained, in line with the Privacy Act 1988 and Australian Privacy Principles (APPs).

  • Concentric Health: We provide the technology platform and process your information strictly on behalf of, and under the instructions of, your healthcare organisation. We do not determine the purposes for which your data is used.

What information is processed?

Concentric processes both personal information and sensitive health information, entered or generated in the following ways:

  • Patient demographic information: details brought through from your healthcare organisation’s clinical systems, such as name, date of birth, gender, patient identification number (e.g. IHI or hospital number), and contact details (email address and/or mobile phone number). These demographic details are used to ensure safe identification and communication.
  • Clinician-entered information: information recorded by your clinical team about your care, which may include the indication and purpose for treatment, alternative options, anaesthetic choices, risks of treatment, clinician notes, and external resources shared. This information is required for the consent record and supports you with decision-making about your treatment.
  • Patient-entered information: details you provide directly, such as consent preferences and your signature.
  • System-generated information: technical and security information, including audit logs, timestamps, and access records. These help ensure your information is handled securely.

Lawful basis for processing

Under the Privacy Act 1988 (Cth), personal and sensitive information may only be collected, used, or disclosed in line with the Australian Privacy Principles (APPs).

For health information, this typically means:

  • collection and use where reasonably necessary to provide a health service (APP 3 and APP 6), and
  • disclosure or use for directly related purposes, such as documenting and securely sharing consent information (APP 6).

In practice, your healthcare organisation decides the lawful grounds for using your information and is responsible for ensuring compliance with the APPs. Concentric Health processes your information only on their instructions, under a contract that sets out data processing terms.

Third-party processors & international data transfers

To provide Concentric, we work with carefully selected third-party service providers (sub-processors). These organisations support the secure delivery of the service (for example, cloud hosting and communications).

All sub-processors are engaged under contracts that include data processing terms, ensuring that they meet APP standards for data protection and security. Concentric Health does not permit any sub-processor to use your information for their own purposes.

Hosting / Cloud Infrastructure

The core Concentric application and health record data are hosted on Google Cloud Platform (GCP). For Australian healthcare organisations, this data is stored in secure Australian data centres. GCP provides contractual safeguards for the protection of sensitive health information.

Communications Providers

To deliver notifications, a limited subset of personal information (such as your email address or phone number, and the message content necessary for the communication) is processed by:

  • Postmark (part of ActiveCampaign): used to send email notifications.
  • Twilio: used to send SMS notifications.

These communication providers process personal information only (not sensitive health information). Each is engaged under a contract with data processing terms. Where international transfers occur, Concentric Health takes reasonable steps to ensure these transfers comply with APP 8 (Cross-border disclosure of personal information) and that protections are maintained in line with Australian privacy law.

How long is your information kept?

The length of time your healthcare record is retained is determined by your healthcare organisation.

Concentric Health retains information only while providing services on behalf of your healthcare organisation. If a healthcare organisation stops using Concentric, all information required for the patient’s clinical record — including the consent information shared, summary PDFs, and the audit trail — is transferred to them as part of the offboarding process. After this transfer, the data is securely deleted from Concentric Health’s systems.

Where a healthcare organisation continues to use Concentric over the long term (for example, 8 years or more), records are retained in line with the organisation’s policies and then reduced to a minimal record kept only for evidential purposes, with the remainder of the record securely deleted from Concentric Health’s systems.

For communications data, message metadata and content are retained by Postmark and Twilio for up to 45 days to support delivery, troubleshooting, and abuse prevention, after which they are permanently deleted.

Your rights

You have rights under data protection law in relation to your personal information. These rights are primarily exercised through your healthcare organisation. Below is a summary of your rights under data protection law, with an explanation of how each applies in this context:

Right to be informed (APP 1 & 5): This privacy notice explains what information is collected, why it is used, how it is stored and how long it is kept. It is linked directly from the Concentric patient application, allowing you to access it whenever you use the service.

Right to anonymity/pseudonymity (APP 2): Under Australian privacy law, you generally have the option to interact with organisations anonymously or using a pseudonym. In a healthcare setting, this is not practicable, as your information must be linked to your identity to ensure safe and effective care. However, your healthcare organisation may choose not to record your contact details in Concentric, in which case consent information can be provided in print.

Cross-border disclosure (APP 8): Your Concentric record is hosted securely in Australia on Google Cloud Platform. Some personal information may be processed by communications service providers that operate internationally. For example, email notifications are sent via Postmark, and SMS notifications via Twilio. These providers process contact details and message content only (not clinical information). Concentric Health takes reasonable steps to ensure any transfers outside Australia comply with APP 8 and that protections are maintained in line with Australian privacy law.

Right of access (APP 12): You can request access to the information held about you through your healthcare organisation. Your request covers your entire health record, which may include information recorded in Concentric.

Right to correction (APP 13): If your information is inaccurate or incomplete, you can ask your healthcare organisation to correct it. Updates will then be reflected in Concentric where relevant.

To exercise these rights, please contact your healthcare organisation. For independent advice about your rights, or if you are unhappy with how your information is handled, you can contact the Office of the Australian Information Commissioner (OAIC).

If you have questions about Concentric’s role specifically, you can also contact us directly (see below).

How we keep your information safe

We take data security seriously and use both technical and organisational measures to protect your information, as required under APP 11 – Security of personal information. These include encryption of data in transit and at rest, secure hosting, access controls, and appropriate organisational processes.

Healthcare professionals sign in using secure authentication, for example, through single sign-on via their organisational login. Patients are provided with access via a secure method that combines something you have (a unique link sent by email or SMS) with something you know (your date of birth), ensuring that only you can view your information.

Cookies and similar technologies

Concentric uses only essential session cookies, which are required for the application to function securely. These cookies allow clinician and patient users to log in and maintain a secure session. Concentric does not use cookies for marketing, analytics, or tracking across other websites.

Contact information

In most cases, you should contact your healthcare organisation if you have questions or concerns about your information. They are responsible for your health record and for responding to rights requests under data protection law.

If you have questions about Concentric Health’s role as the technology provider, you can contact our Data Protection Officer using the details published on our entry in the UK Information Commissioner’s Office’s (ICO) public register: Concentric Health (ICO Registration ZB709350).
