Patient Data Policy
Effective: 1 January 2022
Applies to: Rose Optometry (Visique Rose Optometrists Ltd) and our service providers
1) What this policy covers
This policy explains how we collect, use, store, share and protect patient information in our clinical systems and marketing systems, including equipment, Cattrax, OptomateTouch, HubSpot, and our online optical data warehouse hosted in New Zealand and Australia. It also explains your choices, including how to opt out of non‑essential uses.
Legal bases & scope: We comply with the Privacy Act 2020, the Health Information Privacy Code 2020 (HIPC), and (for electronic marketing) the Unsolicited Electronic Messages Act 2007 (UEMA). For cross‑border disclosure, we follow Information Privacy Principle (IPP) 12.
2) What we collect
• Clinical information: contact details, demographics, clinical notes, test results, prescriptions, referrals, health history, imaging, and device data.
• Operational and service data: appointment history, payments, communications, and service usage.
• Marketing & engagement data: preferences, email/SMS interactions, website forms, and campaign responses captured in HubSpot.
We collect information directly from you and from your use of our services (HIPC Rules 1–3).
3) Why we use your information
a) To provide eye‑health care (diagnosis, treatment, recalls, safety/quality, billing).
b) Bespoke care communications: to contact you with reminders, guidance, and clinically
relevant updates.
c) Relevant research updates & invitations: to let you know about new treatments and
invite participation in developing new products/services.
d) Service improvement, analytics, and planning.
e) De‑identified data use: for clinical research, AI models, and population insights.
f) Electronic marketing: to send messages about relevant products/services with easy
unsubscribe options.
g) Research and Development: Development of new products, tools or services for use
in the ophthalmology and optometric profession.
4) De‑identification standard we use
Before using data for research/AI/analytics outside direct care, we remove or irreversibly
transform direct and indirect identifiers and apply additional controls so individuals are
not reasonably identifiable.
5) Our systems and where your data is processed
Clinical record system and imaging: Optomate Touch, Medmont, Heidelberg Heyex,
Microsoft HIPAA‑compliant tenant.
Marketing & communications CRM: HubSpot.
Data warehouse/analytics: Secure platforms hosted in New Zealand and Australia for
clinical analytics and decision support.
6) How consent and opt‑out work
At registration: You are opted in to bespoke care communications and
research/treatment updates.
Electronic marketing: Express or inferred consent under UEMA. Each message includes
a functional unsubscribe. You can opt out anytime.
Essential messages such as recalls or results cannot be opted out of.
7) Disclosures we may make
We may share information with other health providers, processors under contract,
regulators, and research partners using de‑identified data. Overseas disclosures
comply with IPP 12 safeguards.
8) Security
We use layered security measures, encryption, access controls, and staff training. In
case of a notifiable breach, we will notify the Privacy Commissioner and affected
individuals as soon as practicable (ideally within 72 hours).
9) Retention & destruction
We keep records for at least 10 years from the date of last service as required by the
Health (Retention of Health Information) Regulations 1996. After that, data is securely
destroyed or de‑identified.
10) Your rights
You can access, correct, and request changes to your data or preferences. We will
respond within legal timeframes and verify your identity before actioning requests.
11) Governance & accountability
We maintain a privacy risk register, conduct privacy impact assessments for high‑risk
projects, and review vendor compliance regularly.
12) Contact us
Privacy Officer – Rose Optometry
38 Lake Road, Frankton, Hamilton 3204, New Zealand
Email: ops@roseoptom.co.nz | Phone: +64 7 8473195
You may also contact the Office of the Privacy Commissioner at privacy.org.nz.