Last updated: December 2020
In this policy, “MCRI”, “we”, “us” or “our” refers to the Murdoch Children’s Research Institute, together with its related bodies corporate, including the Victorian Clinical Genetic Services (VCGS).
We recognise the utmost importance of protecting the privacy and rights of individuals in relation to their personal information. This Privacy Policy has been developed in accordance with the privacy laws and regulations which are applicable to us, including the Privacy Act 1988 (Cth) (Privacy Act) and the Health Records Act 2001 (Vic), and the General Data Protection Regulation (GDPR) in Europe, as amended from time to time.
This Privacy Policy explains how MCRI handles personal information relating to individuals with whom MCRI interacts This includes research participants, donors, customers, patients, medical professionals, consultants and contractors (referred to in this policy as ‘you’). This Privacy Policy does not apply to our acts and practices directly related to a current or former employment relationship between us and an employee, or to an employee record held by us relating to the employee.
1. Personal information and sensitive information
The expression “personal information” means information or an opinion about an identified individual, or an individual who is reasonably identifiable (directly or indirectly). This may include your name, address, telephone number, email address, online identifier (such as an IP address) and your profession or occupation.
Some personal information is also “sensitive information.” Sensitive information includes your health information (including genetic information or biometric information), information about your racial or ethnic origins, your political opinions, your political associations, your religious beliefs/affiliations, your philosophical beliefs, whether you are a member of a trade or professional association or trade union, your sexual orientation/practices or your criminal record.
2. What personal information does MCRI collect and hold?
We only collect personal information if it is reasonably necessary for one or more of our functions or activities. Depending on the nature of your interactions with us, we may collect the following types of personal information (whether in hard copy or electronic form):
• name;
• date of birth;
• contact details such as mailing or street address,
email address, and telephone or facsimile number;
• occupation or job title;
• health and medical history or information (including
biosamples);
• information about your dependents or your
pregnancy (where reasonably necessary);
• any other information relevant to a MCRI research
project you have agreed to participate in;
• bank account or credit card details if you are
making a donation or payment;
• photographs of you or your dependents at a MCRI
fundraising or other event;
• information collected through the use of cookies on
our websites and other tracking technology used on
our social media assets; and
• other information as required to carry out our
functions and activities as an organisation.
Where the personal information is also sensitive information, we will only collect it with your prior consent or otherwise as permitted by law. Usually we will require your consent to be in writing.
We may also collect information from time to time that is not “personal information” (and therefore falls outside of the application of this Privacy Policy) because it does not identify you or any other individual. For example, we may collect anonymous answers to surveys or aggregated information about how people use our website and services.
3. How and when does MCRI collect personal information?
We endeavour to collect your personal information directly from you unless you consent to us collecting it from someone else, it is unreasonable or impracticable to collect it directly from you, or as otherwise permitted by law.
If we collect your personal information from someone other than you, we will take such steps (if any) as are reasonable in the circumstances to ensure that you are or have been made aware of what information has been collected, and the purpose of that collection and such other matters as are required by law. When collecting personal information from you, we may collect it in ways including:
• from your written communications with us;
• during conversations between you and our staff (which includes
paid employees students, contractors and volunteers);
• when you complete documentation, either in hard copy or
electronically, such as via a web page form;
• when you participate in research activities or other activities,
including on the Melbourne Children’s Campus (which includes
MCRI, The Royal Children’s Hospital and the University of
Melbourne); or
• through your access and use of our website (including through the
placement of cookies discussed below).
4. Cookies and other analytics tools
Like most websites, our websites use ‘cookies’ to improve your online experience and to help us to monitor and improve our websites and services for future visitors.
A cookie is a small text file that is placed on your device when you visit a website. Cookies can collect information such as your Internet Protocol (IP) address, the URLs of sites you have visited before or after accessing the website, and how long you have spent on a particular site. Cookies cannot execute programs or be used to access other information on your device.
For example, our websites use Google Analytics, a service which uses cookies in order to collect data and generate reports which help us understand website traffic and webpage usage. Google Analytics transmits the website traffic data to Google servers in the United States, but does not associate your IP address with any other data held by Google.
By using our websites, you give us your permission to the placement of cookies on your device.
If you would like to limit the use of cookies, you can do so by changing your internet browser settings. This means that you can set your preferences regarding the use of cookies before you start browsing, or you can delete cookies once you have finishing visiting a website.
We also use other analytics tools to identify people who visit our websites (including our project-specific websites such as the GenV website) from their social media accounts. This helps us to understand how people arrive at our website and what they may be interested in understanding about us or our work.
5. External sites
Our websites may contain links to external websites. Those websites are not subject to this Privacy Policy. We are not responsible for the privacy practices or the content of any other website and have no knowledge of whether cookies or other tracking devices are used on those sites. You will need to contact those websites directly to ascertain their privacy standards, policies and procedures.
6. For what purposes does MCRI collect, hold and use personal information?
We may collect, hold or use your personal information (including sensitive information) for one or more of the following purposes:
• to provide services to you;
• to verify your identity, respond to your requests or as otherwise
directed by you;
• to provide you with news, information and material (including
marketing material) in relation to our services;
• to promote our programs and activities, including fundraising,
corporate philanthropy and education;
• to undertake medical research as consented to by you, including
research in relation to Cell Biology, Clinical Sciences, Genetics,
Infection & Immunity, Population Health and other research
themes may be determined from time to time;
• to undertake general research or other reasonable research
related activities, including via voluntary surveys and polls;
• to update our records and keep your contact details up to date;
• to process and respond to any complaint made by you;
• to process donations and provide receipts;
• to enhance your experience of our websites and social media;
for the administrative, employment, planning, service
development, quality control and research purposes of MCRI;
• to comply with any law, rule, regulation, lawful and binding
determination, decision or direction of a regulator, or in co-
operation with any governmental authority;
for any other purposes that we notify you of, or that you consent
to; and
• otherwise as permitted by law.
We will not use your personal information in a manner which is unrelated to or inconsistent with the purpose of its original collection, unless you have consented (other than as permitted or required by law).
You may opt out of receiving communications from us in relation to news, marketing and fundraising at any time by contacting us using the contact details set out in section 15 below, or where applicable selecting the unsubscribe option in our electronic communications.
Please note that you cannot opt-out of receiving contractual notifications such as changes to our terms and conditions for the supply of services or other important information.
In relation to sensitive information, we will not use or disclose this for the purposes of direct marketing unless you have expressly consented.
7. What happens if you do not provide us with the personal information we request?
Where possible, we will give you the option to not identify yourself (i.e. to remain anonymous) or deal with us through the use of a pseudonym or to not provide us with your personal information.
If we do request personal information and you decline to provide it, please note that in some cases we may not be able to provide the requested services to you, either to the same standard or at all, and we may not be able to provide you with information about services that you may want, including information about related services. Without your personal information, we may also not be able to work with you on an ongoing basis, issue tax deductible receipts or you may be unable to participate in or have access to our research programs, events and activities.
8. How does MCRI securely hold your personal information?
We will take reasonable and appropriate steps to protect all personal information which we hold from misuse or loss and from unauthorised access, modification or disclosure. We do this by ensuring that our systems, databases and facilities are secure, and our staff (including paid employees, students, volunteers and contractors) are bound by and comply with our policies and procedures regarding personal information and confidentiality, and by putting in place appropriate contractual terms with third parties.
Risks are also mitigated through MCRI’s commitment to de-identifying or destroying any personal information that is no longer required by us, where possible.
While we will take all reasonable and appropriate steps, please note that we cannot guarantee or warrant the security of your personal information. This is particularly so in relation to personal information which you send to us using our website or other online means. Although we will take reasonable steps to protect such information, we are not able to warrant or guarantee the security of any information that you transmit to us over the Internet (including through our website), and you do so at your own risk.
9. Who may MCRI disclose your personal information to?
In connection with the purposes set out in section 6 above, we may provide your personal information (including your health information or other sensitive information), to:
• our staff, which include our paid employees, students, volunteers
and contractors;
• our professional advisors;
• our partners, affiliates, research collaborators, contractors and
consultants;
• any organisation or any authorised person with your expres
consent;
• a person or organisation to whom we are compelled by law, or
otherwise permitted by law, to provide your information; or
• your organisation, if you are acting on behalf of an organisation.
Where we transfer your personal information to a third party, we will take reasonable steps to ensure that your personal information is protected and is handled by that third party in accordance with applicable privacy laws.
If we refer you to a third party service provider, that service provider may also collect and store your personal information. We make no representation or warranties in relation to the privacy practices of any third party service provider and we are not responsible for their collection, use or disclosure of your personal information. Third party service providers you deal with are responsible for informing you about their own privacy practices.
10. Collection and use of your personal information when you make a donation
If you make a donation to us, we may publish your name and the amount of your donation in our annual report or other MCRI publications. We may also communicate your name and the amount of your donation internally, including to our Board members and to the project team for which you have made a donation and/or to our external partner(s) who organise the fundraising event or collaborate on the project for which you have made a donation. This will always be in accordance with your preferences as notified to us at the time of making the donation (if any). If you wish to remain anonymous in our publications or in our communications with our Board members, the third-party fundraiser or collaborators, please advise us of this in writing by contacting the MCRI Privacy Officer (see details in section 15 below) or by sending an email to [email protected] or by calling the philanthropy team (+61 (3) 9936 6362).
11. Does MCRI disclose personal information to anyone outside Australia?
We may be required, from time to time, to disclose your personal information to our international partners and research affiliates or collaborators for the purposes described in section 5 of this Privacy Policy. The locations of our international partners and research affiliates are detailed at section 16.
Where we transfer your personal information to another country, we will take such steps as are reasonable in the circumstances to protect your personal information and to comply with applicable laws, including those relating to cross-border transfers. To the extent that it is reasonable and practical for us to do so (including in relation to disclosures to international research partners), we will de-identify any such personal information prior to overseas disclosure.
12. Your rights in relation to your personal information
We will take reasonable steps to ensure that all personal information we collect, use and disclose is accurate, up-to-date and complete.
You may request access to any personal information we hold about you at any time. There may be instances where we cannot grant you access to the personal information we hold. For example, we may need to refuse access if granting access would interfere with the privacy of others or if it would result in a breach of confidentiality. If that happens, we will give you written reasons for any refusal.
If you believe that personal information we hold about you is incorrect, incomplete or inaccurate, then you may request that we amend it. If the personal information we hold about you in incorrect, incomplete or inaccurate, we will take reasonable steps to correct the information without delay. In some circumstances where we correct or update a record, we may still require retention of the original record.
You can also ask us to delete or de-identify the personal information we hold about you. There may be instances where we cannot agree to your request, such as if we still need the personal information for the purpose for which we collected it, or in order to comply with our legal obligations. If that is the case, we will once again give you written reasons for declining your request.
If you wish to access your personal information, or request that it be corrected or deleted, please make your request by contacting the MCRI Privacy Officer (see details in section 15 below).
13. What is the process for complaining about a breach of privacy?
If you believe that your personal information has not been handled in accordance with this privacy policy or otherwise in accordance with applicable laws, please contact the MCRI Privacy Officer (see details in section 15 below) and provide details of the incident so that we can appropriately investigate and attempt to address it.
We may require any complaint to be made in writing first. We will then endeavour to respond to your complaint as soon as possible and within 30 days (or otherwise in accordance with our legal obligations). You are also entitled to report any privacy breach to the Office of the Australian Information Commissioner.
14. Changes to this Privacy Policy
We reserve the right to change, modify or update this Privacy Policy. Any revision to this Privacy Policy will be published on our website. The revised version shall take effect immediately upon publication.
15. Contacting us about an enquiry or complaint
If you have an enquiry about this privacy policy, or a complaint regarding the handling of your personal information, please contact the MCRI Privacy Officer at:
Privacy Officer
Murdoch Children’s Research Institute
Royal Children’s Hospital
50 Flemington Road
Parkville VIC 3052
Email: [email protected]
P: +613 9936 6337
We will treat your enquiry or complaint confidentially. One of our staff will contact you within a reasonable time after you have made contact with us to discuss your enquiry or complaint and outline options regarding how it may be dealt with. We will aim to ensure that any complaint is resolved in a timely and appropriate manner.
16. Locations of our international partners and research affiliates
Our international partners and research affiliates are located worldwide including, but not limited to:
• New Zealand;
• USA;
• Canada;
• the United Kingdom;
• EU (including, but not limited to, France, Italy, Finland, Sweden, Netherlands, Cyprus);
• Japan;
• Singapore;
• Hong Kong;
• Indonesia;
• Vietnam;
• Fiji;
• Thailand;
• Qatar;
• Mongolia;
• Lao PDR;
• Papua New Guinea;
• Nigeria;
• The Gambia;
• Brazil; and
• Chile.