Privacy Policy
Your personal information, our commitment
This is the Privacy Policy (Policy) for Royal Perth Hospital Medical Research Foundation Incorporated (ABN 62 314 475 885) (referred to as we, us, our or the Foundation).
Your privacy and the protection of your personal information are very important to us. This policy outlines how we collect, use and disclose your personal information in compliance with the Privacy Act 1988 (Cth), which includes the Australian Privacy Principles (privacy laws). The Foundation is committed to ensuring that any personal information we collect is obtained lawfully, transparently and with your consent, whenever it is practical for us to do so. By providing personal information to us, you consent to us collecting, using and disclosing your personal information as described in this Policy.
The Foundation requires that all aspects of our business operations and all of our employees, officers and contractors must comply with this Policy and applicable privacy laws.
We may change this Policy from time to time, without notice, to reflect changes to privacy laws or our business operations. We will deem that you have agreed to such changes if you continue to access our services following any changes. If you do not accept the terms of this Policy, as amended from time to time, in whole or part, you must not access our services.
You may also obtain a copy of an up-to-date version of this Policy by contacting us at the contact details listed above.
How you can contact us
If you have any questions, comments, requests or concerns in relation to this Policy or the way we handle your personal information, please contact us by:
Email: info@rphresearchfoundation.org.au
Telephone: (08) 6375 5800
Post: PO Box 2323, East Perth WA 6892
What is personal information?
Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable:
Whether the information or opinion is true or not; and
Whether the information or opinion is recorded in a material form or not.
Some examples of personal information include a person’s name, home address, email address, date of birth or bank account details.
Certain types of personal information are given a higher level of protection under privacy laws; this is called ‘sensitive information’. Some examples of sensitive information are information about a person’s health, ethnic origin, religious beliefs or criminal record.
This Policy does not apply to personal information about the employment of current or former employees. Current or former employees of the Foundation should refer to their individual contract of employment, their direct report or other relevant internal policies for more information.
Why does the Foundation collect, hold, use and disclose personal information?
Generally, the Foundation collects, holds, uses and discloses personal information for purposes related to our primary functions or activities, which includes:
Working collaboratively with researchers, doctors, scientists, universities and research institutes;
Providing grants for post-doctoral and practitioner fellowships, infrastructure grants and various other research grants; and
Fostering community engagement and increasing philanthropic support to our hospitals.
We may also collect, hold, use and disclose personal information to undertake activities which are associated with our functions and activities, for example:
Undertaking general business and administrative operations (e.g. recruitment, account management, facility management);
Planning, developing, improving and expanding our facilities and services;
Marketing and promotional activities;
Carrying out investigations or considering complaints;
Insurance-related purposes;
Complying with our legal and regulatory obligations; and
Managing and supporting fundraising and philanthropic initiatives.
What types of personal information do we collect?
The types of personal information we collect from you depend on the circumstances in which the information is collected.
Generally, we collect personal information from people enquiring about or engaging with our business functions and activities. Specifically, this includes:
Grant applicants and recipients – name and contact details, project proposals, eligibility information, communications between us, details of any associated organisation and financial information;
Donors and sponsors – name and contact details, communications between us, engagement history and information about authorised representatives;
Key stakeholders – name and contact details, communications between us and engagement history;
Event attendees – registration details, dietary and accessibility requirements, and other information relevant to participation in the event; and
Contractors and job applicants – name and contact details, qualifications, work history, background checks, reference information from your nominated referees, driver’s licence number, tax file number, superannuation and financial information.
The Foundation generally does not require you to disclose any sensitive information to us (such as health information). However, if we require sensitive information about you for the purpose of performing our functions and activities, we will always ask for your consent.
We may also obtain photos, video and other visual/audio recordings where necessary to maintain the safety and security of our premises. Unless otherwise authorised by law, we will notify you of such recordings either directly or through clear signage.
In addition to the types of personal information identified above, the Foundation may collect personal information as otherwise permitted or required by law.
When you visit our website
Where you use the Foundation’s website, we may collect website usage information using Google Analytics, such as the IP address you are using, the name of your Internet service provider, your browser version, the website that referred you to us and the next website you go to, the pages you request, the date and time of those requests and the country you are in.
Except where you provide it to us via the website, we do not collect personal information such as your name, mailing address, email address or phone number when you are browsing our website.
The Foundation may use tracking technology such as “cookies” on the website and in emails you receive from us. The use of cookies is an industry standard and helps us monitor the effectiveness of our advertising and how visitors use the website. A “cookie” is a small data element stored by your web browser on your computer system. The website “cookies” do not store your email address or other personal information about you. We use this technology to generate statistics and measure site activity to improve the usefulness of visits to our website.
The Foundation’s website contains links to other sites. This Policy applies to the Foundation’s website and not to any linked sites. We encourage you to read the privacy policies of each website.
How do we collect your personal information?
Generally, the Foundation collects personal information directly from you (e.g. when you telephone, email, mail, fax us or complete an online form on our website). This ensures that you have control over what personal information we are collecting about you.
However, the Foundation may also collect your personal information from third parties or other sources where you have consented to such collection or in circumstances you would reasonably expect. The most common sources from which we may collect your personal information are:
From publicly available sources, including the Foundation’s social media pages;
From government departments and authorities;
From third parties (for example, from referees if you apply for a position as an employee with us); and
From tertiary institutions, such as universities, about students and academics who conduct work on the Foundation’s premises.
What if you choose not to provide us with personal information?
Where practical we will give you the option of not identifying yourself, or using a pseudonym, when dealing with us.
How do we use and disclose your personal information?
The purposes for which we use and disclose your personal information will depend on the circumstances in which we collect it. Whenever practical we endeavour to inform you why we are collecting your personal information, how we intend to use that information and to whom we intend to disclose it, at the time we collect your personal information.
We may use or disclose your personal information:
For the purposes for which we collected it (and related purposes which would be reasonably expected by you);
For other purposes to which you have consented; and
As otherwise authorised or required by law.
Generally, we collect, use and disclose your personal information so that we can work together, operate our programs, and further our mission and objectives.
Some of the specific purposes for which we use personal information are as follows:
To process donations;
To maintain contact with our donors;
To recognise the support of our major donors in our publications, subject to their prior consent;
To add you to our mailing list or to respond to your request for information (including via the Foundation’s website or via an email you send to us);
To provide you with newsletters, promotional material or other information about the Foundation and its activities (including by electronic messages such as email and SMS);
To inform our supporters about our work and mission; and
To verify your identity.
We take reasonable steps to ensure that personal information is only accessed by authorised personnel and disclosed strictly for the purposes for which it was collected, or as required by law. Disclosures are subject to our internal access controls and record-keeping obligations under law.
In certain circumstances we disclose your personal information to third parties that we engage, or we are engaged by, in the ordinary course of our business. Such third parties include (without limitation):
Our project partners and other businesses with whom we have commercial relationships;
Professional advisors (e.g. lawyers, business advisers and auditors); and
Contracted service providers involved in providing or administering our products and services (e.g. software and technology service providers).
We do not intentionally disclose your personal information to overseas recipients. However, some of our technology service providers (such as analytics or cloud hosting providers) may process data overseas. Where this occurs, we take reasonable steps to ensure those recipients handle personal information in accordance with Australian privacy laws.
Do we use your personal information for direct marketing?
We may also use and disclose your personal information for the purpose of direct marketing to you where you have consented to us doing so, or you would reasonably expect us to use or disclose the information for that purpose.
If you wish to unsubscribe from our direct marketing, or change your contact preferences, you may do so by contacting us using the contact details at the beginning of this Policy or by following the opt-out instructions provided in the communication.
Automated Use of Personal Information
The Foundation does not use personal information in any automated process or profiling process that makes, or is substantially connected to making, decisions which could reasonably be expected to significantly affect your rights or interests.
Security
The security of your personal information is important to us. The Foundation will take reasonable steps to protect your personal information from misuse, interference and loss, as well as unauthorised access, modification or disclosure.
We manage your personal information in accordance with the Acceptable Use of Information and Communications Technology Policy published by the Department of Health.
We store personal information on computer databases and/or in hard copy and will take reasonable commercial physical and electronic security measures to protect any records that we hold which contain your personal information.
We use a number of physical, administrative and technical measures to safeguard and protect your personal information including:
The use of third party cybersecurity software and security tools, where appropriate;
Storing electronic information on a server based in Australia, subject to the arrangements of our technology and service providers;
Storing hardcopy information on secure premises with controlled or restricted access;
Implementing access controls to limit access to electronic systems on which personal information is processed and stored to authorised personnel only;
Requiring all authorised officers, employees and contractors to comply with information security requirements, including password management and information security awareness training, as applicable to their role; and
Monitoring and regularly reviewing our practice against our own policies and against industry standards, where appropriate.
When the personal information we hold is no longer required for the purposes it was collected, and we are not legally obligated to retain it, we will take reasonable steps to destroy it in a secure manner or permanently de-identify it.
In the event personal information held by us has been accessed, disclosed without authorisation, or is lost, we will take immediate action to contain, assess and remediate the incident in accordance with our risk management plan. If a data breach is likely to cause you serious harm, we will contact you, and any relevant regulators, as soon as possible (unless the law requires or authorises otherwise).
Should you become aware of a security breach involving the Foundation, please notify us immediately.
Can you request corrections to your personal information?
We will endeavour to take reasonable steps to ensure that the personal information that we collect is accurate, up-to-date and complete, including (without limitation):
Ensuring that updated and new personal information is promptly added to relevant existing records;
Reminding individuals to update their personal information when we engage with them.
If you think that the personal information we hold about you might be out of date and needs to be corrected, please contact us using the contact details provided above. We will aim to respond to your request within 30 days of our receipt of the request, but in any event, within a reasonable period after the request is made.
If, having regard to the purpose for which it is held, we are satisfied that personal information we hold is inaccurate, out-of-date, incomplete, irrelevant or misleading, or if the individual about whom the information relates makes a request, we will take reasonable steps to correct the information.
We will only refuse to correct personal information in accordance with our obligations under privacy law. If we refuse to correct personal information in accordance with privacy law, we will provide a written notice to the requestor setting out:
The reasons for the refusal (except where it would be unreasonable to provide the reasons);
The mechanisms available to make a complaint about the refusal;
Any other matter prescribed by the regulations; and
An offer to insert a statement into the relevant record identifying the requestor’s statement that the information is inaccurate, out-of-date, incomplete, irrelevant or misleading.
We will not charge fees for requests for the correction of personal information or for associating the statement with the personal information.
Can you get access to view your personal information?
You can request access to view the personal information we hold about you by contacting us using the contact details at the beginning of this Policy.
Generally, we will need the following information to process your request:
Your name and contact details;
Whether the personal information relates to you or another person (if the information relates to another person, you will need to demonstrate that you have their authority to act on their behalf);
What information you are seeking to access (e.g. dates, location, subject matter and any other information that will help us identify the information you are seeking);
The reason/s you wish to access this information;
Your preferred method of receiving information (e.g. in writing via email or relayed in person); and
Any other information as necessary to assist us in responding to your request.
We will aim to respond to your request within 30 days of our receipt of the request, but in any event, within a reasonable period after the request is made. Our response will confirm whether we approve or refuse your request and will be based on the requirements under the privacy laws.
In some circumstances, we may be required or authorised by law to refuse a request for access. If this occurs, we will write to you to explain our reasons and explain the escalation options available to you.
Some examples of when you might be denied access are if:
Access will pose a threat to the life or health of someone;
Access would have an unreasonable impact on another person’s privacy;
Information relates to anticipated or existing legal proceedings; or
Giving access would be unlawful.
We may charge reasonable fees to cover our costs to respond to your request for personal information, including third party costs such as postage costs. The fees will be determined on a case-by-case basis and we will inform you of the likely fees before they are incurred.
Complaints
If you have a complaint about the way in which we have handled any privacy issue, including your request for access or correction of your personal information, you should contact us. Our contact details are set out below. To assist us in processing your complaint, it is helpful (and sometimes necessary) for you to provide us with the following information:
Your name;
Your preferred contact details;
A description of your concern/complaint;
The action you would like the Foundation to take; and
Any supporting information.
We will consider the issues you have raised and, where appropriate, undertake an investigation into your complaint. The Foundation will endeavour to respond within 30 days (or such other time as agreed).
Our response will explain:
The outcome of the investigation;
The action proposed to prevent similar complaints in the future (where applicable); and
How you can escalate your complaint with external organisations.
If you are unhappy with the way we have handled your complaint, you may approach an independent adviser or contact the Office of the Australian Information Commissioner for guidance on alternative courses of action that may be available.
The Office of the Australian Information Commissioner can be contacted by:
Email: enquiries@oaic.gov.au
Post: Office of the Australian Information Commissioner
GPO Box 5218, Sydney NSW 2001
Telephone: 1300 363 992