Security and Compliance
Built for clinical evidence, not just convenience
Informed consent is a legal and ethical obligation. GetConsent is designed from the ground up to produce records that are defensible in court, auditable by regulators, and compliant with Australian and New Zealand healthcare law.
How It Works
The cryptographic hash chain
When a consent session is created, the platform generates a SHA-256 hash of the event payload. Every subsequent event, whether an answer update, a signature, or a submission, includes the hash of the preceding event in its own payload before hashing.
This means that changing any event, at any point in the chain, invalidates all subsequent hashes. An independent verifier can recompute every hash from the raw payloads and detect any discrepancy.
The evidence pack PDF includes the full audit table with all hashes embedded. Verification does not require access to the GetConsent platform.
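The two steps described above (chaining each event to its predecessor's hash, then recomputing every hash from the raw payloads) can be shown in a few lines. The Python below is an added example, not GetConsent's own code: the event field names, the `prev` key carried inside the hashed body, the `genesis` marker for the first event and the canonical JSON serialisation are all assumptions, and the five events are constructed sample data.

```python
import copy
import hashlib
import json

# Marker used as the "previous hash" of the first event (assumption, mirrors the
# "prev: genesis" entry shown on the page).
GENESIS = "genesis"

# Constructed sample events for one consent session (not real data).
SAMPLE_EVENTS = [
    {"type": "session_created", "session": "EXAMPLE-SESSION", "procedure": "knee arthroscopy"},
    {"type": "answer_updated", "question": "q1", "answer": "yes"},
    {"type": "answer_updated", "question": "q2", "answer": "no"},
    {"type": "signature", "role": "patient", "signed_at": "2024-01-01T10:00:00Z"},
    {"type": "submitted"},
]


def canonical(payload: dict) -> bytes:
    """Deterministic serialisation: fixed key order and separators, so an
    independent verifier hashes byte-identical input. (Assumed encoding.)"""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


def event_hash(prev_hash: str, payload: dict) -> str:
    """SHA-256 over the payload with the preceding event's hash folded in.
    The 'prev' key name is an assumption; the payload itself is not mutated."""
    body = dict(payload)
    body["prev"] = prev_hash
    return hashlib.sha256(canonical(body)).hexdigest()


def build_chain(payloads):
    """Produce the audit table: each row records payload, prev hash and own hash."""
    chain, prev = [], GENESIS
    for payload in payloads:
        h = event_hash(prev, payload)
        chain.append({"payload": payload, "prev": prev, "hash": h})
        prev = h
    return chain


def verify_chain(chain, expected_head=None):
    """Independent verification from raw payloads alone.

    Returns (True, None) if every link and hash recomputes, otherwise
    (False, index) for the first event that fails. If expected_head is given
    (a final hash the verifier obtained out of band), it is checked as well
    and a mismatch is reported at index len(chain).
    """
    expected_prev = GENESIS
    for i, ev in enumerate(chain):
        if ev["prev"] != expected_prev:
            return False, i  # link to predecessor broken
        if event_hash(ev["prev"], ev["payload"]) != ev["hash"]:
            return False, i  # payload or stored hash altered
        expected_prev = ev["hash"]
    if expected_head is not None and expected_prev != expected_head:
        return False, len(chain)
    return True, None


def tamper(chain, index, key, value):
    """Return a copy of the chain with one payload field altered (stored hash untouched)."""
    altered = copy.deepcopy(chain)
    altered[index]["payload"][key] = value
    return altered


def tamper_and_rehash(chain, index, key, value):
    """Alter a payload AND recompute that event's own hash, but leave the
    following events' 'prev' links as they were."""
    altered = tamper(chain, index, key, value)
    ev = altered[index]
    ev["hash"] = event_hash(ev["prev"], ev["payload"])
    return altered


if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    for ev in chain:
        print(f"prev: {ev['prev'][:8]:<8}  hash: {ev['hash'][:16]}...")
    print("intact:", verify_chain(chain))
    print("answer changed:", verify_chain(tamper(chain, 1, "answer", "no")))
    print("answer changed + rehashed:", verify_chain(tamper_and_rehash(chain, 1, "answer", "no")))
```

Running the script shows the same shape of table as the evidence pack: an altered answer fails at the event that was changed, and altering it while recomputing only that event's hash still fails at the next event, whose `prev` no longer matches. The one case the chain alone cannot catch is a change to the final event with its hash recomputed, since nothing follows it; that is why `verify_chain` accepts an `expected_head`, the last hash as recorded in the evidence pack the recipient already holds.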
Hash Chain · Session 4f6dc0ee
prev: genesis  →  hash: f3c669ea540e2b6b...
prev: f3c669ea...  →  hash: 18ad506194e662f8...
prev: 18ad5061...  →  hash: 5005a86ea4fb6bca...
prev: 5005a86e...  →  hash: c6d829034e4b569a...
prev: c6d82903...  →  hash: 10bd3c45c5f85c63...
Security by design, not afterthought
Cryptographic audit trail
Every event in a consent session (creation, answer submission, each signature) generates a SHA-256 hash that references the previous event. The resulting chain makes any post-hoc tampering mathematically detectable.
Data sovereignty
Patient data is stored exclusively in Australian AWS regions (ap-southeast-2). No data leaves Australia unless you explicitly configure cross-border access for a multi-country deployment.
Encryption in transit and at rest
All data is encrypted with TLS 1.3 in transit. At rest, patient records use AES-256 encryption managed through AWS KMS with customer-specific key policies.
Healthcare-specific compliance
GetConsent is designed to meet the requirements of the Australian Privacy Act (1988), the My Health Records Act (2012), and the New Zealand Health Information Privacy Code 2020.
Access control
Role-based access control limits every user to exactly the data their role requires. Clinicians see their own patients. Practice managers see their practice. Platform administrators see nothing without explicit elevation.
ASD Essential Eight alignment
GetConsent's internal security posture is managed against the Australian Signals Directorate Essential Eight Maturity Model at Maturity Level 2, with a published roadmap to Level 3.
Compliance frameworks
GetConsent is designed against the specific legal and regulatory requirements of Australian and New Zealand healthcare.
Australian Privacy Act (1988)
GetConsent handles sensitive health information as defined by the Act. Data collection, use, and disclosure are limited to the purposes of consent management and clinical record-keeping.
My Health Records Act (2012)
Consent records generated by GetConsent are structured for FHIR R4 compliant filing to the My Health Record system where practices are connected.
NZ Health Information Privacy Code 2020
For New Zealand practices, GetConsent complies with the Health Information Privacy Code, including secure storage, access controls, and patient rights to access and correction.
Medical Board of Australia guidelines
GetConsent is designed to support the informed consent requirements outlined in the Medical Board of Australia's Good Medical Practice guidelines, including documentation of the consent conversation.
ASD Essential Eight (Maturity Level 2)
GetConsent's internal security posture aligns with the ASD Essential Eight at Maturity Level 2, with a published roadmap to Level 3 by Q4 2026.
ISO 27001 (in progress)
GetConsent is currently working through ISO 27001 certification. The information security management system is in place and under external audit.
Responsible disclosure
If you discover a security vulnerability in GetConsent, please report it to security@getconsent.health. We will acknowledge receipt within 24 hours and aim to resolve confirmed vulnerabilities within 30 days.