Privacy Policy

Purpose

This Privacy Policy sets out how the Immunisation Hub platform and its clinical partner collect, use, disclose, store, secure, and otherwise manage personal and health information across vaccination services, opioid agonist treatment (OAT), pharmacotherapy support, clinical governance, and related healthcare operations. We are committed to handling all information in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), the Health Records Act 2001 (Vic), and all other applicable Commonwealth and State legislative requirements.

Who we are

Two organisations are involved when you use this service. Each has a distinct role, and a distinct privacy responsibility.

• Platform operator, VERDI Pty Ltd (ABN 57 666 180 936) operates the Immunisation Hub technology platform: this website, the booking flow, and outbound communications. VERDI does not provide clinical care. It handles limited platform data such as your name, contact details, the appointment you have booked, and basic site analytics.
• Clinical partner and health service provider, Priceline Pharmacy Sunshine Marketplace (ABN 46 654 295 843), 80 Harvester Road, Sunshine VIC 3020, delivers all clinical services, vaccination, OAT pharmacotherapy, dispensing, screening, and registry reporting. The pharmacy is the licensed health service provider and holds your health information as the “APP entity” under the Privacy Act 1988.

You can verify the partner pharmacy's registration on the Australian Business Register and any pharmacist immuniser via the AHPRA public register.

Scope

This policy applies to information collected in relation to:

• vaccine recipients and patients
• residents of aged care facilities we deliver clinics in
• OAT pharmacotherapy clients
• parents, guardians, and substitute decision-makers
• next of kin and emergency contacts
• provider representatives (HR managers, facility managers, school nurses)
• employees, clinical contractors, and pharmacist immunisers
• partner organisations and contracted service providers
• website visitors, booking platform users, and people who contact us

It covers both personal information and sensitive health information as defined in the Privacy Act 1988.

Information we collect

We collect only the information reasonably necessary to deliver safe, lawful and effective services. This may include:

Identifying information

• full legal name and any preferred name
• date of birth, gender
• residential address (or aged care facility details and room or resident identifier)
• contact details (phone, email)
• emergency contact, next of kin, or substitute decision-maker details

Health-system identifiers

• Medicare number
• Individual Healthcare Identifier (IHI), where provided

Clinical and health information

• relevant medical history, allergies, and current medications
• immunisation history and prior dose records
• pregnancy status, where clinically relevant
• prior adverse event history
• consent records (written or otherwise documented)

Encounter and product records

• vaccine or medication category, brand, batch number, expiry, dose number
• site of administration, date and time
• administering practitioner
• post-administration observation outcome
• for pharmacotherapy clients: prescriber details, prescription identifiers, dosing intervals, Schedule 8 record-keeping

Operational and platform data

• service agreement, voucher, and invoicing information for organisations
• payment details where required (handled by PCI-compliant providers)
• booking platform usage and limited anonymous analytics (device, approximate location, pages viewed)

Why we collect it

Information is collected for these purposes:

• coordinating vaccination and pharmacotherapy services
• determining eligibility and screening for contraindications under the Australian Immunisation Handbook
• obtaining and recording valid consent
• scheduling clinics, walk-in flow, and recurring appointments
• recording the clinical encounter accurately
• managing post-vaccination observation and any adverse-event follow-up
• ensuring continuity of clinical care with your GP or prescriber
• reporting to the Australian Immunisation Register (AIR) within the legally required 24 hours
• reporting to SafeScript Victoria where Schedule 4 or Schedule 8 medication is involved
• supporting aged care provider compliance with the Strengthened Aged Care Quality Standards (effective 1 November 2025)
• supporting workplace and school program reporting (de-identified or summary level only)
• generating governance, quality and accreditation reports
• responding to complaints, incidents, or investigations
• billing, invoicing, and integration with provider clinical systems

Where required information is not provided, services may not be able to be delivered safely or in line with legal obligations. Your immuniser will explain any specific requirement at the time.

How we use and disclose information

Information is disclosed only where reasonably necessary for service delivery, legal compliance, or clinical safety, and the minimum amount of information needed is shared. Disclosures may be made to:

• aged care providers and authorised facility staff (for clinics delivered on their premises)
• your GP, prescribing doctor, or treating clinician (only with your explicit consent)
• pharmacists, nurses, and medical practitioners involved in your care
• public health units (where required by law, for example a notifiable disease investigation)
• Commonwealth and State Government health departments where required
• the Australian Immunisation Register (Services Australia)
• SafeScript Victoria for Schedule 4 and Schedule 8 medication dispensing
• SAFEVAC and the Therapeutic Goods Administration for adverse-event reporting
• software integration partners and secure hosting providers, under written confidentiality and security obligations
• authorised subcontractors who deliver part of the service
• legal or regulatory authorities where compelled by law

Personal information is not sold, rented, or shared with advertising networks. Third parties engaged by us are required to comply with confidentiality, privacy, and data security obligations equivalent to Australian legislative standards, and to store data on Australian servers wherever practicable.

Confidentiality and staff obligations

Every employee, contractor, pharmacist, nurse, administrator, and third-party service provider engaged by either VERDI Pty Ltd or Priceline Pharmacy Sunshine Marketplace is bound by strict confidentiality requirements. Engagement conditions include:

• signed confidentiality and privacy agreements
• professional confidentiality duties under AHPRA, the Pharmacy Board of Australia, and equivalent registration bodies
• role-based access controls so staff see only what they need
• mandatory privacy, cyber, and data-handling training (initial and ongoing)
• secure credential management and individual account audit trails
• continuous compliance monitoring

Any breach of confidentiality, unauthorised disclosure, or inappropriate access may result in disciplinary action, termination, and notification to the relevant authority where required by law.

Storage and security

We take reasonable steps to protect personal and health information from unauthorised access, misuse, loss, interference, modification, and disclosure. Controls include:

• secure cloud infrastructure with Australian-hosted systems wherever available
• role-based access controls and least-privilege administration
• strong passwords and multi-factor authentication where supported
• encryption of data in transit (TLS) and at rest
• secure backup processes and disaster-recovery planning
• firewall, intrusion detection, and malware protection
• continuous access logs and audit trails
• secure physical document storage and controlled destruction of hard-copy records

Despite these controls, no system is perfectly secure. If we become aware of a notifiable data breach, we will follow the mandatory reporting procedures under the Privacy Act and notify affected individuals as required.

Retention

Health records are retained for the period required by Victorian and Commonwealth healthcare, aged care, financial, and privacy legislation, generally a minimum of seven years from the date of last service, or for children until the age of 25. Platform-side booking data is held for the minimum period needed to manage the booking and is then deleted. When records are no longer needed, they are securely destroyed or permanently de-identified in line with legislative and professional standards.

Access and correction

You can request access to, or correction of, information held about you. Requests may be made in writing by:

• the individual concerned
• an authorised representative or substitute decision-maker
• an approved provider representative (for organisation-level service data) where authorised

We will take reasonable steps to provide access or correct inaccurate, incomplete or out-of-date information. We may need to verify your identity before releasing health information, and some records (for example AIR submissions) are accessed directly through your myGov account.

Privacy complaints

Contact the right entity based on the nature of the issue:

• Platform-side (the website, booking flow, marketing emails): email info@immunisationhub.au with “Privacy” in the subject, or write to the Privacy Officer, VERDI Pty Ltd, c/- Priceline Pharmacy Sunshine Marketplace, 80 Harvester Road, Sunshine VIC 3020.
• Clinical or health-record (your record, dispensing, consent, AIR submissions): contact the Priceline Pharmacy Sunshine Marketplace Privacy Officer on (03) 9364 7133 or in person at the pharmacy.

All complaints are investigated promptly and managed under our internal incident and privacy-breach procedures. Where required, notifiable data breach obligations under Australian law are followed.

If you are not satisfied with our response, you may contact:

• the Office of the Australian Information Commissioner (OAIC): oaic.gov.au, 1300 363 992
• the Health Complaints Commissioner of Victoria: hcc.vic.gov.au, 1300 582 113

Cookies and analytics

The Immunisation Hub platform uses minimal essential cookies (for functionality such as remembering your cookie preference) and aggregated, privacy-preserving analytics. We do not use third-party advertising or cross-site tracking cookies. You can manage your preferences via the cookie banner at the bottom of any page.

Policy review

This policy is reviewed at least annually and whenever practice, technology, or regulation changes. The most current version is the version published on this page. The version date below indicates when this policy was last reviewed.