Privacy statement

This privacy statement reflects how we manage and protect private information for tenants (individuals or organisations) that maintain an instance on the Congrego platform and as well for individuals (a team member or a client) who has an account on the Congrego platform. The statement is aligned with the highest international privacy principles and is intended, at a chigh level, to outline how we ensure the privacy and security of private information for all accounts on our platform.

What information does our privacy statement cover

Personal Identifiable Information (PII) or Personal data is any information that relates to an identified or identifiable individual. Personal data may also include different pieces of information, which when collected together can lead to the identification of a particular person. As well, personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person, remains personal data and falls within the scope.

Different international laws and regulations protect personal data regardless of the technology used for processing that data. That is, this statement is technology neutral and applies to both automated and manual processing, provided the data is organised in accordance with pre-defined criteria (for example alphabetical order). The statement also applies regardless of how data is stored: be it using a digital workspace or via physical media - in in all cases, personal data is subject to protection and is covered by this statement. 

Personal data includes, but is not limited to: first name, last name, preferred name; photos and videos; address; contact details including phone or email; identification documents such as a passport; driver license; government issued references including tax file numbers, health cards or social security documents; financial documentation and information including ones financial situation; bank account details and credit cards; school or university information and identification; employment history; physical and mental health information including disabilities; blood type, allergies, behaviours; history of procedures; list of other specialist(s) seen by the individual; data that uniquely identifies a person including tattoos, scars, implants, blood test results, implant serial numbers etc; biometric information; criminal record; religious beliefs; racial or ethnic origin; sexual orientation; digital data including location data, Internet Protocol (IP) address, computer cookie, phone or other device IME numbers; commentary or opinion about an individual; an any similar information about family or partners. 

Examples of non private (or open source information) data include: a company registration number and ABN; published contact details including phone numbers or email addresses; anonymised data; and anything that can be accessed through publicly available channels including an internet search, social media, via a library etc.

How do we secure personal information

We have an ongoing program of works to achieve and maintain the highest information handling standards. As well, Congrego has allocated specific resources to document and implement improvements on an on-going basis. Our policies and processes cover such areas as: Information security; specific areas of privacy; privacy breach reporting; vulnerability management and patching; reporting; deviations policy and processes; system acquisition, development and maintenance; encryption and key management; access controls and identity management; physical and environmental security; cloud services management; remote access controls; third party security; service level agreements; operational processes; business continuity; human resources, incident management; and among others, additional controls including Police check for those who have access to sensitive information.

What high level objectives do these policies and procedures target

We are continuously working towards implementation and ongoing support of an organisational wide Information Security Management System that is compliant with the relevant ISO/IEC 27001/2 Standards for Information Security Management Systems and ISO27799 Standards for Information security management in health.

Our implementation of sensitive information control policies and processes are designed to be in compliance with relevant geographical legislation and regulations including but not limited to the Australian Data Protection Act 1998 and the European GDPR. In each jurisdiction and industry that we provide our platform we take time to understand and ensure that we are in compliance with the relevant data privacy requirements and laws.

Specifically our privacy and security policies and procedures cover the following:

  • Information Security Risk Assessment Process, which assesses the harm likely to result from a security failure and the realistic likelihood of such a failure occurring in the light of prevailing threats and vulnerabilities, against controls currently implemented.

  • Privacy Risk Assessment Process, that assesses the sensitivity of private data held or processed by our systems, and puts in place measures to ensure the security and integrity of the data.

  • Business Continuity Plans to counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.

  • Information Security and Privacy awareness training for all company employees, and associated third party suppliers.

  • On-going security assessment of our third party suppliers who have any access to our data, and insisting meet compliance at the same level or better as ourselves

  • A Senior Management Team, including a specific Data Privacy Compliance Officer, that supports the continuous review and improvement of the company’s Security Policies.

  • Incident management and escalation procedures for the reporting and investigation of security incidents for management review and action.


Although we have never had a breach of privacy, we never the less have a specific Information Security Compliance Privacy Breach Reporting Process, which is designed to meet the requirements of the highest international standards including the Australian Privacy Act 1988, as amended 2017 and the European GDPR.

Our process not only includes taking preventative actions and reporting any privacy breach issues to the various government bodies, but to the public and to any individuals who might be effected.


Complaints and enquiries

If you want to enquire about your privacy, including complaints, on the first instance try and resolve the privacy concern with the tenant (individual or organisation) that is hosting your account. You can view your tenants privacy policy by visiting

For any reason, if the complaint or enquiry needs to be escalated, then the complaint or enquiry must first be made to us in writing, using the contact details in this section. We will need a reasonable time to respond.

If the privacy issue cannot be resolved, you may wish to take your complaint to the regulatory body in your jurisdiction: 

Who to contact

A person may make a enquiry/complaint or request to access or correct personal information about them held by us. Such a request must be made in writing to the following address:

Attention: Data Protection Officer


Postal address: PO Box 1728, Broadbeach, QLD 4218, Australia