CareSync Exchange is a secure electronic patient health information sharing system that provides clinicians with critical patient health information at the point of care.
CareSync Exchange is operated on behalf of the government of the State of Victoria, Australia, by the Department of Health (referred to hereafter as “the department”)
In these Terms of Use, the words “you” and “your” refer to the person using CareSync Exchange.
In these Terms of Use, the words “we” refer to the department.
Any person who uses CareSync Exchange should be aware that their conduct is subject to these Terms of Use as well as any other obligations you may have under applicable law. If these Terms of Use are inconsistent with your obligations under law, those obligations will prevail over these Terms of Use to the extent of the inconsistency.
These Terms of Use apply to the following categories of users:
Victorian public sector employees
Health service employees
Contractors engaged by either the department or health services
The department may amend these Terms of Use at any time. The update information (appearing at the bottom of this document) indicates the date on which these Terms of Use were last amended.
You agree to use CareSync Exchange system in accordance with this policy.
Failure to comply with this policy may result in disciplinary action, which may include termination of your employment. Refer to your local human resources contact representative for further information.
CareSync Exchange must not be used for any purpose that breaches any law, infringes the civil or human rights of any person, breaches Health Services policies, or breaches the Code of Conduct for Victorian Public Sector Employees.
Without limiting any other health service or department policies, you must not:
Access CareSync Exchange if you are not authorised to access or use the system.
Use CareSync Exchange for a purpose other than to inform clinical care for a patient or to operate and maintain the system (e.g. use for research is not permitted).
Use CareSync Exchange to engage in conduct, which is defamatory, obscene, indecent, offensive, discriminatory, harassing, racist, sexist, abusive, bullying, or threatening.
Distribute confidential, security classified, personal or private information, including via social media sites.
Interfere with or damage the CareSync Exchange systems, including creating, downloading, opening or sending a virus or other malicious code.
Use CareSync Exchange for personal profit or gain, including the conduct of personal business.
Forward CareSync Exchange information to unauthorised external parties, applications or systems (e.g. personal email accounts).
Copy or store CareSync Exchange information on the local drive of a PC, notebook or other devices, unless you are a departmental employee or contractor responsible for the operation and maintenance of CareSync Exchange and this is required as part of your duties.
Take screenshots of health information on CareSync Exchange.
Users are bound by the applicable Privacy and Data Protection Act 2014 (Vic), Health Records Act 2001 (Vic), Child Wellbeing and Safety Act 2005 (Vic) and Family Violence Protection Act 2008 (Vic) and must ensure that they are familiar with their obligations in relation to these Acts.
Routine monitoring, auditing and reporting on CareSync Exchange is conducted to identify security risks, including unauthorised access, misuse, viruses and prohibited or otherwise inappropriate activity. It is not necessary for the department or health service to seek a user’s permission or otherwise further notify the user before such monitoring, auditing or reporting may occur.
Where a user believes that a person has inappropriately used CareSync Exchange, the user must report the suspected misuse to their Health Service Senior Responsible Officer (SRO) or the department.
Where in the course of monitoring, auditing and reporting a user has been found to be in breach of this Terms of Use, the department and/or health service may suspend the user’s account(s) and secure access to CareSync Exchange for the duration of any investigation in respect of the suspected breach and thereafter.
Users are required to take reasonable steps to protect the CareSync Exchange information.
Passwords must not be shared. They must not be based on personal names or recognised words or recycled and they must be kept confidential.
All users are required to adhere to their local organisational policies with respect to the use of clear screen practices to prevent unauthorised viewing or access.
CareSync Exchange information must not be copied and stored on the local drive of a PC, notebook or other devices. Users from the department or its contractors, may however copy CareSync Exchange information onto other devices if required to operate and maintain CareSync Exchange and it is in accordance with the department’s information management policies.
Users must take care to protect CareSync Exchange from theft or unauthorised access.
Users are not permitted to take screenshots of CareSync Exchange but may print from it. Any printed materials from this system will be subject to the Health Records Act 2001 and any local organisational policies in relation to the collection, handling, storage and safe destruction of health records.
The following outlines the privacy collection notice in relation to the department’s policy on its access, use and storage of any personal information you provide to the department when accessing and using CareSync Exchange.
How we collect and use your information
The department collects personal information from you through CareSync Exchange. This includes your name, your user role within your health service or user role assigned by the department, as well as your user activity within the system.
We collect personal information directly from you through the CareSync Exchange when you log in to access and use CareSync Exchange.
We may also collect information about you through CareSync Exchange from another person or health service. For example:
your details may be provided to us by your health service.
your details may be included because of your roles, responsibilities or positions held by you are included in documents or information submitted by or on behalf of a health service to CareSync Exchange.
your details may be provided to department by a health service when reporting potential misconduct in accessing CareSync Exchange or complying with their statutory reporting requirements.
Why we collect personal information
We collect personal information in CareSync Exchange for purposes which include to:
administer your CareSync Exchange access and register you as a user of CareSync Exchange
manage any change, or perform any other administrative tasks related to the health service you are connected to
identify you, including by reference to other information we hold
manage your identity and the identity of other users
audit and monitor user access of the system to ensure it is appropriate
perform the functions and exercise the powers conferred on us under any legislation that we administer
otherwise assist us in interacting more efficiently with you whose activities are subject to legislation administered by us, or as an authorised representative of another person or entity who is, or whose activities are, regulated by us.
Your information will not be collected for any secondary use purposes such as research.
Use or disclosure of information
Personal information about you may be used or disclosed in accordance with our Privacy Policy and by the department when we:
make information available through CareSync Exchange for access by any person authorised to view them in CareSync Exchange
where required or permitted by law.
We may disclose your personal information for the purposes for which we have collected it, including:
to other service providers who we engage to assist us with our activities and functions in maintaining and administering CareSync Exchange
to patients who request a user activity report that specifies who has accessed their CareSync Exchange record pursuant to section 134ZT(3)(c) of the Health Services Act 1988
as required or authorised by a law of the Commonwealth, State or Territory.
We may also disclose your personal information to a third party where:
you have consented to the disclosure
you would reasonably expect us to disclose the personal information
we reasonably believe the disclosure is necessary for law enforcement activities.
Handling information
We store personal information collected by CareSync Exchange in compliance with our obligations under the Health Services Act 1988 (Vic), Privacy and Data Protection Act 2014 (Vic) and Health Records Act 2001 (Vic).
The information is securely stored to prevent loss, unauthorised access, misuse, modification, or disclosure. The steps the department takes to secure personal information includes password protection and access privileges, audit logs and warning notices.
When your health service or the department de-activates your account, or terminates or withdraws your authority to access or use CareSync Exchange:
you will no longer have access or be able to use it, and you may not seek to access or use the account for any purposes
we will retain all information that you have submitted to CareSync Exchange in accordance with the Public Records Act 1973 (Vic).
Last updated: June 2025