Documents & password protection & encryption

Although the Protection of Personal Information Act does not say anything specific about passwords, you must process personal information securely by employing appropriate technical and organisational measures.

Because the GoodX platform is password protected and the email address and cell phone number are provided voluntarily by the patient, it is assumed that any information that is sent out is sent by the practice staff and is addressed to and accessed by the intended recipient. Data sharing, therefore, aligns with "the appropriate technical and organisational measures". A patient is ultimately responsible for adequately securing their own communication channels, e.g. an access-controlled cell phone using fingerprints or a password, and multi-factor authentication for email accounts. Practices cannot be held responsible for failure on the part of the patient to implement adequate information security.

Other platforms allow users to use a website and enter a password, e.g. their ID number, to get their statement or invoice. However, these are public access points, and the password protects the data from unauthorised access. GoodX does not have this functionality, and the protection is managed via the practice's platform password as well as the security measures implemented by the patient. 

Finally, the GoodX system is often used to email scripts directly to pharmacies (many of our practices do this to avoid script fraud), and password-protecting the scripts would make this script fraud control measure no longer viable. Furthermore, statements are often sent to lawyers and collection agencies, who would then be unable to open the documents if they were password protected.

It is for these reasons that GoodX has decided not to implement password-protected file attachments.

Last modified: Wednesday, 12 October 2022, 12:53 PM