Enter your email address below for further information.
These Terms of Service apply only to GP clinics that use Surely’s record access service through their Practice Management System (PMS).
1.1 These terms of service govern the relationship between you and Surely regarding the integration of your Practice Management System with the Surely Service and the sharing of Patient Data via the Surely Service in response to a Patient Record Request.
1.2 By accepting these terms of service, you consent to be bound by these terms of service, our Privacy Policy and your completed Registration Form, which together form a binding agreement between you and us (Agreement).
1.3 If you are accepting these terms of service on behalf of a Practice, you confirm that you have the authority to act on behalf of that entity.
1.4 From time to time we may need to make changes to these terms of service. We will notify you of any by emailing you, and will be bound by the updated terms unless you notify us in writing that you wish to terminate this Agreement, with effect from effective date of such change.
1.5 All capitalised terms used in these terms of use are defined in clause 14 below.
2.1 This Agreement shall commence on the date that you accept these terms of service, and shall continue until terminated by either you or us in accordance with these terms of service (Term).
3.1 You consent to:
a. The integration of your Practice Management System with the Surely Service via one or more application programming interfaces (Integration) throughout the Term of your Agreement; and
b. The sharing of Patient Data: (i) from your Practice Management System to the Surely Service (via the Integration) for the sole purpose of enabling us to fulfil an Approved Patient Record Request; and (ii) by the Surely Service to the Requestor in accordance with an Approved Patient Record Request, (Permitted Purpose).
3.2 If you wish to suspend or revoke either or both consents specified in clause 3.1, at any time throughout the Term, you must notify us in writing of such suspension or revocation, (including the details of the relevant suspension or revocation). We will action the relevant suspension or revocation as soon as practicable (and, in any event, within 72 hours) of receipt of such notification from you.
4.1 As soon as practicable (and in any event, within 12 hours) of receipt by any of your Healthcare Professionals of a Record Request Notification, you will ensure that the relevant Healthcare Professional responds to the Record Request Notification by either approving or declining the request via the link contained in the request.
4.2 In connection with each Record Request Notification, you agree to:
a. Ensure that the relevant Healthcare Provider approves the Record Request Notification, unless there is a valid and lawful reason for declining the request; and
b. Notify Surely promptly upon becoming aware of any concerns with the validity of any Record Request Notification or any issues in the Practice Management System that affect you (or the relevant Healthcare Professional’s) ability to respond to a Record Request Notification.
4.3 Upon approval by a Healthcare Professional of a Record Request Notification (an Approved Patient Record Request), you acknowledge and agree that the relevant Patient Data may be shared by your Practice Management System with the Surely Service, via the Integration.
5.1 Surely will ensure that all Patient Data shared to the Surely Service in response to an Approved Patient Record Request is processed:
a. Only for the Permitted Purpose;
b. in accordance with these terms of service and our Privacy Policy;
c. in compliance with all applicable Data Privacy Laws, and is only retained by Surely on the Surely Platform for a period of no more than 72 hours from the time that the relevant Patient Data is shared by the Practice Management System to the Surely Service via the Integration
5.2 We will not:
a. Access, copy, modify, manipulate, store or otherwise use (in any manner or form) Patient Data for any purpose other than the Permitted Purpose; or
b. Permit any Patient Data to be transferred or made available to any person other than as necessary to fulfil Permitted Purpose, without your express prior written approval.
5.3 We acknowledge and agree that we are responsible for obtaining (and/or ensuring that the Requestor obtains) all consents and other authorizations necessary (to the extent required under Data Privacy Laws) to ensure that:
a. Patient Data included in any Approved Patient Record Request is lawfully disclosed to the Surely Service and the Requestor in connection with the Permitted Purpose; and
b. You, the relevant Healthcare Professional, the Surely Service and the Requestor can lawfully process the Patient Data in the manner anticipated by this Agreement.
6.1 All Patient Data will be (and will remain) owned by you (or the relevant individual, as applicable).
7.1 Each party shall take any steps reasonably requested by the other party to assist and support the other party:
a. in the event of an investigation or other control measures by any Regulatory Body to the extent that such investigation or other measures relate to the Patient Data;
b. in the event of the exercise of any claims by data subjects or third parties related to the data sharing and processing in connection with this Agreement; and
c. in notifying, consulting with and obtaining approvals from Regulatory Bodies where required to comply with Data Privacy Laws.
8.1 Subject to our rights under this Agreement (including the Permitted Purpose), we will keep the Patient Data received by the Surely Service confidential at all times and will not on-sell, disclose or distribute the Patient Data to any third party without your prior written approval
8.2 We may disclose the Patient Data where and to the extent required by law or any Regulatory Body.
9.1 We will implement and maintain appropriate technical and organisational measures to:
a. Protect against or unlawful processing of, or the accidental loss or destruction of, Patient Data that is shared with the Surely Service; and
b. Ensure a level of security appropriate to the risk of a Personal Data Breach.
10.1 To the extent a party becomes aware of any Personal Data Breach or if it has reason to believe that a Personal Data Breach may have occurred, that party must:
a. immediately notify the other party (in accordance with clause 10.2), subject to the notification duty requirements imposed under applicable Data Privacy Laws;
b. Act promptly to:
(i). investigate the Personal Data Breach and no later than 24 hours after becoming aware of the Personal Data Breach;
(ii). For any incident for which notification is required by applicable Data Privacy Laws, provide the other party with the information set out in clause 10.2, or if it is not possible to provide all of that information within 24 hours then provide that information in phases without undue further delay; and
(iii). With the prior consent of the other parties, take measures to prevent further Personal Data Breaches, and mitigate or remedy the Personal Data Breach.
10.2 The notifying party (under clause 10.1) shall summarise in reasonable detail the impact of the Personal Data Breach, including describing to the extent this is known to the notifying party, the nature of the Personal Data Breach, categories and numbers of data subjects and Personal Data records concerned, estimated risk and the likely consequences of the Personal Data Breach and the measures taken or proposed to be taken to address the Personal Data Breach.
10.3 Neither party shall issue any public notice that relates to a suspected or actual Personal Data Breach without the other parties’ prior written approval or as otherwise required by law.
10.4 Each party shall maintain records of any actual or suspected Personal Data Breach in accordance with commercially accepted industry practices and shall make such records reasonably available to the other party.
11.1 You will notify each of your Healthcare Professionals of the terms of this Agreement. You will be responsible for any failure of your Healthcare Professionals to comply with these terms of service (as if it were a breach by you).
12.1 Either party may terminate this Agreement by giving one month’s written notice of termination to the other party.
12.2 Without limiting either party’s other rights under this Agreement, a party may terminate this Agreement with immediate effect by written notice to the other party if the other party has breached any term of the Agreement and, only where the breach can be remedied, fails to remedy the breach within 14 days of written notice of the breach.
12.3 Upon termination of this Agreement:
a. We will cease to issue any further Patient Record Notifications to you;
b. Any Patient Record Notifications issued to you prior to termination will be completed by you and Surely in accordance with this Agreement, and we will delete all of your Patient Data from the Surely Service within 72 hours of termination.
12.4 Any clause of this Agreement that expressly or by implication is intended to survive termination of this Agreement, will survive termination of this Agreement.
13.1 Where a party is required to notify another party under this Agreement or provide information to another party, this obligation shall be deemed to have been fulfilled if such notification or information has been provided (by email) to:
a. in the case of the Practice, to the contact name and email address provided by you to us in your Registration Form (or such updated contact name and/or email address that you notify to us from time to time throughout the Term); and
b. in the case of Surely, to support@surely.nz (or such updated email address that we notify to you from time to time throughout the Term).
13.2 We will not be liable under or in connection with this Agreement for any loss if and to the extent such loss is or represents punitive, special, consequential, indirect, or exemplary loss or damages.
13.3 You agree that provider of your Practice Management System shall have no liability to you (and you agree not to take any claim directly against the provider of your Practice Management System) for, or in connection with, the sharing of Patient Data by your Practice Management System with the Surely System for the Permitted Purpose.
13.4 No waiver of any provision in this Agreement by either party will be taken to be a continuing waiver of any matter by that party.
13.5 You will not assign or otherwise transfer any of your rights or obligations under this Agreement to any other person without our prior written consent.
13.6 The agreements and undertakings made by the parties under this Agreement are given in consideration for the other party entering into this Agreement.
13.7 This Agreement records the entire agreement of the parties relating to the matters dealt with in this Agreement.
13.8 This Agreement is governed by the laws of New Zealand. The parties submit to the exclusive jurisdiction of the New Zealand courts in respect of all matters relating to this agreement.
14.1 In this Agreement, unless the context indicates otherwise:
Approved Patient Record Request has the meaning given to it in clause 4.3.
Data Privacy Laws means privacy laws that either you or we are legally obliged to comply with, including the New Zealand Privacy Act 2020, the Health Information Privacy Code 2020.
Healthcare Information has the meaning given to it in the Health Information Privacy Code 2020.
Healthcare Professional means: (i) if the Practice is a sole practitioner, you; or (ii) if the Practice engages multiple healthcare professionals, each healthcare professional engaged by the Practice.
Patient Record Request means a request received by the Surely Service from a Requestor for Patient Data stored on your Practice Management System.
Patient Data means data (including Personal Data and Health Information) relating to an individual.
Personal Data means information relating to an identified or identifiable natural person included in the Patient Data and made shared with the Surely or the Surely Platform by you in connection with this Agreement.
Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to or use of Personal Data.
Practice Management System means the indici patient management system operated by you.
Practice, you or your means the medical practice specified on the Registration Form and which has accepted these terms of service.
Privacy Policy means the Surely privacy policy, available at https://www.surely.nz/privacy-policy.
Record Request Notification means notification issued within your Practice Management System to the relevant Healthcare Professional containing: (i) the details of the Patient Record Request; and (ii) a link through which the relevant Healthcare Professional must either approve or decline the relevant request.
Registration Form means the [Surely online form completed by (or on behalf of) the Practice].
Requestor means a customer of Surely (for example, an insurance company) who has entered into a customer agreement with Surely to access and use the Surely Service.
Regulatory Body means any government departments and regulatory, statutory and other bodies, entities and committees which, whether under statute, rule, regulation, code of practice or otherwise, are entitled to regulate, investigate or influence the matters relating to the security of data, personal data, privacy protection or other laws, and includes the New Zealand Privacy Commissioner.
Surely, we, us and our means Eightwire Limited (trading as Surely).
Surely Service means the Surely software platform designed to streamline health record sharing, developed and operated by Surely.
14.2 In this Agreement, unless the context requires otherwise:
a. An obligation not to do something includes an obligation not to allow that thing to be done;
b. Reference to “includes” or “including” means includes or including without limitation; and
c. A reference to a person includes an individual, body corporate or unincorporated body of persons, and a reference to a company includes a person.
Need help or have a question?
Email us at support@surely.nz or reply to your original request email.
We’re here to help — whether you’re a patient, provider, or partner.
Copyright Eightwire Ltd. © 2025 All rights reserved.