Privacy Policy for ConsultAI NZ

Effective Date: December 1, 2024

Welcome to ConsultAI NZ. We provide a software tool designed for General Practitioners (GPs) in New Zealand to assist with the administrative task of clinical note generation following patient consultations. Our tool uses artificial intelligence technology for live transcription and note summarisation. We understand the sensitive nature of the data processed in a healthcare context and are committed to protecting privacy in accordance with New Zealand law.

This Privacy Policy explains how we handle information when you use the ConsultAI NZ software.


1. Purpose of Data Collection

The primary purpose of collecting and processing audio data is to provide the core functionality of the ConsultAI NZ software: to transcribe patient consultations and generate structured notes to assist the GP. This process is intended to reduce the administrative workload on GPs, allowing them to focus on patient care.


2. Information We Process

When you use ConsultAI NZ, we process the following types of information:

  • Audio Data: The software captures audio from the consultation environment for real-time processing. This audio contains the spoken conversation during the consultation.
  • Transcription Text: The audio data is converted into text transcription using a third-party service (Deepgram).
  • Processed Text (Notes): The transcription text is processed by another third-party AI service (OpenAI) to generate a summary or structured note.
  • User Account Information: When you register for ConsultAI NZ, we collect information necessary to set up and manage your account, such as your name and email address.
  • Usage Data: We may collect information about how you use the ConsultAI NZ software, such as features accessed and frequency of use. This helps us improve the service.

Crucially, the ConsultAI NZ software itself is designed not to permanently store audio data, transcription text, or processed notes unless you, as the GP, explicitly choose to save consultation information manually within the application or export it. The AI processing is temporary and occurs to generate the notes for your immediate review and use.


3. How Information is Processed and Protected

ConsultAI NZ relies on third-party AI services to perform transcription and note generation:

  • Deepgram for Transcription: Audio data is sent to Deepgram's service for transcription. Deepgram offers redaction features designed to automatically identify and remove sensitive information, such as Personally Identifiable Information (PII), from the transcription output. Deepgram states they maintain and meet requirements for multiple data privacy compliance frameworks and certifications, including SOC 2, GDPR, HIPAA, CCPA, and PCI. They can act as a Business Associate under US HIPAA legislation, and for GDPR/CCPA, they act as a data "processor" or "service provider". Deepgram is committed to protecting the confidentiality of client information and implements administrative, technical, and physical safeguards. They retain a security advisor and an independent Data Protection Officer.
  • OpenAI for Note Generation: The transcription text (after redaction by Deepgram) is sent to OpenAI's service (specifically, via their API, which offers different data handling practices than consumer versions) for processing into structured notes. OpenAI's API terms state that data submitted via the API is generally not used to train or improve their models unless users explicitly opt in, and that they do not sell user data to third parties. However, be aware that past practices and ongoing discussions have highlighted privacy concerns regarding OpenAI's handling of data, particularly for non-API usage and in relation to GDPR compliance. OpenAI relies on Standard Contractual Clauses (SCCs) for data transfers outside the European Economic Area, but data transfers to the US remain a point of consideration under various privacy laws. We aim to utilise the API versions to benefit from the stated data-not-used-for-training policy.

While these third-party services employ security measures like encryption, it is important to understand that data is processed by them temporarily to provide the transcription and note output.


4. Data Storage

  • Temporary Processing: Audio data, transcription text, and generated notes are processed temporarily by Deepgram and OpenAI via their APIs to provide the service's functionality. ConsultAI NZ does not retain these processed data points on its own servers after they have been presented to the GP for review and action.
  • Manual Storage by GP: Patient consultation data is only stored long-term if you, the GP user, manually save the generated notes or other information within the ConsultAI NZ application or export it to another system, such as a Patient Management System (PMS). The responsibility for the storage, security, and handling of this manually saved patient data rests with the GP and their practice, in accordance with their legal obligations (see Section 6).

5. Data Location

The third-party AI services (Deepgram and OpenAI) process data on servers located outside of New Zealand. The processing of data outside of New Zealand is governed by the Privacy Act 2020, specifically Principle 12, which places restrictions on disclosing personal information to foreign persons or entities unless certain conditions are met, such as comparable safeguards or the individual's authorisation after being informed of potential differences in protection.

ConsultAI NZ, as the provider of the software, and you, as the GP user, must ensure that the requirements for overseas disclosure are met when using the service to process patient information. We aim to select third-party processors with robust privacy commitments that align with internationally recognised standards (like GDPR readiness and SOC 2 certification mentioned by Deepgram), but it is your responsibility to satisfy yourself that the use of these services complies with your obligations under New Zealand law.


6. GP's Privacy Responsibilities under New Zealand Law

As a GP using ConsultAI NZ, you are the "agency" (or part of the agency, e.g., your practice) under the Privacy Act 2020 and the Health Information Privacy Code 2020 (HIPC 2020). This places significant legal responsibilities on you regarding the collection, use, storage, and disclosure of your patients' health information.

Specifically, you are responsible for:

  • Obtaining Consent: You must obtain appropriate informed consent from your patients before recording their consultations and using an AI tool like ConsultAI NZ to process their health information for transcription and note-taking purposes (see HIPC 2020 Principles 1, 3 and 4). You must explain to patients how their information will be handled, including the use of third-party AI services, the temporary processing of audio and text data, and the fact that data may be processed outside of New Zealand.
  • Minimising Collection: Ensuring that only necessary information is collected and processed.
  • Accuracy: Reviewing the AI-generated transcription and notes for accuracy before saving or using them, as AI transcription can sometimes make mistakes and you have obligations under HIPC 2020 (Principle 8) regarding the accuracy of health information.
  • Storage and Security: Ensuring that any patient information you choose to manually save within ConsultAI NZ or export is stored securely and protected against unauthorised access or disclosure (HIPC 2020 Principle 5).
  • Data Retention: Retaining health information only for as long as necessary (HIPC 2020 Principle 9).
  • Breach Notification: Understanding and complying with your obligations to notify the Privacy Commissioner and affected individuals in the event of a privacy breach that causes or is likely to cause serious harm.
  • Overseas Disclosure Compliance: Ensuring that the use of services that process data outside NZ complies with Privacy Act 2020 Principle 12.
  • Privacy Officer: Ensuring your practice has a designated Privacy Officer.

ConsultAI NZ acts as a data processor for you, assisting in the technical processing of audio and text. However, you remain the data controller and are primarily responsible for the lawful and ethical use of the service in accordance with New Zealand privacy and health information laws.


7. Patient Rights

Under the Privacy Act 2020 and HIPC 2020, patients have several rights regarding their health information:

  • Right to Access: Patients can request access to their health information.
  • Right to Correction: Patients can request correction of inaccurate information.
  • Right to Complain: Patients can complain to the Privacy Commissioner if they believe their privacy has been breached.
  • Right to Withdraw Consent: Patients can withdraw their consent for the use of AI tools at any time.

As the GP, you are responsible for facilitating these rights and ensuring patients understand how to exercise them.


8. Data Breach Response

In the event of a privacy breach involving patient data processed through ConsultAI NZ:

  • You must assess whether the breach is likely to cause serious harm to the affected individuals.
  • If serious harm is likely, you must notify the Privacy Commissioner as soon as practicable.
  • You must also notify affected individuals if the breach is likely to cause serious harm.
  • You should document the breach and your response for future reference.

ConsultAI NZ will cooperate with you in investigating and responding to any privacy breaches involving our service.


9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by posting the updated policy on our website and, where appropriate, by email. Your continued use of ConsultAI NZ after any changes indicates your acceptance of the updated Privacy Policy.


10. Contact Information

If you have questions about this Privacy Policy or our privacy practices, please contact us:

Email: privacy@consultai.nz

Phone: +64 21 XXX XXXX

Address: ConsultAI NZ, PO Box XXXX, Wellington, New Zealand


11. Regulatory Compliance

This Privacy Policy is designed to comply with the New Zealand Privacy Act 2020 and the Health Information Privacy Code 2020. If you have concerns about our compliance with these laws, you may contact the Office of the Privacy Commissioner at www.privacy.org.nz.


We are committed to protecting your privacy and the privacy of your patients. When you use ConsultAI NZ responsibly and in accordance with New Zealand law, we can work together to improve healthcare delivery while maintaining the highest standards of privacy protection.