NET Defender Privacy Policy

Effective Date: 7/11/2025
Last Updated: 11/12/2025


1. Introduction

NET Defender Pty Ltd (ABN:401987894) (“NET Defender”, “we”, “us”, “our”) is committed to protecting the privacy and confidentiality of personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs).

This Privacy Policy explains how we collect, use, disclose, store, and protect personal information, including health information, in the course of providing IT services to healthcare practices across Australia.

Our Contact Details:

  • Business Name: NET Defender Pty Ltd
  • Address: 27 Kittani Crescent, Ashmore, Gold Coast, QLD 4214, Australia
  • Phone: 0450 088 667 / 0467 770 020
  • Email: shahrouz@netdefender.com.au
  • Website: www.netdefender.com.au

2. Types of Personal Information We Collect

2.1 Information About Healthcare Practices

When providing IT services to medical clinics, dental practices, and pharmacies, we may collect:

  • Business contact information (practice name, ABN, address)
  • Key personnel details (practice managers, practitioners, reception staff names, email addresses, phone numbers)
  • IT infrastructure information (server configurations, network details, software systems)
  • Practice management system data (appointment schedules, system configurations)
  • Billing and payment information
  • Technical support request details and correspondence

2.2 Information About Patients (Incidental Collection)

In the course of providing IT support services, we may incidentally access or collect:

  • Patient names, dates of birth, contact details
  • Appointment information
  • Medical record numbers
  • Health information contained in practice management systems

Important: We do not actively collect patient information for our own purposes. Any patient information we access is solely for the purpose of providing IT support services to healthcare practices and remains under the control of the healthcare provider.

2.3 Website Visitors

When you visit our website, we may collect:

  • IP addresses and browser information
  • Pages visited and time spent on site
  • Referring website addresses
  • Device and operating system information

2.4 Job Applicants

If you apply for employment with us, we may collect:

  • Contact details and resume information
  • Employment history and references
  • Qualifications and certifications
  • Information provided during interviews

3. How We Collect Personal Information

We collect personal information through:

  • Direct interactions: When you contact us, request services, or provide information directly
  • Service delivery: During IT support, system maintenance, monitoring, and troubleshooting activities
  • Electronic systems: Through remote access to client IT infrastructure, monitoring tools, and support ticketing systems
  • Third parties: From IT vendors, referral partners, and publicly available sources (with consent where required)
  • Website: Through contact forms, cookies, and analytics tools

We will only collect personal information by lawful and fair means, and where reasonable and practicable, we will collect it directly from you.


4. Why We Collect, Hold, Use and Disclose Personal Information

4.1 Primary Purposes

We collect and use personal information to:

  • Provide IT services: Deliver managed IT, cybersecurity, network solutions, backup, and technical support services to healthcare practices
  • System management: Monitor, maintain, troubleshoot, and optimise IT infrastructure
  • Technical support: Respond to service requests and resolve technical issues
  • Compliance: Ensure healthcare practice IT systems meet regulatory requirements (Privacy Act, Australian Privacy Principles, healthcare regulations)
  • Service improvement: Analyse system performance and enhance service quality
  • Billing and administration: Process payments, manage accounts, and maintain business records
  • Communication: Contact clients regarding services, updates, and important notices

4.2 Secondary Purposes

With consent, we may use information for:

  • Marketing communications about relevant IT services
  • Industry research and case studies (de-identified)
  • Service development and improvement

You can opt-out of marketing communications at any time by contacting us.

4.3 Health Information

Any health information we access while providing IT services is collected and used solely for the purpose of delivering technical support to healthcare practices. We do not use health information for any other purpose and implement strict controls to protect its confidentiality.


5. Disclosure of Personal Information

5.1 Who We May Disclose To

We may disclose personal information to:

  • IT vendors and service providers: Microsoft, Cisco, AWS, and other technology partners (only to the extent necessary for service delivery)
  • Third-party contractors: Technical specialists providing services on our behalf (under strict confidentiality agreements)
  • Professional advisors: Lawyers, accountants, and auditors (where necessary for business operations)
  • Government authorities: Where required by law or to comply with legal obligations

5.2 Overseas Disclosure

We do not routinely disclose personal information overseas. All client data, including any health information, is stored exclusively within Australian data centres (AWS Sydney Region – ap-southeast-2).

In limited circumstances, we may disclose information to overseas technology vendors (e.g., Microsoft, Cisco) for technical support purposes. Such disclosures:

  • Are limited to non-health information where possible
  • Occur only with appropriate safeguards and contractual protections
  • Comply with APP 8 requirements

Before disclosing personal information overseas, we will:

  • Inform you of the countries involved
  • Obtain your consent where required
  • Ensure reasonable steps are taken to ensure overseas recipients comply with the APPs

6. Data Storage and Security

6.1 How We Store Information

Personal information is stored:

  • Electronically: On secure servers located in Australian data centres (AWS Sydney Region)
  • Cloud-based systems: Using enterprise-grade platforms with encryption and access controls
  • Physical records: In locked, secure facilities (limited circumstances only)

6.2 Security Measures

We implement comprehensive security measures including:

  • Access controls: Multi-factor authentication, role-based permissions, least privilege principles
  • Network security: Enterprise-grade firewalls, intrusion detection systems, network segmentation
  • Monitoring: 24/7 security monitoring and threat detection
  • Physical security: Restricted access to data centres and facilities
  • Staff training: Regular privacy and security training for all personnel
  • Vendor management: Due diligence and contractual security requirements for third parties
  • Incident response: Documented procedures for security incidents and data breaches

6.3 Data Retention

We retain personal information only as long as necessary for the purposes outlined in this policy:

  • Client business information: Duration of service relationship plus 7 years (standard business records retention)
  • Technical support records: 7 years from last interaction
  • Health information accessed during service delivery: We do not retain health information—it remains solely within client practice management systems
  • Website analytics: 26 months
  • Job applications: 12 months (or as required by law)

Information is securely destroyed or de-identified when no longer required.


7. Access to and Correction of Personal Information

7.1 Your Right to Access

You have the right to request access to personal information we hold about you. To make an access request:

  1. Contact us using the details in Section 1
  2. Provide sufficient details to identify the information requested
  3. Verify your identity (for security purposes)

We will respond to your request within 30 days and provide access unless:

  • Providing access would pose a serious threat to life, health, or safety
  • Disclosure would be unlawful
  • The request is frivolous or vexatious
  • Legal proceedings require confidentiality
  • Other exceptions under the Privacy Act apply

If we refuse access, we will provide written reasons and inform you of complaint mechanisms available.

7.2 Correction of Information

If you believe personal information we hold is inaccurate, out-of-date, incomplete, irrelevant, or misleading, you may request correction by contacting us.

We will:

  • Respond within 30 days
  • Correct the information if satisfied it requires correction
  • Notify third parties to whom we disclosed the information (where reasonable)
  • If we refuse correction, provide written reasons and note your request on our records

There is no fee for requesting access or correction of your personal information.


8. Anonymity and Pseudonymity

Where practicable, we provide the option to interact with us anonymously or using a pseudonym. However, for most IT services we provide to healthcare practices, we require identification to:

  • Verify authority to access systems and data
  • Provide effective technical support
  • Maintain security and accountability
  • Meet contractual and legal obligations

Website visitors can browse anonymously, though analytics tools collect limited technical information.


9. Website Privacy and Cookies

9.1 Cookies and Tracking

Our website uses cookies and similar technologies to:

  • Remember your preferences and settings
  • Analyse website traffic and user behaviour
  • Improve website functionality and user experience

You can control cookie settings through your browser. Disabling cookies may affect website functionality.

9.2 Third-Party Analytics

We use Google Analytics to analyse website usage. This involves collecting:

  • IP addresses (anonymised)
  • Pages visited and time spent
  • Referral sources and device information

Google Analytics data is subject to Google’s privacy policy. You can opt-out using Google’s opt-out tools.

9.3 Links to Third-Party Websites

Our website may contain links to third-party sites. We are not responsible for the privacy practices of external websites. Please review their privacy policies before providing personal information.


10. Direct Marketing

10.1 Marketing Communications

We may send marketing communications about:

  • New IT services relevant to healthcare practices
  • Technology updates and security advisories
  • Industry news and best practices

We only send marketing communications where:

  • You have consented (opt-in)
  • You are an existing client and the communication relates to similar services
  • You have not opted out

10.2 Opt-Out

You can opt-out of marketing communications at any time by:

  • Clicking “unsubscribe” links in emails
  • Contacting us directly using details in Section 1
  • Updating your communication preferences in writing

We will process opt-out requests within 5 business days. Note that operational communications (service updates, invoices, security alerts) continue regardless of marketing preferences.


11. Data Breach Response Plan

NET Defender has implemented a comprehensive Data Breach Response Plan in accordance with the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988.

11.1 What is a Data Breach?

A data breach occurs when personal information we hold is lost, or is subject to unauthorised access or unauthorised disclosure. Under the NDB scheme it is an eligible (notifiable) data breach when that loss, access or disclosure is likely to result in serious harm to one or more affected individuals, and we have not been able to prevent that likely harm through remedial action.

11.2 Data Breach Response Procedures

Step 1: Detection and Containment (0-4 hours)

  • Identify and verify the breach through security monitoring, staff reports, or external notification
  • Activate incident response team (Shahrouz Nasrollahi – CEO, Technical Lead)
  • Immediately contain the breach to prevent further unauthorised access or loss
  • Preserve evidence for investigation and potential law enforcement involvement

Step 2: Assessment (4-24 hours)

  • Assess the nature and extent of compromised information
  • Identify affected individuals and volume of records involved
  • Evaluate likelihood of serious harm to individuals
  • Determine if the breach meets notification thresholds under the NDB scheme
  • Document all assessment activities and decisions

Step 3: Notification (24-72 hours if required)

When notification is required:

  • The breach is likely to result in serious harm to one or more individuals, AND
  • We have not taken remedial action that reduces the likelihood of serious harm to a remote one

Who we notify:

  1. Affected individuals: Via direct contact (email, phone, letter) providing:
    • Description of the breach
    • Types of information involved
    • Recommendations for individuals to protect themselves
    • Contact details for further information
  2. Office of the Australian Information Commissioner (OAIC): Via the OAIC online form as soon as practicable after we conclude that an eligible data breach has occurred (the NDB scheme requires our assessment of a suspected breach to be completed within 30 days of becoming aware of it), including:
    • Identity and contact details of NET Defender
    • Description of the breach
    • Types of information involved
    • Number of affected individuals (or estimate)
    • Steps taken in response
    • Recommendations for individuals
  3. Healthcare practice clients: Immediate notification to affected practices with:
    • Full incident details and timeline
    • Assessment of patient information exposure
    • Remediation steps taken and planned
    • Support for practice’s own notification obligations
    • Ongoing communication protocols

Step 4: Remediation (Immediate and Ongoing)

  • Implement immediate fixes to security vulnerabilities
  • Enhance monitoring and detection capabilities
  • Review and strengthen security controls
  • Provide affected individuals with identity protection resources where appropriate

Step 5: Review and Prevention (30-90 days post-incident)

  • Conduct thorough post-incident review
  • Identify root causes and contributing factors
  • Update security policies, procedures, and controls
  • Provide additional staff training
  • Test enhanced security measures
  • Update Data Breach Response Plan based on lessons learned
  • Report findings to senior management and clients

11.3 Serious Harm Assessment Criteria

We assess “serious harm” by considering:

  • Sensitivity of information: Health information carries a higher risk of serious harm
  • Security measures: Was the data encrypted or password-protected, and were the keys or passwords kept out of reach of whoever obtained it? Encryption only reduces the likelihood of harm if the keys were not also compromised
  • Who accessed the data: A malicious actor, or an accidental disclosure to a trusted party?
  • Number of individuals affected: Scale of potential harm
  • Nature of harm: Identity theft, financial loss, physical harm, psychological harm, reputational damage
  • Vulnerable individuals: Children, elderly, individuals with specific health conditions

11.4 Types of Harm Considered

  • Physical harm: Risk to personal safety
  • Psychological harm: Emotional distress, humiliation, fear
  • Financial harm: Fraud, identity theft, financial loss
  • Reputational harm: Damage to personal or professional reputation
  • Employment harm: Job loss or workplace discrimination
  • Other serious harm: Blackmail, discrimination, loss of business opportunities

11.5 Exemptions from Notification

Notification is not required if:

  • The breach is unlikely to result in serious harm, OR
  • We have taken remedial action that reduces the likelihood of serious harm to a remote one (for example, confirming that exposed data was encrypted, or remotely wiping it, before it was accessed by any unauthorised party)

All exemption decisions are documented with clear reasoning.

11.6 Record Keeping

We maintain records of all data breaches (notifiable and non-notifiable) including:

  • Date and time of detection
  • Nature and cause of breach
  • Types and volume of information involved
  • Assessment of harm and notification decision
  • Remediation actions taken
  • Communications with OAIC, individuals, and clients
  • Post-incident review findings

These records are retained for 7 years in accordance with our business record retention requirements.

11.7 Contact for Data Breach Matters

Incident Response Contact:

  • Name: Shahrouz Nasrollahi
  • Title: CEO & Data Protection Officer
  • Email: shahrouz@netdefender.com.au
  • Phone: 0467 770 020

12. Complaints and Disputes

12.1 How to Make a Complaint

If you believe we have breached the Australian Privacy Principles or this Privacy Policy, you may lodge a complaint:

In Writing:

  • Email: shahrouz@netdefender.com.au
  • Mail: Privacy Officer, NET Defender Pty Ltd, 27 Kittani Crescent, Ashmore, QLD 4214

Your complaint should include:

  • Your contact details
  • Details of the privacy breach or concern
  • Any relevant dates and communications
  • Desired resolution or outcome

12.2 Our Complaint Handling Process

Step 1: Acknowledgment within 2 business days

Step 2: Investigation within 30 days, including:

  • Reviewing all relevant information and evidence
  • Consulting with relevant staff and departments
  • Assessing compliance with Privacy Act and APPs
  • Identifying remedial actions if breach confirmed

Step 3: Response to you in writing with:

  • Outcome of investigation
  • Reasons for decision
  • Remedial actions taken (if applicable)
  • Your right to contact the OAIC if unsatisfied

13. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect:

  • Changes to our practices and services
  • Amendments to privacy legislation
  • Technological developments
  • Client feedback and industry best practices

Notification of Changes:

  • Updated Privacy Policy posted on our website with “Last Updated” date
  • Material changes communicated directly to clients via email
  • Continued use of our services constitutes acceptance of updated policy

We encourage you to review this Privacy Policy regularly.


14. Healthcare-Specific Privacy Commitments

As a specialised healthcare IT provider, we make additional commitments regarding health information:

14.1 Health Information Protection

  • Health information accessed during service delivery is treated with the highest level of confidentiality
  • Access to health information limited to authorised personnel on need-to-know basis
  • Technical and organisational measures exceed standard requirements given sensitivity of health data
  • No use of health information for any purpose beyond providing IT services to healthcare practices
  • No disclosure of health information except as required for service delivery or by law

14.2 Healthcare Practice Obligations

While we implement comprehensive privacy protections, ultimate responsibility for patient health information remains with the healthcare practice. We:

  • Provide secure IT infrastructure supporting practice privacy obligations
  • Assist practices in meeting Privacy Act and APP requirements
  • Implement controls supporting healthcare record-keeping regulations
  • Support practices during privacy audits and assessments

14.3 Compliance Support

We help healthcare practices meet their privacy obligations through:

  • Privacy Act-compliant IT infrastructure
  • Secure backup and disaster recovery systems
  • Access controls and audit logging
  • Staff training on privacy and security
  • Regular security assessments and updates

15. Contact Us

For any privacy-related questions, concerns, or requests, please contact:

Privacy Officer: Shahrouz Nasrollahi
Business Name: NET Defender Pty Ltd
Address: 27 Kittani Crescent, Ashmore, Gold Coast, QLD 4214, Australia
Phone: 0450 088 667 / 0467 770 020
Email: shahrouz@netdefender.com.au
Website: www.netdefender.com.au


16. Acknowledgment

This Privacy Policy has been prepared in accordance with:

  • Privacy Act 1988 (Cth)
  • Australian Privacy Principles (APPs)
  • Notifiable Data Breaches (NDB) scheme
  • Office of the Australian Information Commissioner (OAIC) guidance

We are committed to continuous improvement of our privacy practices and welcome your feedback.