Compliance Is Non-Negotiable
We build and operate IRIS to the standards health services expect — with a clear boundary: no patient data, ever.
Applicable Frameworks
| Framework | Scope | Our Posture |
|---|---|---|
| Privacy Act 1988 (Cth) | Australian organisations handling personal information | ✓ Compliant |
| Australian Privacy Principles (APPs) | All 13 principles | ✓ Implemented |
| Notifiable Data Breaches (NDB) Scheme | Eligible data breaches | ✓ Procedures in place |
| GDPR | EU-based staff | ✓ Compliant |
| SOC 2 Type II | Infrastructure security | Inherited — Render & AWS |
| ISO/IEC 27001:2022 | Information security management | Inherited — Render & AWS |
What We Handle — and What We Don't
In Scope — Workforce Data
- Staff names and contact details
- Employment and role data
- Schedules, shifts, and leave
- Qualifications and skills
- Availability preferences
Out of Scope — We Don't Store or Process
- Patient identifiers, MRN, date of birth
- Clinical notes, diagnoses, treatments
- Health records or My Health Record data
- Payment card data or Medicare numbers
- Any other health information as defined by legislation
Need More Detail?
See our Privacy Policy, Trust Centre, and Data Residency pages — or contact us for procurement and assurance discussions.
Ready to see IRIS in action?
Start a free trial, try the live demo, or book a guided walkthrough with our team.
Or email us at office@intelligentroster.com