MEDirect Privacy Policy 

Last updated: 02.03.2026

At MEDirect Pty Ltd, your privacy isn’t an afterthought. It’s at the centre of everything we do. As Australia’s leading digital medicolegal platform, we manage sensitive medical and legal information every day. We are committed to protecting your personal information with the highest standards of security, transparency, and compliance.

This Privacy Policy explains how we collect, use, disclose, and protect your personal information in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), relevant state and territory Health Records legislation, and our commitment to international standards including ISO 27001, SOC 2, and HIPAA.

To ensure clarity, this policy addresses the specific groups who interact with our platform:

  • Referrers: Lawyers, insurers, employers, or any organisation or individual instructing MEDirect to arrange a medicolegal service.
  • Medical Experts: Medical specialists and allied health professionals registered with MEDirect to conduct independent assessments and provide reports.
  • Examinees: Individuals who are the subject of a medicolegal assessment organised through our platform.

  1. Definitions

In this Privacy Policy:

  • Personal information has the meaning given in the Privacy Act 1988 (Cth) and includes information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not and whether recorded in a material form or not.
  • Sensitive information includes health information and other categories of information defined as “sensitive information” under the Privacy Act.
  • Health information includes information or an opinion about an individual’s health, disability, health services provided or to be provided to them, and related claims or assessments, whether true or not and whether recorded in a material form or not.
  • De‑identified information means information that is no longer about an identified individual or an individual who is reasonably identifiable, having regard to the means reasonably likely to be used to identify them. De‑identification is a risk‑management process and we take into account the context in which the information will be used and who will have access to it.

  2. What Information We Collect

We only collect information that is necessary to provide and improve our services.

For Referrers, we collect:

  • Contact & Professional Details: Your name, email address, phone number, organisation name, and business address.
  • Case Details: Information required to identify and manage a case, including your case reference number and the type of assessment required.
  • Billing Information: Details required to process payments and invoices.

For Medical Experts, we collect:

  • Contact & Professional Details: Your name, contact information, AHPRA registration details, specialty, qualifications, professional indemnity insurance, and curriculum vitae.
  • Financial Information: Bank account details for the purpose of processing payments for your services.
  • Platform Usage Data: Login history, availability, and activity on the platform to manage scheduling and service delivery.

For Examinees, we collect:

  • Personal & Contact Details: Your name, date of birth, address, email address, and phone number to schedule and confirm your assessment.
  • Case Identification: Your claim number or case reference to link you to the correct matter.
  • Sensitive Health Information: As provided by the Referrer, this includes your medical history, clinical records, diagnostic imaging, specialist reports, claim‑related documentation, and other health information directly relevant to the medicolegal assessment. We collect this information on the basis that the Referrer has obtained your consent or is otherwise permitted by law to provide it to us for the purpose of the assessment.

De‑identified information

We may de‑identify personal and health information that we hold by removing or altering details so that individuals are no longer identifiable or reasonably identifiable in the context in which the information will be used. Once information has been appropriately de‑identified, we may handle it as de‑identified information for purposes such as analytics, service and quality improvement, research and technology development, as described below.

  3. How We Use Your Information

Primary use of personal information

Your personal information is used only as reasonably necessary to deliver our medicolegal services and to meet our legal, regulatory and professional obligations.

For Referrers, we use your information to:

  • Create and manage your account on the MEDirect platform.
  • Process your service requests and book assessments.
  • Communicate with you regarding case progress, scheduling, and report delivery.
  • Securely deliver court‑ready reports.
  • Process invoices and manage payments.

For Medical Experts, we use your information to:

  • Verify your identity, credentials, and qualifications.
  • Match your expertise with suitable assessment requests.
  • Facilitate communication regarding assessment details and scheduling.
  • Provide you with the necessary case documents to conduct your assessment.
  • Process payments for your professional services.

For Examinees, we use your information to:

  • Facilitate the medicolegal assessment requested by the Referrer.
  • Communicate with you about your appointment details, if required.
  • Provide your relevant medical and case information securely to the assigned Medical Expert for their review.
  • Ensure your assessment and the resulting report are accurately associated with your legal or insurance matter.

We do not use your sensitive health information for marketing purposes.

Use of de‑identified information (including for AI)

We may use technical and organisational measures to de‑identify medical, legal and case information that we handle, as part of our normal privacy‑protective handling of personal and health information. Once data has been appropriately de‑identified so that individuals are not identifiable or reasonably identifiable in the relevant context, we may use it to:

  • analyse and improve our services, workflows and platform performance
  • produce statistics and insights about how our services are used
  • develop, train, test and validate tools that assist with document handling, categorisation, quality assurance and other platform features, including AI‑enabled tools
  • support research, innovation and service design, in a way that does not identify any individual.

We may also disclose de‑identified information to trusted service providers (including technical, analytics and AI providers), research partners or analytics tools for these purposes. Those providers are contractually required to implement safeguards designed to minimise any risk of re‑identification and are not permitted to attempt to re‑identify any individual.

Our approach to de‑identification and use of de‑identified data is designed to be consistent with the Privacy Act 1988 (Cth), the Australian Privacy Principles and applicable state and territory health‑records laws.

We do not use your identifiable health information to train or commercialise AI models unless we are permitted or required by law and, where required, we have obtained your explicit consent.

Optional consented uses

In some circumstances we may ask for your explicit consent to use certain identifiable information (for example, particular documents or audio) to help us test or validate new technologies, such as AI‑enabled tools. Providing consent for these uses is entirely optional and is not required for you to receive medicolegal services. If you give consent, you can withdraw it at any time, and we will stop using your information for that purpose, subject to technical and legal limitations.

  4. Disclosure of Your Information

We share your personal information only with those who require it to facilitate the medicolegal process or to support our operations, or where the law requires it.

  • Examinee information is disclosed only to the accredited Medical Expert assigned to the case and subsequently to the instructing Referrer as part of the final report or any necessary clarifications.
  • Referrer and Medical Expert information (for example, name, specialty, organisation) may be shared with one another to the extent necessary to manage the assessment and associated communications.
  • We may share information with trusted service providers who perform functions on our behalf, such as secure IT hosting, transcription, document processing, analytics, or administrative support. These providers are contractually bound to uphold privacy and security standards that are at least as protective as our own and are not permitted to use your information for their own purposes. Some of these service providers may be located outside Australia. Where we disclose personal information overseas, we take reasonable steps to ensure the recipient protects the information in a manner that is consistent with this Privacy Policy and applicable privacy laws.
  • We may disclose information where required or authorised by Australian law, regulation, or a court or tribunal order, including to regulators, complaint bodies, insurers or other third parties as legally necessary.

We may disclose de‑identified information to service providers, research partners or analytics tools for the purposes described in Section 3. Such information does not identify individuals.

  5. Security of Your Information

Protecting your information is core to our platform. MEDirect uses a combination of technical, organisational and contractual measures designed to protect your information from misuse, interference and loss, and from unauthorised access, modification or disclosure, including:

  • End‑to‑end encryption for documents and communications in transit and at rest.
  • Secure hosting on Australian servers with strict access controls and role‑based permissions.
  • Information security frameworks aligned to ISO 27001, SOC 2, HIPAA and relevant Australian standards.
  • Full, immutable audit trails for case activity and document handling.
  • Staff training, confidentiality obligations and access on a “need‑to‑know” basis.

While no system is 100% risk‑free, our security controls are designed to minimise the risk of unauthorised access, misuse, or disclosure.

  6. Data Retention, De‑identification and Deletion

We retain personal information only for as long as necessary to:

  • provide our services
  • manage our relationship with Referrers, Medical Experts and Examinees
  • comply with legal, regulatory and professional obligations (including limitation periods and record‑keeping requirements)
  • resolve disputes and enforce our agreements.

When personal information is no longer required for these purposes, we will take reasonable steps to securely destroy it or de‑identify it in accordance with APP 11 and applicable health records legislation.

Where appropriate, we may retain data in a de‑identified form (so that it no longer relates to an identified or reasonably identifiable individual in the relevant context) for legitimate business purposes, including analytics, service improvement, research and AI‑assisted tools. We assess and manage the risk of re‑identification having regard to the nature of the data, the environment in which it will be used and any other data that may be available to those who have access to it.

De‑identified data is not subject to the same access and correction rights because it can no longer be linked to you.

  7. Your Rights: Access, Correction and Consent

You have rights regarding the personal information we hold about you, including the right to:

  • request access to the personal information we hold about you
  • request corrections if you believe the information is inaccurate, out‑of‑date, incomplete, irrelevant or misleading
  • withdraw consent for certain uses of your information where our processing is based on consent (for example, optional consented AI‑related uses as described above)
  • lodge a complaint if you believe your privacy rights have been breached.

Requests can be made by contacting us at TalkToUs@MEDirect.com.au. We will respond within a reasonable timeframe and in accordance with our legal obligations.

For security and privacy reasons, we may need to verify your identity before providing access or making corrections.

  8. Complaints and Oversight

If you have concerns about how your information is handled, please contact our Privacy Officer at the email below. We take all complaints seriously and will investigate them promptly and fairly.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au or by using the contact details published on the OAIC website.

  9. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, services or legal obligations. The most recent version will always be available on our website and will include the “Last updated” date at the top.

We encourage you to review this Privacy Policy periodically to stay informed about how we handle your personal information.

  10. Contact Us

For any questions about this Privacy Policy or how we handle your personal information, please contact:

MEDirect Pty Ltd
Email: TalkToUs@MEDirect.com.au
Phone: 1300 001 633
