MEDirect Privacy Policy
Last updated: 27.03.2026
At MEDirect Pty Ltd, your privacy isn’t an afterthought. It’s at the centre of everything we do. As Australia’s leading digital medicolegal platform, we manage sensitive medical and legal information every day. We are committed to protecting your personal information with the highest standards of security, transparency, and compliance.
This Privacy Policy explains how we collect, use, disclose, and protect your personal information in accordance with the Privacy Act 1988 (Cth), the Australian Privacy Principles (APPs), relevant state and territory Health Records legislation, and our commitment to international standards including ISO 27001, SOC 2, and HIPAA.
To ensure clarity, this policy addresses the specific groups who interact with our platform:
- Referrers: Lawyers, insurers, employers, or any organisation or individual instructing MEDirect to arrange a medicolegal service.
- Medical Experts: Medical specialists and allied health professionals registered with MEDirect to conduct independent assessments and provide reports.
- Examinees: Individuals who are the subject of a medicolegal assessment organised through our platform.
- Definitions
In this Privacy Policy:
- Personal information has the meaning given in the Privacy Act 1988 (Cth) and includes information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether true or not and whether recorded in a material form or not.
- Sensitive information includes health information and other categories of information defined as “sensitive information” under the Privacy Act.
- Health information includes information or an opinion about an individual’s health, disability, health services provided or to be provided to them, and related claims or assessments, whether true or not and whether recorded in a material form or not.
- De‑identified information means information that is no longer about an identified individual or an individual who is reasonably identifiable, having regard to the means reasonably likely to be used to identify them. De-identification is a risk-management process. Techniques may include removal of direct identifiers, aggregation, pseudonymisation and other measures designed to minimise the risk of re-identification, having regard to OAIC guidance, the context of use, and the data environment.
- What Information We Collect
We only collect information that is necessary to provide and improve our services.
For Referrers, we collect:
- Contact & Professional Details: Your name, email address, phone number, organisation name, and business address.
- Case Details: Information required to identify and manage a case, including your case reference number and the type of assessment required.
- Billing Information: Details required to process payments and invoices.
For Medical Experts, we collect:
- Contact & Professional Details: Your name, contact information, AHPRA registration details, specialty, qualifications, professional indemnity insurance, and curriculum vitae.
- Financial Information: Bank account details for the purpose of processing payments for your services.
- Platform Usage Data: Login history, availability, and activity on the platform to manage scheduling and service delivery.
For Examinees, we collect:
- Personal & Contact Details: Your name, date of birth, address, email address, and phone number to schedule and confirm your assessment.
- Case Identification: Your claim number or case reference to link you to the correct matter.
- Sensitive Health Information: As provided by the Referrer, this includes your medical history, clinical records, diagnostic imaging, specialist reports, claim‑related documentation, and other health information directly relevant to the medicolegal assessment. We collect this information on the basis that the Referrer has obtained your consent or is otherwise permitted by law to provide it to us for the purpose of the assessment.
De‑identified information
We may de‑identify personal and health information that we hold by removing or altering details so that individuals are no longer identifiable or reasonably identifiable in the context in which the information will be used. Once information has been appropriately de‑identified, we may handle it as de‑identified information for purposes such as analytics, service and quality improvement, research and technology development, as described below.
- How We Use Your Information
Primary use of personal information
Your personal information is used only as reasonably necessary to deliver our medicolegal services and to meet our legal, regulatory and professional obligations.
For Referrers, we use your information to:
- Create and manage your account on the MEDirect platform.
- Process your service requests and book assessments.
- Communicate with you regarding case progress, scheduling, and report delivery.
- Securely deliver court‑ready reports.
- Process invoices and manage payments.
For Medical Experts, we use your information to:
- Verify your identity, credentials, and qualifications.
- Match your expertise with suitable assessment requests.
- Facilitate communication regarding assessment details and scheduling.
- Provide you with the necessary case documents to conduct your assessment.
- Process payments for your professional services.
For Examinees, we use your information to:
- Facilitate the medicolegal assessment requested by the Referrer.
- Communicate with you about your appointment details, if required.
- Provide your relevant medical and case information securely to the assigned Medical Expert for their review.
- Ensure your assessment and the resulting report are accurately associated with your legal or insurance matter.
We do not use your sensitive health information for marketing purposes.
Use of de‑identified information (including for AI)
Important note on consent
This Privacy Policy does not itself constitute consent to the use of identifiable health information for AI training or other secondary purposes. Where we propose to use identifiable health information for such purposes, we will obtain your express, informed consent separately, in accordance with the Privacy Act 1988 (Cth).
We may use technical and organisational measures to de‑identify medical, legal and case information that we handle, as part of our normal privacy‑protective handling of personal and health information. Once data has been appropriately de‑identified so that individuals are not identifiable or reasonably identifiable in the relevant context, we may use it to:
- analyse and improve our services, workflows and platform performance
- produce statistics and insights about how our services are used
- develop, train, test and validate tools that assist with document handling, categorisation, quality assurance and other platform features, including AI‑enabled tools
- support research, innovation and service design, in a way that does not identify any individual.
We may disclose de-identified information to trusted service providers (including technical, analytics and AI service providers) solely to perform services on our behalf.
These providers:
- may only process information on our documented instructions
- must not use the information to train their own AI models or develop their own products
- must not attempt to re-identify any individual
- must implement safeguards to minimise re-identification risk.
Our approach to de‑identification and use of de‑identified data is designed to be consistent with the Privacy Act 1988 (Cth), the Australian Privacy Principles and applicable state and territory health‑records laws.
We do not use your identifiable health information to train or commercialise AI models unless we are permitted or required by law and, where required, we have obtained your explicit consent.
Optional consented uses
In some circumstances we may ask for your explicit consent to use certain identifiable information (for example, particular documents or audio) to help us test or validate new technologies, such as AI‑enabled tools. Providing consent for these uses is entirely optional and is not required for you to receive medicolegal services. If you give consent, you can withdraw it at any time, and we will stop using your information for that purpose, subject to technical and legal limitations.
AI transparency
AI-enabled tools used by MEDirect are designed to support administrative, document-handling and quality-assurance processes. These tools do not replace clinical judgement, legal advice or expert assessment.
- Disclosure of Your Information
We share your personal information only with those who require it to facilitate the medicolegal process or to support our operations, or where the law requires it.
- Examinee information is disclosed only to the accredited Medical Expert assigned to the case and subsequently to the instructing Referrer as part of the final report or any necessary clarifications.
- Referrer and Medical Expert information (for example, name, specialty, organisation) may be shared with one another to the extent necessary to manage the assessment and associated communications.
- We may share information with trusted service providers who perform functions on our behalf, such as secure IT hosting, transcription, document processing, analytics, or AI-enabled services. These providers:
  - act only on MEDirect’s instructions
  - are contractually prohibited from using MEDirect data for their own purposes
  - must not use the data to train their own AI models or develop independent products
  - must implement appropriate security and confidentiality controls
  - are prohibited from attempting to re-identify de-identified information.
These providers may be located in jurisdictions including Australia, the United States, the European Union, or other regions where our technical providers operate.
Where personal information is disclosed overseas, we take reasonable steps to ensure recipients handle the information consistently with the Australian Privacy Principles, including through contractual controls, security requirements and restrictions on use.
- We may disclose information where required or authorised by Australian law, regulation, or a court or tribunal order, including to regulators, complaint bodies, insurers or other third parties as legally necessary.
- Overseas Processing Safeguards: MEDirect may use trusted service providers located in Australia or overseas to support the operation of our platform, including providers of cloud infrastructure, document processing, analytics, AI-enabled services and other technical services. Where personal information is disclosed to a service provider outside Australia, MEDirect takes reasonable steps to ensure the recipient handles the information in a manner consistent with the Australian Privacy Principles. These steps may include:
  - contractual privacy and confidentiality obligations
  - restrictions on the provider’s use of the information
  - requirements to implement appropriate security controls
  - prohibitions on attempting to re-identify de-identified information
  - restrictions on using MEDirect data to train external AI models or products
Where practicable, we seek to ensure that service providers process personal information only for the purposes of providing services to MEDirect and not for their own independent purposes. MEDirect remains accountable under the Privacy Act 1988 (Cth) for personal information disclosed overseas where required by Australian law.
We may disclose de‑identified information to service providers, research partners or analytics tools for the purposes described in Section 3. Such information does not identify individuals.
- Security of Your Information
Protecting your information is core to our platform. MEDirect uses a combination of technical, organisational and contractual measures designed to protect your information from misuse, interference and loss, and from unauthorised access, modification or disclosure, including:
- End‑to‑end encryption for documents and communications in transit and at rest.
- Secure hosting primarily on infrastructure located in Australia. Some authorised service providers supporting the platform may access or process information from other jurisdictions in accordance with this Privacy Policy.
- Information security frameworks aligned to ISO 27001, SOC 2, HIPAA and relevant Australian standards.
- Full, immutable audit trails for case activity and document handling.
- Staff training, confidentiality obligations and access on a “need‑to‑know” basis.
While no system is 100% risk‑free, our security controls are designed to minimise the risk of unauthorised access, misuse, or disclosure.
- Data Retention, De‑identification and Deletion
We retain personal information only for as long as necessary to:
- provide our services
- manage our relationship with Referrers, Medical Experts and Examinees
- comply with legal, regulatory and professional obligations (including limitation periods and record‑keeping requirements)
- resolve disputes and enforce our agreements.
When personal information is no longer required for these purposes, we will take reasonable steps to securely destroy it or de‑identify it in accordance with APP 11 and applicable health records legislation.
Where appropriate, we may retain data in a de‑identified form (so that it no longer relates to an identified or reasonably identifiable individual in the relevant context) for legitimate business purposes, including analytics, service improvement, research and AI‑assisted tools. We assess and manage the risk of re‑identification having regard to the nature of the data, the environment in which it will be used and any other data that may be available to those who have access to it.
De‑identified data is not subject to the same access and correction rights because it can no longer be linked to you.
- Your Rights: Access, Correction and Consent
You have rights regarding the personal information we hold about you, including the right to:
- request access to the personal information we hold about you
- request corrections if you believe the information is inaccurate, out‑of‑date, incomplete, irrelevant or misleading
- withdraw consent for certain uses of your information where our processing is based on consent (for example, optional consented AI‑related uses as described above)
- lodge a complaint if you believe your privacy rights have been breached.
Requests can be made by contacting us at TalkToUs@MEDirect.com.au. We will respond within a reasonable timeframe and in accordance with our legal obligations.
For security and privacy reasons, we may need to verify your identity before providing access or making corrections.
- Complaints and Oversight
If you have concerns about how your information is handled, please contact our Privacy Officer at the email below. We take all complaints seriously and will investigate them promptly and fairly.
- Email: TalkToUs@MEDirect.com.au
If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au or by using the contact details published on the OAIC website.
- Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, services or legal obligations. The most recent version will always be available on our website and will include the “Last updated” date at the top.
We encourage you to review this Privacy Policy periodically to stay informed about how we handle your personal information.
- Contact Us
For any questions about this Privacy Policy or how we handle your personal information, please contact:
MEDirect Pty Ltd
Email: TalkToUs@MEDirect.com.au
Phone: 1300 001 633