
PatientVR was designed from the ground up with the privacy and protection of your personal and health information in mind. The security of health information and Personally Identifying Information (PII) is a serious responsibility which we do not take lightly, especially since PatientVR users are often children.

All companies claim “Your privacy is important to us!” when they are reporting a data breach. We have taken proactive steps and made fundamental design decisions to ensure we will never have to report that your data has been breached, because your privacy really is important to us.

The best way to adhere to the Australian Privacy Principles, the Privacy Act 1988, the NSW PPIP and HRIP Acts, other health-specific privacy regulations, and most importantly user expectations is to not collect any data at all.

For this reason, PatientVR has no user accounts or passwords. It collects no user data, PII, or sensitive information. It keeps no logs and makes no backups. It has no user data storage capabilities. It does not connect to the internet. It does not store or send data to any external service or platform.

PatientVR cannot have a data breach, because it does not collect any data.

PatientVR is an app that runs on Meta Quest headsets and is delivered via the Meta Quest Horizon App Store. An account with Meta is required for the device owner to download the app, but details of the Meta account that downloads the app are not available to Mobiddiction or PatientVR staff. Typically PatientVR is run on headsets owned by hospital departments or community or healthcare support groups, and information about users of those shared devices is never collected, recorded, or stored by the app. The Quest devices collect some usage data, such as how often the app is opened, average app use durations, and when app updates are downloaded, but since the app cannot identify who is using it, there is no data available about individual user behaviour.

PatientVR adheres to the strictest interpretation of Privacy by Design. We cannot possibly breach your trust or privacy, because we intentionally built the app so that it cannot collect any private or sensitive information about you.

Compliance Notes: Since we collect no information at all, and specifically no Personally Identifiable Information (PII) or health information, there is no requirement for an Information Security Management System (ISMS) or certification under standards such as ISO 27001 or IRAP, and we cannot have any disclosure or data breach reporting obligations, since there is no data to be disclosed. We also do not need a Data Loss Prevention (DLP) system or a Security Information and Event Management (SIEM) system, since there is no platform or system storing any data or information. Since no information is stored, SOC 2 or SOC 3 audits and reports are not relevant or applicable.

References:

PatientVR
OAIC – Australian Privacy Principles
Federal Register of Legislation – Privacy Act 1988
OAIC – Guide to the Privacy Act
OAIC – Guide to health privacy
OAIC – Privacy by design
NSW Privacy Laws
NSW Privacy Laws – HRIP
NSW Privacy Laws – PPIP

Iain Chalmers