QuickClaim’s approach toward Personal Identifiable Information (PII)

This document clarifies QuickClaim’s approach towards Personal Identifiable information (PII). More information about Australian Privacy Principles can be found here. This document should be read together with our Privacy Policy. 

1. Which QuickClaim products have implemented the principles outlined in this document?

Topics described in this document are specifically about PII of National Disability Insurance Scheme (NDIS) Participants whose information is entered into our applications by our Customers and/or via National Disability Insurance Agency (NDIA) API calls.

The applications below are the ones used by our customers to process NDIS Payments:

• qc.online: The online application to process NDIS Payments.
• qc.pay: The mobile application to process NDIS Payments.

 

2. What data is collected? 

We gather the minimum data that is required to be able to provide QuickClaim’s services. These data fields are:

• Participant’s first name
• Participant’s last name
• Participant’s NDIS number
• If plan or self managed:
  • Participant’s financial contact name
  • Participant’s financial contact email
  • Participant’s financial contact phone
  • Participant’s financial contact address
• Participant’s date of birth (only required when customers want to get plan data from NDIS)

Customers can amend and delete this data after it is entered into QuickClaim applications.

Note: We also gather data about the users of the QuickClaim applications. The Privacy Policy relating to those can be found here.

3. Why is this data collected? 

The purpose of collecting this data is to be able to

1. Process NDIS Payments
2. Get Service Bookings from NDIS PRODA (Provider Digital Access) and
3. Get plan data from NDIS PRODA.

 

4. How is this data collected?

There are three ways QuickClaim collects data:

• Users can manually enter data into QuickClaim applications.
• QuickClaim’s API functionality pushes data to our applications.
  • Customers can use the API functionality to connect QuickClaim to their CRM or scheduling system.
  • Customers can use the API functionality to connect QuickClaim to their finance and accounting systems.
• QuickClaim’s API functionality pulls NDIS PRODA data into QuickClaim.

 

5. Where is the data stored?

We store data in our private database. We use Amazon Web Services (AWS) private cloud which is hosted in Australia on AWS data centres.

 

6. Who can access the data?

Only users who are defined in the application under their organisation can access that organisation’s data.

Our development and support team do not have direct access to customer data. If it is required for a support team member to access customers’ data to be able to support their service, our team will first request to be added to that organisation as a user. After the request is approved by the organisation’s administrator, they can access your data in the same way other users can (i.e. with proper logging and level of restriction).

There is no direct access to the database. The only way to access data in the database is via an API call with the proper credentials. This data is only shared with the NDIA and not shared with any other parties.

If customers have connected their Finance system to use data via API, and depending on the invoicing set up, this data might be shared with your Finance system.

 

7. How do we protect the data?

We have implemented the highest level of security based on ISO 27001 and NDIA requirements. This includes:

• Personnel security
• Encryption in transition
• Encryption at rest
• Encryption key management
• Audit log
• Security monitoring
• Firewall protection
• WAF

Note: All API connections to data are controlled by a pair of credentials (Organisation ID, API KEY). Customers can refresh their API KEY from the integration tab within the application which removes all the connections to their data. To establish a new connection the new API KEY should be shared with the authorised applications. This API KEY is stored in our database as a one-way hashified value, so by reading this data field, users cannot generate the original API KEY hence cannot use it.

 

8. How do we use the data?

We only use data for the purpose specified under clause 3 above. We do not use data internally, for marketing, for analytics or for any other purpose.

 

9. How and when do we retain and destroy the data?

To be able to address the business needs of our customers, we retain this data for as long as our relationship with our customers are active. If our relationship is terminated, our customers can delete their data or ask us to delete all of their data. If we do not explicitly receive a request to delete the data, we will keep it for 10 years.

 

10. How do we govern the data?

We review this document, our Privacy Policy and Users Terms and Conditions every year. Additionally, we review our ISMS Policies and security posture at least once a year depending on the review schedule of each policy.