top of page
Psychological assessment before cosmetic surgery




1.1                   PACSS Pty Ltd ABN 45 628 474 199 (we, us or our) has adopted this Privacy Policy to ensure that we have standards in place to                               protect the Personal Information that we collect about individuals that is necessary and incidental to:

     (a)                    Providing the system and services that we offer; and

     (b)                    The normal day-to-day operations of our business.

1.2                   This Privacy Policy follows the standards of both:

     (a)                    The Australian Privacy Principles set by the Australian Government for the handling of Personal Information under the Privacy                                 Act 1988 (Cth) (Privacy Act); and

     (b)                    The regulations and principles set by the European Union’s General Data Protection Regulation (GDPR) for the handling of                                        Personal Data.

1.3                   By publishing this Privacy Policy, we aim to make it easy for our customers and the public to understand what Personal                                            Information we collect and store, why we do so, how we receive, obtain, store and/or use that information, and the rights of                                   control an individual has with respect to their Personal Information in our possession.


2.1                   Our Privacy Policy deals with how we handle “personal information” and “personal data” as it is defined in the Privacy Act and the                            GDPR respectively (Personal Information).

2.2                   We handle Personal Information in our own right and also for and on behalf of our customers and users.

2.3                   Our Privacy Policy does not apply to information we collect about businesses or companies, however it does apply to information                          about the people in those businesses or companies which we store.

2.4                   The Privacy Policy applies to all forms of information, physical and digital, whether collected or stored electronically or in                                        hardcopy.

2.5                   If, at any time, an individual provides Personal Information or other information about someone other than himself or herself, the                            individual warrants that they have that person’s consent to provide such information for the purpose specified.

2.6                   We consider the protection of privacy of children very important. We do not knowingly collect personal data from children under                          the age of 16 without obtaining parental consent. If we learn that Personal Information has been collected on the service from                                persons under 16 years of age without verifiable parental consent, then we will take the appropriate steps to delete such                                          information.


3.1                   Without limitation, the type of information we may collect is:

     (a)                    Personal Information.  We may collect personal details such as an individual’s name, location, date of birth, nationality, family                                 details and other information defined as “Personal Information” in the Privacy Act that allows us to identify who the individual is;

     (b)                    Health Information. We may collect information about the health, injuries, medical histories, surgical procedures, prescriptions                               and other information about an individual defined as “health information” in the Privacy Act;

     (c)                    Contact Information.  We may collect information such as an individual’s email address, telephone & fax number, third-party                                   usernames, residential, business and postal address and other information that allows us to contact the individual;

     (d)                    Medical Information. We may collect information such as an individua’s medical history, medical board registration details,                                       surgical procedures,

     (e)                    Financial Information.  We may collect financial information related to an individual such as any bank or credit card details                                       used to transact with us and other information that allows us to transact with the individual and/or provide them with our                                         services;

     (f)                     Statistical Information.  We may collect information about an individual’s habits, movements, trends, decisions, associations,                                   memberships, finances, purchases and other information for statistical purposes; and

     (g)                    Information an individual sends us.  We may collect any personal correspondence that an individual sends us, or that is sent to                               us by others about the individual’s activities.

3.2                   We may collect other Personal Information about an individual, which we will maintain in accordance with this Privacy Policy.

3.3                   We may also collect non-Personal Information about an individual such as information regarding their computer, network and                                browser. Where non-Personal Information is collected the Australian Privacy Principles and the GDPR do not apply.



4.1                   Most information will be collected in association with an individual’s use of our psychological preoperative screening assessment                         and support services (PACSS) an enquiry about PACSS or generally dealing with us.  However, we may also receive Personal                                   Information from sources such as advertising, an individual’s own promotions, public records, mailing lists, contractors, staff,                                     recruitment agencies and our business partners.  In particular, information is likely to be collected as follows:

     (a)                    Registrations/Subscriptions.  When an individual registers or subscribes for an account, connection, newsletter or other                                           process whereby they enter Personal Information details in order to receive or access something, including a transaction;

     (b)                    Supply.  When an individual supplies us with goods or services;

     (c)                    Contact.  When an individual contacts us in any way;

     (d)                    Third Parties. We may request third parties to provide or allow us access to and collection of information that the third parties                                  hold and are authorised or entitled to disclose;

     (e)                    Publicly Available. We may source information from publicly available information sources;

     (f)                     Access.  When an individual accesses us physically we may require them to provide us with details for us to permit them such                               access; and/or

     (g)                    Pixel Tags. Pixel tags enable us to send email messages in a format customers can read and they tell us whether mail has                                       been opened.

4.2                   As there are many circumstances in which we may collect information both electronically and physically, we will endeavour to                                ensure that an individual is always aware of when their Personal Information is being collected.

4.3                   Where we obtain Personal Information without an individual’s knowledge (such as by accidental acquisition from a client) we will                          either delete/destroy the information, or inform the individual that we hold such information, in accordance with the Australian                              Privacy Principles and the GDPR.


5.1                   In general, the primary principle is that we will not use any Personal Information other than for the purpose for which it was                                     collected other than with the individual’s permission.  The purpose of collection is determined by the circumstances in which the                           information was collected and/or submitted.

5.2                   We will only process Personal Information when we can identify a lawful basis to do so. It is always our responsibility to ensure                              that we can demonstrate which lawful basis applies to the particular processing purpose.

5.3                   The most common lawful bases relied upon are:

     (a)                    Consent: we will only rely upon express, clear and informed consent. Any consent provided may specify and/or restrict the                                     purpose and can be withdrawn at any time without penalty. We will keep a record of when and how we got consent from an                                   individual.

     (b)                    Legitimate interests: we will only rely upon an identifiable legitimate interest where we can demonstrate that the processing of                               Personal Information is necessary to achieve it by balancing it against the individual’s interests, rights and freedoms. We will                                   keep a record of our legitimate interests’ assessments.

5.4                   If it is necessary for us to disclose an individual’s Personal Information to third parties in a manner compliant with the Australian                              Privacy Principles and the GDPR in the course of our business, we will inform you that we intend to do so, or have done so, as                                  soon as practical.

5.5                   We will not disclose or sell an individual’s Personal Information to unrelated third parties under any circumstances, unless the                                prior written consent of the individual is obtained.

5.6                   We will only use de-identified information for any statistical, research or similar purposes.

5.7                   Information is used to enable us to operate our business, especially as it relates to an individual.  This may include:

     (a)                    The provision of goods and services between an individual and us;

     (b)                    Verifying an individual’s identity;

     (c)                    Communicating with an individual about:

          i                       Their relationship with us;

          ii                      Our goods and services;

          iii                      Our own marketing and promotions to customers and prospects;

          iv                     Competitions, surveys and questionnaires;

     (d)                    Investigating any complaints about or made by an individual, or if we have reason to suspect that an individual is in breach of                                  any of our terms and conditions or that an individual is or has been otherwise engaged in any unlawful activity; and/or

     (e)                    As required or permitted by any law (including the Privacy Act).

5.8                   The individual shall have the right to object at any time to the processing of their Personal Information for direct marketing                                       purposes, which includes profiling to the extent that it is related to such direct marketing. If we receive such a request, we will                                stop the processing of Personal Information for direct marketing purposes immediately without charge or penalty.

5.9                   There are some circumstances in which we must disclose an individual’s information:

     (a)                    Where we reasonably believe that an individual may be engaged in fraudulent, deceptive or unlawful activity that a                                                   governmental authority should be made aware of;

     (b)                    As required by any law (including the Privacy Act); and/or

     (c)                    In order to sell our business (in that we may need to transfer Personal Information to a new owner).

5.10                  We will not disclose an individual’s Personal Information to any entity outside of Australia that is in a jurisdiction that does not                                 have a similar regime to the Australian Privacy Principles or an implemented and enforceable privacy policy similar to this                                       Privacy Policy. We will take reasonable steps to ensure that any disclosure to an entity outside of Australia will not be made until                           that entity has agreed in writing with us to safeguard Personal Information as we do.

5.11                  We may utilise third-party service providers to communicate with an individual and to store contact details about an individual.                              These service providers may be located outside of Australia.

5.12                  An individual who uses PACSS from outside of Australia will be sending information (including Personal Information) to Australia                            where our servers are located. That information may then be transferred within the Australia or back out of the Australia to other                            countries outside of the individual’s country of residence, depending on the type of information and how it is stored by us. These                            countries may not necessarily have data protection laws as comprehensive or protective as those in your country of residence,                              however our collection, storage and use of Personal Information will at all times continue to be governed by this Privacy Policy.


6       OPTING “IN” OR “OUT”

6.1                   An individual may opt to not have us collect and/or process their Personal Information.  This may prevent us from offering them                              some or all of our services and may terminate their access to some or all of the services they access with or through us.  They                                will be aware of this when:

     (a)                    Opt In.  Where relevant, the individual will have the right to choose to have information collected and/or receive information                                   from us (for clarity, consent must involve an unambiguous positive action to opt in); or

     (b)                    Opt Out.  Where relevant, the individual will have the right to choose to exclude himself or herself from some or all collection                                 of information and/or receiving information from us.

6.2                   If an individual believes that they have received information from us that they did not opt in or out to receive, they should contact                          us using the details as set out in section 11 below.


7.1                   We have appointed a Data Protection Officer to oversee the management of this Privacy Policy and compliance with the                                            Australian Privacy Principles, the Privacy Act and the GDPR.  This officer may have other duties within our business and also be                                assisted by internal and external professionals and advisors.

7.2                   We will take all reasonable precautions to protect an individual’s Personal Information from unauthorised access.  This includes                              appropriately securing our physical facilities and electronic networks.

7.3                   We use SSL encryption to store and transfer Personal Information. Despite this, the security of online transactions and the                                        security  of communications sent by electronic means or by post cannot be guaranteed.  Each individual that provides                                              information to us via the internet or by post does so at their own risk.  We cannot accept responsibility for misuse or loss of, or                                unauthorised access to, Personal Information where the security of information is not within our control.

7.4                   We are not responsible for the privacy or security practices of any third party (including third parties that we are permitted to                                  disclose an individual’s Personal Information to in accordance with this policy or any applicable laws), unless otherwise required                            by the Privacy Act and the GDPR.  The collection and use of an individual’s information by such third parties may be subject to                                separate privacy and security policies.

7.5                   If an individual suspects any misuse or loss of, or unauthorised access to, their Personal Information, they should let us know                                  immediately.

7.6                   We are not liable for any loss, damage or claim arising out of another person’s use of the Personal Information where we were                               authorised to provide that person with the Personal Information.

7.7                   Where there is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of,                            or access to, Personal Information, then:

     (a)                    We will immediately establish the likelihood and severity of the resulting risk to wider rights and freedoms of natural persons;

     (b)                    If we determine there is a risk from the security breach, then we will immediately notify the relevant supervisory authority and                               provide all relevant information on the particular breach, and by no later than 72 hours after having first become aware of the                                   breach;

     (c)                    If we determine there is a high risk from the security breach (a higher threshold than set for notifying supervisory authorities),                                we will immediately notify the affected individuals and provide all relevant information on the particular breach without undue                                delay.

7.8                   We will document the facts relating to any security breach, its effects and the remedial action taken, and investigate the cause of                          the breach and how to prevent similar situations in the future.


8.1                   Users of PACSS can update their Personal Information from within their account or profile at any time to ensure it is accurate and                            complete.

8.2                   Subject to the Australian Privacy Principles and the GDPR, an individual has the right to request from us the Personal Information                            that we have about them, and we have an obligation to provide them with such information as soon as practicable, and by no                                  later than 28 days of receiving the written request. The individual is free to retain and reuse their Personal Information for their                                own purposes. We may be required to transmit the Personal Information directly to another organisation if this is technically                                    feasible.

8.3                   If an individual cannot update their own information, we will correct any errors in the Personal Information we hold about an                                    individual within 28 days of receiving written notice from them about those errors, or two months where the request for                                            rectification is complex.

8.4                   It is an individual’s responsibility to provide us with accurate and truthful Personal Information. We cannot be liable for any                                      information that is provided to us that is incorrect.

8.5                   Where a request to access Personal Information is manifestly unfounded, excessive and/or repetitive, we may refuse to respond                          or charge an individual a reasonable fee for our costs incurred in meeting any of their requests to disclose the Personal                                            Information we hold about them. Where we refuse to respond to a request, we will explain why to the individual, informing them                            of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within 28                                  days.

8.6                   We may be required to delete or remove all Personal Information we have on an individual upon request in the following                                          circumstances:

     (a)                    Where the Personal Information is no longer necessary in relation to the purpose for which it was originally collected and/or                                   processed;

     (b)                    When the individual withdraws consent;

     (c)                    When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing;

     (d)                    The processing of the Personal Information was otherwise in breach of the GDPR;

     (e)                    The Personal Information has to be erased in order to comply with a legal obligation; and/or

     (f)                     The Personal Information is in relation to a child.

8.7                   We may refuse to delete or remove all Personal Information we have on an individual where the Personal Information was                                       processed for the following reasons:

     (a)                    To exercise the right of freedom of expression and information;

     (b)                    To comply with a legal obligation for the performance of a public interest task or exercise of official authority.

     (c)                    For public health purposes in the public interest;

     (d)                    Archiving purposes in the public interest, scientific research historical research or statistical purposes; or

     (e)                    The exercise or defence of legal claims.


9.1                   If an individual has a complaint about our handling of their Personal Information, they should address their complaint in writing to                          the details below.

9.2                   If we have a dispute regarding an individual’s Personal Information, we both should first attempt to resolve the issue directly                                    between us.

9.3                   An individual shall have the right to seek a judicial remedy where he or she considers that his or her rights under the GDPR have                            been infringed as a result of the processing of his or her Personal Information in non-compliance with the GDPR. Any                                                proceedings should be commenced in Victoria, Australia, where we are established.

9.4                   If we become aware of any unauthorised access to an individual’s Personal Information we will inform them at the earliest                                        practical opportunity once we have established what was accessed and how it was accessed.

10                    CONTACTING INDIVIDUALS

10.1                  From time to time, we may send an individual important notices, such as changes to our terms, conditions and policies. Where                              such information is materially important to the individual’s interaction with us, they may not opt out of receiving these                                                communications.


11.1                  All correspondence with regards to privacy should be addressed to:


Data Protection Officer


4/8 Banksia Drive

Byron Bay NSW 2481


You may contact the Data Protection Offer via email in the first instance.

12                    ADDITIONS TO THIS POLICY

12.1                  If we decide to change this Privacy Policy, we will post the changes on our webpage at                                      Please refer back to this Privacy Policy to review any amendments.

12.2                  We may do things in addition to what is stated in this Privacy Policy to comply with the Australian Privacy Principles and the                                    GDPR, and nothing in this Privacy Policy shall deem us to have not complied with the Australian Privacy Principles and the GDPR.

bottom of page