Video conferencing software for medico-legal examinations - TAC

Consider the following when using video conferencing software or apps for medico-legal examinations (Independent Medical Examinations and Joint Medical Examinations):

Privacy laws require you to take reasonable steps to protect the personal information you collect use and disclose. Sensitive and health information have extra protections under Victorian privacy laws.

Free software and apps often access your device's contacts, your friends list and your photos, and can use them for any purpose they want. The terms and conditions of free software usually give the software owner some rights in accessing and using your data. Free software usually also has lower levels of technical protection (making hacking easier). Read the terms and conditions and privacy policy. If the software is free, your data and your clients' data is probably the price.

Better privacy and security often comes by upgrading to a paid version or by purchasing a license.

Ask if it is necessary to record an exam, or if the exam can be done without recording. If you use recording, you must obtain your patient’s permission and be even more certain that the facilities you are using are secure. For example, if you record a teleconference and the recording is stored anywhere outside Victoria, that location must have privacy laws equal to or better to Victorian laws, or you must have client consent to send their information to whatever location the recording is stored at. If there is no recording, then this reduces the privacy risks.

Search for the company on the internet. Look for news articles about the company having previous privacy or data breaches or being investigated by privacy regulators. If you find any articles, seriously consider not using the service.

Find out if the company has a privacy policy on their website. Avoid the software if they don’t. You want the company to be open and transparent about what they’re doing with your and your patients' information.

Read the terms and conditions and check for the following:

Is the reason that the company can access and use your data and any recorded content solely for the reason of providing the video conferencing? Any use of patient data for reasons not associated with providing their video conferencing services may breach privacy laws.
What does the company say about limitation of liability? A good company will not limit liability to a small dollar amount.
Does the company agree that they will ensure the software is fit for purpose? The terms and conditions for free software often say that the company makes no guarantees that the service will function as intended.
Who owns the data? Best practice is that you own your data, not the company. This is sometimes under the heading ‘intellectual property’.

Read the privacy policy and check for the following:

What will the company do with the information they collect? Will the company disclose it to others? Ideally the company will only use it for the purpose they collected it and will not disclose to others unless required to by law.
Which privacy laws will the company comply with? The company needs to comply with Australian privacy laws in order to be privacy compliant. Relevant Australian and Victorian privacy laws are the Privacy Act 1988 (Cth); Privacy and Data Protection Act 2014 (Vic), which governs personal and sensitive information; and the Health Records Act 2001 (Vic), which governs health information.
Where does the company store its data? If the data is stored overseas this is likely not to be compliant with Australian privacy laws. Privacy laws say that data stored overseas must be stored in a country that has a similar level of privacy protections as Victoria. Access this website to compare privacy protection laws. Australia has heavy privacy protection laws. Other countries with heavy privacy protections include Canada, Finland, Italy, Norway, Singapore, Spain and Sweden. Countries with poor privacy protections or known problems include China, India, Ireland, Russia, South Korea, UK and USA.
Records management – what will the company do with the data when their contract with you expires? Will they delete it or return it to you? Do they say how long they will keep the data?
Does the company have any information on their website about their security features? If they do, the best practice is data encryption in transit and at rest.