The NHMRC Clinical Trials Centre (CTC) is committed to handling personal information (including health and other sensitive information) in accordance with applicable privacy laws, including the Australian Privacy Principles (APPs) set out in the Australian Privacy Act 1988 (Cth) and, where relevant, the EU General Data Protection Regulation ((EU) 2016/679) (GDPR).
A reference to “personal information” includes “personal data” as defined in the GDPR.
In addition to APPs and GDPR, we also comply with the ICH Guidelines for Good Clinical Practice with respect to the use, protection and security of health information collected, as well as guidelines issued by the National Health and Medical Research Council of Australia (NHMRC) in respect of health information that may be accessed in the conduct of research.
What types of personal information do we collect and why?
We collect personal information reasonably necessary for one or more of our functions or activities as medical research organisation. The types of personal information we generally collect includes your name, date of birth, address and other contact details such as your telephone numbers and email address. Depending upon the purpose of our interaction with you, we may collect additional personal information. More detail about the personal information (including sensitive information) we collect and why is set out below.
Human Research Studies and Clinical Trials
If you participate in the research and clinical trial activities and programs that CTC conducts,
we (or an approved third-party operating on our behalf) will collect personal information to record your involvement and to process the results of the research and clinical trials. We may also request to contact you regarding participation in future research studies.
The information we collect from you will generally be sensitive information because it will be your health information and could include information about your racial or ethnic origin.
Personal information collected may include:
- Gender, nationality, heritage, and date of birth;
- Medical history and treatments;
- Medicare number (or similar) and private health insurance information;
- Current medications and treatments;
- Health services and treatments;
- Symptoms, test results and hospital care; and
- Consequential health factors.
The information is collected for the purposes of medical research and analysis pertaining to the research study or trial, to comply with laws and regulatory guidelines relating to medical research and clinical trials, and to substantiate the findings and publication of research results.
We may also collect personal information of health practitioners and health providers who are involved in the care of study participants (e.g. general practitioners, physiotherapists, other healthcare service providers). The information collected may include name, address, contact details, professional qualifications, experience, and interaction records with us (as part of the particular research study or trial). This information is collected for the purpose of administration, management and operation of CTC and the particular research study or trial.
We may also collect the personal information of medical experts, researchers and other professionals advising on, overseeing, or assisting in the conduct of a particular research study or trial. The information collected may include name, address, contact details, professional qualifications and experience, and registration information.
From time to time we may collate and analyse statistical data from information we have previously collected for the purposes of future research, or advising on healthcare policy to Governments and decision-makers. In these cases, the data will be de-identified and aggregated before it is disclosed to third parties.
As part of the ordinary course of business, we may capture and record personal information from our dealings with partners, collaborators and service providers. Such information is collected for administrative, management, and audit purposes.
We may collect personal information (e.g. name and contact details) from those who contact us (by phone or in person) or access our websites (refer to ‘How do we collect and hold your personal information’ section below). Such information is collected in order to deal with you and improve our services.
We also collect personal information from donors and supporters of CTC. Information collected may include name, contact details and payment details.
We may collect personal information when we are canvassing recruitment of staff and PhD students.
You may also supply personal information to us when applying for a job with us, and we may collect your personal information from third-parties (e.g. referees) as part of the assessment and recruitment process. The information collected may include educational and academic background, work history, skill-set and capabilities. We may collect similar personal information from volunteers who apply to work with us.
Can you deal with us anonymously?
Where lawful and practical, you will be given the option to deal with us without identifying yourself or by using a pseudonym (e.g. when inquiring about the activities that we undertake). If we do not collect personal information about you, you may be unable to participate in or have access to our research programs, events or activities.
We try to recognise the contributions of our supporters in the presentation of research by our scientists, in our annual Research Report.
How do we collect and hold your personal information?
Research Studies and Clinical Trials
We aim to collect your personal information directly from you:
- When you first make contact with us (e.g. phone, in person, email or via our website);
- When you agree to participate in a research study or trial (e.g. through the study information/consent process); and
- When dealing with us as part of ordinary business.
We may collect your personal information from a third-party, such as your medical or health provider (e.g. clinician, hospital) and an information document (including requisite privacy disclosures) will be given to you by that provider.
This information (which is unlikely to contain personal information) is collected to monitor the activity on our websites (including the popularity of certain pages and information presented on our websites, and linkages to information), to consider improvements to the delivery, presentation and types of information on our websites (including cost/benefit analysis).
Holding your personal information
We hold personal information in paper-based and electronic records and systems.
Personal information collected in paper-based documents may be converted to electronic form for storage (with the original paper-based documents either archived or securely destroyed).
CTC uses physical security and other measures to ensure that personal information is protected from misuse, interference and loss, and from unauthorised access, modification and disclosure.
Personal information held in paper-based form is generally securely stored at our offices, and when archived, the records are held at an external storage facility in Australia.
Our databases and their contents remain at CTC or with data processors or servers acting on our behalf and responsible to us, that comply with requirements Australian privacy laws and GDPR, where relevant, in relation to Personal Information storage.
We maintain computer and network security by using firewalls, user identifiers and passwords to control access to our computer systems.
Donations and registrations made on CTC website use encryption methods and credit card data is stored using systems compliant with the Payment Card Industry Data Security Standard.
How do we disclose your personal information?
Where necessary, we may disclose your personal information to our staff and approved third-parties (e.g. organisations that assist with our research and educational activities, agents, collaborators and independent IT service providers).
Our staff must comply with privacy and confidentiality terms as part of their employment with us.
We may also disclose your personal information as directed or permitted by law or court order.
Whenever possible, your personal information will be de-identified (and aggregated with others) before disclosure.
Depending on the circumstances and the location where a research project is being conducted or coordinated, this may involve a cross-border disclosure. We do not disclose your personal information to overseas recipients, but we may store some personal information on servers owned by companies based in the Australia, United States of America or other countries. Some of these countries may not be deemed to provide an adequate level of protection for your personal information under GDPR. However, to ensure that your personal information does receive an adequate level of protection, we will put in place appropriate contractual arrangements to ensure that your personal information is treated in a way that is consistent with the requirements of the Australian Privacy Act, meets GDPR requirements or relies on the US Privacy Shield.
It is unlikely that personal information collected outside a research project (such as information collected during the ordinary course of business activities) will be disclosed outside of CTC.
We have put in place measures to protect the security of your information, and to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access (by physical and technical safeguards) to your personal information to those staff, related parties, and approved third-parties (e.g. organisations that assist with our research and educational activities, agents, collaborators and independent IT service providers) who have a business or legal need to know.
We have also put in place procedures to deal with any suspected data breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
Keep you Informed
We may use your personal information to keep in touch with you and tell you about our research, but we will not do so if you tell us not to.
Where you receive electronic communications such as project communications and newsletters from us, you may opt out of receiving further communications by following the opt-out instructions provided in the communication.
Correcting your Personal Information
We endeavour to ensure that any personal information we hold about you is accurate, complete and up-to-date whenever we use it. You can assist us with this by letting us know if your details change or if you notice errors or discrepancies in information. If you consider any Personal Information we hold about you is not accurate, or is incomplete or out-of-date, you may request we amend our records. Please note that it is generally not possible to make changes to research data.
Please provide sufficient information, so that our Privacy Officer can consider your concerns and contact you. Typically, we will respond to your complaint within 10 – 20 business days.
If you are not satisfied with our response, or you consider that we may have breached the Australian Privacy Principles or the Privacy Act 1988 (Cth), you are entitled to make a complaint to the Office of the Australian Information Commissioner. The Office of the Australia Privacy Commissioner can be contacted by telephone on 1300 363 992 or full contact details can be found online at www.oaic.gov.au.
This policy was last updated November 2018