Privacy Policy for Practice AI
Effective Date: October 2025
Last Updated: October 2025
1. Introduction
This Privacy Policy outlines how Practice AI ("we", "us", "our") collects, uses, stores, and protects personal information through the use of Practice AI, an AI-powered medical scribe tool used in clinical settings across New Zealand. We are committed to complying with the NZ Privacy Act 2020 and the Information Privacy Principles (IPPs), ensuring the responsible and ethical use of AI in healthcare.
2. Purpose of Data Collection
We collect personal information solely for the purpose of assisting healthcare providers in documenting clinical consultations. This includes transcribing spoken interactions into structured clinical notes to support accurate and efficient patient care.
3. Types of Information Collected
- Patient Information: Name, date of birth, medical history, symptoms, diagnoses, treatments, and other health-related data.
- Provider Information: Name, role, and clinical notes generated during consultations.
- Metadata: Time stamps, device information, and usage logs for system performance and auditing.
4. Legal Basis for Processing
We process personal information under the following legal bases:
- Consent: Patients must be informed and provide explicit consent before their data is processed by the AI scribe.
- Health Service Provision: Data is processed to support the delivery of health services, in accordance with IPPs 1–4 and 10.
5. Patient Consent
Before using Practice AI, patients are informed about the nature and purpose of data collection and processing. Consent is obtained explicitly, either in written or verbal form, and documented appropriately. Patients have the right to withdraw their consent at any time, subject to legal and clinical obligations.
6. Data Storage and Sovereignty
All personal data is stored securely within New Zealand DIA-approved jurisdictions with equivalent privacy protections. We do not store or process data in locations that compromise New Zealand’s data sovereignty, including Māori data sovereignty considerations.
7. Data Security
We implement robust security measures including:
- End-to-end encryption
- Role-based access controls
- Regular security audits
- Secure cloud infrastructure compliant with HISO 10064:2017 guidelines
8. Use and Disclosure of Information
Personal information is used only for the purpose for which it was collected. We do not use data for secondary purposes such as training models unless explicit consent is obtained. We do not sell or share personal data with third parties.
9. Accuracy and Fairness
We ensure that AI-generated notes are reviewed by qualified healthcare professionals. Regular audits and feedback loops are in place to monitor accuracy, fairness, and bias in AI outputs.
11. Privacy Impact Assessment (PIA)
We regularly conduct Privacy Impact Assessments to identify and mitigate risks associated with AI use. This includes engagement with Māori communities and other stakeholders to uphold fairness and cultural safety.
12. Data Retention
We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, including:
- Supporting clinical documentation and continuity of care
- Meeting legal, regulatory, and contractual obligations
- Conducting audits, quality assurance, and system improvements
Retention Periods:
- Audio Recordings (if applicable): Retained only until transcription is complete and verified, unless otherwise required for clinical or legal purposes.
- System Logs and Metadata: Retained for up to 1 month for security, auditing, and performance monitoring, unless a longer period is required by law.
Deletion and Anonymisation:
- Personal data is securely deleted or anonymised once it is no longer required.