
Privacy Policy

Effective Date: 16 May 2026  |  Last Reviewed: 16 May 2026  |  Version: 2.0

TheatreLink Pty Ltd (“TheatreLink”, “we”, “us”, “our”) is committed to protecting the privacy of personal and health information in accordance with the Australian Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), and applicable state-based health record legislation. This policy explains how we collect, use, store, and disclose personal information through our operating theatre management platform.

1. About TheatreLink

TheatreLink is an Australian operating theatre scheduling, coordination, and admissions platform designed for hospitals, surgeons, anaesthetists, practice managers, theatre managers, and admissions officers. The platform facilitates theatre bookings, session scheduling, equipment coordination, workforce management, and — for hospitals that have enabled the optional Admissions & Consent module — digital patient admissions and procedure consent workflows.

TheatreLink is not an electronic health record (EHR) system, is not a system of record for clinical care, and does not participate in or connect to the Australian Government’s My Health Record system. The hospital’s patient administration system (PAS) remains the source of truth for patient care records. TheatreLink captures booking and admissions data at the point of origin and supports the hospital’s existing workflows.

2. Information We Collect

We collect personal information that is reasonably necessary for the operation of the platform. The types of information we may collect include:

Account Information

  • Full name, email address, and mobile phone number
  • Professional role (e.g. surgeon, anaesthetist, theatre manager, practice manager, admissions officer)
  • AHPRA registration number (for practitioner verification purposes only)
  • Hospital affiliations and departmental associations

Authentication & Security Data

  • Hashed passwords (bcrypt, never stored in plaintext)
  • Multi-factor authentication (MFA) secrets
  • WebAuthn/biometric credential identifiers
  • Device trust tokens
  • Login timestamps and session data

Operational Data

  • Theatre booking details (procedure descriptions, scheduling, equipment requirements)
  • Session and roster information
  • Uploaded accreditation documents
  • Communication preferences and notification settings
  • Audit logs of significant actions performed by users in the platform

Patient Personal & Health Information (where applicable)

Where a hospital has enabled the Admissions & Consent module, or where the “Allow Confidential Patient Information” setting has been activated, TheatreLink may collect and process the following categories of patient information on behalf of the hospital:

  • Demographic details: patient name, date of birth, residential address, suburb, state, postcode, mobile phone, email
  • Identifiers: hospital-issued Medical Record Number (MRN), private-health-fund member number
  • Clinical information collected via the admissions booklet: medical history, current medications, allergies, anaesthetic history, social history (smoking, alcohol, occupation), and similar information requested by the hospital’s admission template
  • Family / next of kin: name, relationship, contact number
  • Procedure consent artifacts: typed name, canvas-drawn signature, ticked checkbox responses, witness details where required, and the resulting signed consent PDF
  • Audit and integrity metadata: IP address, browser user agent, device fingerprint hash, and RFC 3161 timestamp tokens collected solely to evidence the validity of the signing event

The schema of the admissions booklet is configured per hospital, may be amended by the hospital, and is frozen at the point an individual patient is invited to complete it (so that mid-process schema changes do not affect any patient already in flight).

Patient personal and health information is held under strict access controls, encrypted at the record level (see Section 6), and is accessed only by authorised users at the patient’s hospital for purposes directly related to the patient’s admission, procedure, and treatment. The hospital remains the data custodian.

Information We Do Not Collect

Except where collected through the Admissions & Consent module described above, users are instructed not to enter identifiable patient information into the platform. Where a hospital has not enabled the module, the platform’s operational data (bookings, sessions, rosters) is intended to contain only procedure descriptions, scheduling details, equipment requirements, and other operational metadata.

TheatreLink does not collect:

  • Tax file numbers, driver licence numbers, or other government identifiers not listed above
  • Medicare numbers or Individual Healthcare Identifiers (IHI) — unless the hospital’s PAS integration is activated and the patient has consented; the integration is currently planned but not yet built
  • Genetic or biometric information beyond the canvas-drawn signature and one-way device fingerprint hash referenced above
  • Personal information about non-users for marketing or research purposes

3. How We Collect Information

We collect personal information directly from individuals when they:

  • Register for a TheatreLink account (or are registered by their hospital administrator)
  • Update their profile or account settings
  • Upload documents (e.g. accreditation certificates)
  • Create or modify theatre bookings and sessions
  • Contact us for support

We do not collect personal information from third parties unless it is provided by an authorised hospital administrator for the purposes of user provisioning.

4. How We Use Your Information

We use personal information for the following purposes:

  • Platform Operation: Managing user accounts, authenticating access, and providing the theatre scheduling service
  • Communication: Sending booking confirmations, session notifications, schedule changes, and system alerts via email and SMS
  • Security: Monitoring for unauthorised access, enforcing rate limits, and maintaining audit logs
  • Professional Verification: Verifying practitioner credentials using AHPRA registration numbers
  • Admissions & Consent (where the module is enabled by a hospital): Receiving completed patient admissions booklets, producing the resulting PDF artifact for the hospital’s admissions officer, capturing patient (and where required, witness) procedure consent, and producing the signed consent envelope
  • Audit & Integrity: Producing tamper-evident hash-chained audit trails of admissions and consent events, anchored quarterly to an external RFC 3161 timestamp authority (FreeTSA in non-production; DigiCert in production)
  • Platform Improvement: Analysing aggregated, de-identified usage data to improve platform features and performance. Patient health information is excluded from analytics payloads.
  • Legal Compliance: Meeting obligations under the Privacy Act 1988, applicable state-based health record legislation, and other applicable laws

We do not use personal information for direct marketing. All communications are operational and directly related to your use of the platform.

5. Disclosure of Information

We do not sell, rent, or trade personal information. We may disclose personal information in the following limited circumstances:

  • Within your hospital network: Theatre managers can see booking details for their hospital. Surgeons and practice managers can see their own bookings and relevant scheduling information.
  • Service providers: We use trusted third-party services to operate the platform (see Section 7 — Cross-Border Disclosure).
  • Legal requirements: Where required or authorised by Australian law, a court order, or to prevent a serious threat to life, health, or safety.

Access within the platform is controlled by role-based access controls — users can only view information relevant to their role and hospital affiliation.

6. How We Protect Your Information

We take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access or disclosure. Our security measures include:

  • Encryption in transit: All connections use TLS 1.3 encryption
  • Encryption at rest: Database and file storage are encrypted using AES-256
  • Record-level envelope encryption for patient health information: Where the Admissions & Consent module is enabled, each patient record, booklet answer set, signed consent envelope, and uploaded clinical document is encrypted with a per-record Data Encryption Key (DEK), wrapped by a master key held in a managed Key Management Service. Plaintext patient health information never leaves the encryption boundary except in memory during an authorised access.
  • One-way lookup hashes: Where patient records must be matched (e.g. by name + date of birth), HMAC-SHA256 hashes are used so the platform can identify candidate matches without decrypting the underlying record.
  • Hash-chained audit trail: Admissions and consent events (view, save-step, submit, sign, witness, withdrawal) are appended to a hash-chained audit log so that any tampering is detectable. The chain is anchored quarterly to an external RFC 3161 timestamp authority.
  • Cryptographically-signed consent payloads: At the moment a patient or witness signs a consent form, a canonical representation of the consent is signed using the managed Key Management Service to support non-repudiation.
  • Tokenised patient links with a second factor: Patient-facing admissions and consent invitations are delivered as single-use, short-lived tokenised links protected by a second factor (date of birth + postcode) before any health information is revealed.
  • Tenant scoping with defence-in-depth checks: Every server-side request is checked against the requester’s role and the resource’s owning hospital; document streams additionally verify that the requested document belongs to a patient associated with the calling user’s case before any decryption is performed.
  • Password security: Passwords are hashed using bcrypt with 12 salt rounds and are never stored in plaintext
  • Multi-factor authentication: TOTP-based MFA and WebAuthn/biometric authentication are supported and can be enforced
  • Session management: Configurable session timeouts with automatic expiry
  • Rate limiting: Login attempts are rate-limited to prevent brute-force attacks
  • Role-based access control: Portal-based access segregation ensures users only see data relevant to their role
  • Security monitoring: Error tracking with PII scrubbing, plus security audit tooling, monitor for anomalous activity
  • Security headers: HSTS, X-Frame-Options, X-Content-Type-Options, and strict referrer policies are enforced

7. Cross-Border Disclosure & Third-Party Services

TheatreLink uses the following third-party service providers to operate the platform. Some of these providers may process data outside of Australia:

Service  |  Purpose  |  Data Location
Vercel  |  Application hosting and deployment  |  Sydney (ap-southeast-2)
Neon (PostgreSQL)  |  Primary database  |  AWS Sydney
Vercel Blob  |  Encrypted document storage  |  Sydney region
Resend  |  Transactional email delivery  |  United States
Twilio  |  SMS notifications  |  United States (processing)
Pusher  |  Real-time WebSocket connections  |  ap-southeast-2
Sentry  |  Error monitoring (PII scrubbed)  |  United States
Anthropic  |  AI-powered document parsing  |  United States (processing)

Where data is processed overseas, we take reasonable steps to ensure the recipient handles information in accordance with the APPs. All connections to third-party services use encrypted channels. We do not disclose identifiable patient information to any third party.

8. Government Identifiers

TheatreLink collects AHPRA registration numbers for the sole purpose of verifying healthcare practitioner credentials. We do not:

  • Use AHPRA numbers as internal identifiers or database keys
  • Disclose AHPRA numbers to other users except where relevant to accreditation processes
  • Collect Medicare numbers, tax file numbers, or other patient government identifiers

9. Data Quality & Retention

We take reasonable steps to ensure personal information is accurate, up-to-date, and complete. Users can update their profile information at any time through their account settings. Where the Admissions & Consent module is in use, the patient enters their own demographic and medical history information directly; the hospital’s admissions officer is responsible for verifying and, where necessary, correcting that information at the time of admission.

We retain personal information for as long as it is needed for the purposes described in this policy or as required by law. When information is no longer needed, we take reasonable steps to destroy or de-identify it. Expired authentication tokens and verification codes are automatically cleaned up.

Retention horizons

  • Account information: retained for the life of the account, then deleted within 30 days of account closure unless a longer retention is required by law
  • Booking and session records: retained for the period required by the hospital’s clinical record policy (typically 7 years) and any longer period required by state-based health record legislation
  • Signed consent envelopes (where the consent module is enabled): retained for the medico-legal record retention period required by the relevant state legislation, which may be 7 to 25 years depending on the procedure and the patient’s state of treatment
  • Patient admissions booklet artifacts (where the booklet module is enabled): retained alongside the patient’s hospital record per the hospital’s clinical record retention policy
  • Audit logs of patient-information access: retained for 7 years for tamper-evidence and regulatory purposes
  • Other audit logs: retained on a tiered schedule (typically 90 days for authentication events, 1 year for non-PHI administrative events)
  • Authentication tokens and verification codes: deleted automatically after expiry (typically 7 days or shorter)

Accounts that have been inactive for an extended period may be flagged for review and deactivation by system administrators.

10. Accessing Your Information

You have the right to request access to the personal information we hold about you. You can:

  • Self-service: View and update your profile information, notification preferences, and uploaded documents through your TheatreLink account
  • Formal request: Submit a written request to our Privacy Officer to receive a copy of all personal information held about you

If you are a patient seeking access to admissions or consent information held about you, the hospital where you received care is the primary point of contact and the data custodian for those records. We will support the hospital’s response to your request. You may also contact our Privacy Officer directly using the details in Section 17.

We will respond to access requests within 30 days. In limited circumstances, we may refuse access where permitted by the Privacy Act (for example, where providing access would unreasonably impact the privacy of other individuals).

11. Correcting Your Information

If you believe any personal information we hold about you is inaccurate, out-of-date, incomplete, or misleading, you may:

  • Update your own profile details through your account settings
  • Contact your hospital administrator to correct booking or scheduling records
  • Submit a formal correction request to our Privacy Officer

If we correct information that was previously disclosed to a third party, we will take reasonable steps to notify them of the correction.

12. Data Breach Notification

In accordance with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act, TheatreLink will:

  • Take immediate steps to contain and assess any suspected data breach
  • Notify the Office of the Australian Information Commissioner (OAIC) and affected individuals of eligible data breaches that are likely to result in serious harm
  • Provide notification as soon as practicable and no later than 30 days after becoming aware of a breach
  • Include in notifications: a description of the breach, the type of information involved, and recommended steps individuals should take

13. Anonymity & Pseudonymity

Under the Privacy Act, individuals have the right to deal with organisations anonymously or using a pseudonym where practicable. Due to the nature of TheatreLink as a healthcare coordination platform, identification is required for:

  • Patient safety and clinical accountability in surgical scheduling, admissions, and consent
  • Professional credential verification (AHPRA)
  • Hospital access control and accreditation compliance
  • The legal validity of an electronically-signed procedure consent under the Electronic Transactions Act 1999 (Cth) and state equivalents

This is permitted under APP 2.2(a) where identification is required by law or where it is impracticable to deal with individuals anonymously.

14. Admissions & Consent Module — Additional Information

Where your hospital has activated the Admissions & Consent module, the following additional information applies in relation to your admissions booklet, your procedure consent, and the way that information flows between you, the hospital, and TheatreLink.

Role of TheatreLink and the hospital

The hospital is the data custodian for your admissions and consent records. TheatreLink processes that information on the hospital’s behalf, in accordance with the hospital’s configured workflows. The hospital’s information governance policies, retention rules, and complaint processes apply alongside this Privacy Policy.

Tokenised links and second factor

You will receive a tokenised link to your admissions booklet and/or consent form by SMS and email. Before any health information can be viewed or entered, you are asked to verify two factors of identity (typically date of birth and postcode). The link is single-use and expires within a short window. If you lose your link, contact the hospital’s admissions team for a fresh link rather than forwarding the original.

Witness signatures

Where the procedure or hospital policy requires a witness, the witness signs on the same device immediately after you do. The witness is asked to type their name and add a canvas signature; the device’s identity factor is retained as evidence that the signing took place on the same device used for your factor verification.

Withdrawal of consent

You may withdraw your consent at any time before the procedure. Contact your hospital’s admissions team as the primary point of contact, or email privacy@theatrelink.com.au. Where a consent envelope has already been signed, the original signed artifact is retained as evidence of the consent state at signing time, with a clearly-recorded withdrawal event appended to the audit chain.

Tamper-evidence and audit trail

Every interaction with the admissions booklet and consent form (view, save-step, submit, sign, witness, withdrawal) is recorded in a hash-chained audit log. The audit chain is anchored to an external Time Stamp Authority (RFC 3161). This means we can demonstrate, to a court if necessary, that an audit record has not been altered since the moment it was recorded.

Independent Privacy Impact Assessment

An independent Privacy Impact Assessment has been prepared for the Admissions & Consent module. Hospitals are not enabled on the module in their production environment until that assessment has been reviewed and signed off by the hospital’s information governance committee.

15. Complaints

If you believe we have breached the Australian Privacy Principles or handled your information inappropriately, you may lodge a complaint with us:

  1. Contact our Privacy Officer using the details below. We will acknowledge your complaint within 5 business days and aim to resolve it within 30 days.
  2. If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
    • Website: www.oaic.gov.au
    • Phone: 1300 363 992
    • Post: GPO Box 5288, Sydney NSW 2001

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify registered users of material changes via email or in-app notification. The “Last Reviewed” date at the top of this policy indicates when it was last updated.

17. Contact Us

If you have any questions about this Privacy Policy, wish to make an access or correction request, or want to lodge a complaint, please contact:

Privacy Officer

TheatreLink Pty Ltd

Email: privacy@theatrelink.com.au

Website: www.theatrelink.com.au

TheatreLink — Designed by an Australian Surgeon for Australian Hospitals
theatrelink.com.au | support@theatrelink.com.au