Thursday 8 December, 2016
1.1 Our privacy obligations and commitments
Cancer Council Victoria (CCV) is a not for profit company limited by guarantee. CCV is required to comply with the following laws when collecting, holding, using and disclosing personal information, including sensitive and health information: Privacy Act 1988 (Cth)(Privacy Act) and the Australian Privacy Principles in that Act (APPs), the Health Records Act 2001 (Vic) (Health Records Act) and the Health Privacy Principles (HPPs) in that Act.
We are committed to protecting personal and health information in accordance with these laws:
in providing support and advice services to persons with cancer, their families and the community, carrying out cancer research, conducting fundraising and advocacy activities (Services); and
maintaining the Victorian Cancer Registry, to which the Improving Cancer Outcomes Act 2014(Vic) also applies.
2.1 What is personal information?
Personal information is information or an opinion, whether it is true or not, about an individual whose identity is apparent, or can be reasonably ascertained, from that information or opinion.
2.2 What is sensitive information?
Sensitive information is a subset of personal information which is afforded a higher level of protection under the APPs. This includes information which relates to an individual's race or ethnic origin, political opinions or memberships of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association or union, sexual preferences or practices, criminal record or health information about an individual. Our collection, use and disclosure of personal information, including sensitive information, will comply with the APPs.
2.3 What is health information?
Health information is personal information that is also information or an opinion about the physical, mental or psychological health of an individual, a disability of an individual, an individual's expressed wishes for the future provision of their healthcare, or a health service provided to an individual. Health information also includes personal information that is collected to provide a health service or in connection with the donation of an individual's body parts, organs or body substances, or personal information that is genetic information about an individual that is predictive of the individual's health. For the avoidance of doubt, CCV also treats genetic and biometric information as health information. Our collection, use and disclosure of health information will comply with the HPPs.
3. What personal information do we collect?
3.1 Types of information we collect
We collect personal information from individuals both to whom we provide, and who help us provide, our Services. This includes persons with cancer and their next of kin, employees, job applicants, donors, research study participants, recipients of support services, participants in advocacy campaigns, health promotion projects or fundraising campaigns, health professionals, suppliers, volunteers, users of our social media pages and applications and our service providers.
The personal information we collect will depend on who you are and the purpose for which it is collected. We only collect personal information that is reasonably necessary to perform our functions or activities.
The kinds of personal information we may collect when dealing with you may include:
your name, date of birth and gender;
your contact information including address, email, telephone number and mobile number;
your details regarding ethnicity eg country of birth, whether you are an Aboriginal or Torres Strait Islander or language spoken at home;
payment or billing information (including bank account details, credit card details, billing address and invoice details) for donations or the supply of our Services;
your current location, if you are using one of our mobile applications and consent to this collection;
details relating to the Services we have supplied you; and
your username and password for accounts set up on our website including your Social ID if you choose to use it.
We may also collect the following types of personal information from you if you are a:
Person affected by cancer and next of kin:
your health information and medical history in particular your history with and relationship to cancer including the type of cancer you have or your next of kin has suffered, your/their treatments, genetic and biometric information and biometric templates; and
health information that is reported to and maintained on the Victorian Cancer Registry, which we administer. We may also collect government related identifiers, such as your Medicare number, in relation to the Victorian Cancer Registry. For further information about the Victorian Cancer Registry click here.
health information and medical history, family history of cancer, genetic and biometric information, lifestyle information.
Job applicant or employee:
your employment history, qualifications, resume and job references;
your fitness for work, including police checks and security information from government agencies or departments (including Working with Children checks), health assessments and other personal information as part of your job application (only if appropriate and in compliance with the law);
your banking details to process payments such as wages; and
government related identifiers, such as your Tax File Number in compliance with the law.
Public participant in CCV fundraising and support schemes and campaigns:
your opinions via surveys and questionnaires;
your insurance policies and details, which are only collected in limited circumstances such as where qualification for a particular CCV program requires you to have certain insurances (for example, the Holiday Break Program); and
details relating to donations you have made to us.
3.2Dealing with us anonymously or using a pseudonym
Where practicable, you can deal with us anonymously or using a pseudonym. You can also choose to not provide us with some or all of your personal information. However, doing so may mean that we are unable to assist you fully with your query or provide you with the relevant Services. By law, you will not be anonymous to us if your health information is reported to the Victorian Cancer Registry.
4. How do we collect your personal information?
4.1 From you
Where reasonably practicable, we will collect your personal information directly from you. This may be in person (for example, where you purchase a retail product in-store or attend an event), on the telephone (for example, if you contact Cancer Council 13 11 20, or if you answer a telephone-based research questionnaire), by mail (for example, if you complete research study documentation or a survey) or online (for example, if you participate in an online survey, sign up for an event online or set up an account with us).
4.2 From the Victorian Cancer Registry
The Victorian government places an obligation on the proprietor of any Victorian hospital, private hospital, prescribed registered funded agency or prescribed health service establishment to disclose to the Victorian Cancer Registry information about any patient who has cancer. The aim of the Victorian Cancer Registry is to keep up-to-date and accurate information on all cancers in Victoria. This information is used to improve cancer prevention, control and treatment. CCV is responsible for administering the Victorian Cancer Registry. For further information about the Victorian Cancer Registry including what data is collected and how data is registered click here.
4.3 From the Victorian Family Cancer Registry
The Victorian Family Cancer Registry (VFCR) is an opt-in register for family members assessed as having a high risk of developing cancer due to a genetic predisposition. Two important VFCR services are cancer verifications to help family cancer centres with risk assessments and a surveillance appointment reminder service for its members. The types of information we may collect for the purposes of the VFCR could include your name, contact details, date of birth, your gender and position in the family, any cancer diagnosed and at what age, cancer related gene test results and details for recommended follow up appointments. We only collect such personal information with your informed consent. For further information about the VFCR, click here.
We may collect personal information from third parties such as contractors (including fundraising service providers) who provide Services to us, health professionals and your next of kin (where you have consented to or are unable to provide us with your personal information directly).
This allows us to:
Maintain the continuity of your browsing session (eg. maintaining a shopping cart);
Remember your details and preferences when you return;
Use Google Analytics to collect information such as demographics and interests, visits to our websites, length of visit and pages viewed; and
Tailor our advertising through advertising networks on other websites.
You can set your browser to notify you when you receive a Cookie and this will provide you with an opportunity to either accept or reject it in each instance. Please note that if you do this, it may affect some of the functions on our website.
We may also gather your IP address as part of our business activities and to assist with any operational difficulties or support issues with our Services. This information does not identify you personally.
When you use our mobile applications, we may collect information from you, such as your profile, location and other relevant information, which is used to provide our Services. By providing us with this information, you are consenting to our collection and use of this information.
5. Why do we collect your personal information and how do we use it?
In addition to collecting and using your personal information in order to carry out our Services, we collect and use your personal information for the purposes explained below:
5.1 Research purposes
CCV may collect personal information to conduct and/or fund research into cancer causes, as well as prevention, diagnosis, treatment and survivorship. This may be directly from you with your consent or from the Victorian Cancer Registry. For information on disclosure for research, please see item 6.1.
Personal information collected for research purposes is not used for direct marketing unless your consent is obtained for that purpose.
Research studies which require ethics approval from an Australian Human Research Ethics Committee (HREC) may have additional obligations in relation to collection of personal information. Such projects will comply with the conditions of the ethics approval by the relevant HREC.
5.2 Direct marketing and opting out
We may use personal information, including your name, contact phone number, address and email address, to send marketing and promotional information by post, email, social media or telephone including SMS. You may opt-out of receiving direct marketing communications from us at any time. If you do not opt-out, we will assume we have your ongoing consent to send information and communications.
If you wish to stop receiving direct marketing communications from us, please tell us at any time by following the opt-out instructions on the communication we send you or you can contact us using the details set out in item 11.1.
5.3 Other general purposes
Depending on what Services we are carrying out, we may collect personal information for a number of purposes, including:
Employment: to manage queries from or about a prospective, current or past employee;
Support services: to provide with information and support services, and to evaluate and report on these services;
Health promotion: to provide information about cancer risk factors, such as UV exposure, tobacco and obesity, and to seek your support for campaigns;
Volunteering and other support: to enable individuals to assist us with volunteering, community fundraising, advocacy and other activities where we seek the community’s assistance; and
Other purposes: communicating with individuals in relation to our operations, activities and objectives, to verify their identity, to improve and evaluate our programs and Services and to comply with applicable laws.
In some cases, we may collect personal information as agent for Cancer Council Australia and other affiliate State and Territory Cancer Councils (for example, where we are the lead State on a national fundraising campaign).
Whenever practicable, we will provide you with a collection statement setting out the purpose for the collection and how you can contact us regarding your personal information.
6. Who do we disclose personal information to?
In order to carry out our Services and statutory functions and for the collection and purposes explained above, we may disclose appropriate personal and health information to others as set out below.
6.1 Disclosure for research
We may disclose your personal and health information, including data on the Victorian Cancer Registry, to researchers to conduct research studies into the causes of cancer, as well as diagnosis, treatment and cures. Typically information provided for research projects is de-identified unless consent is obtained. Disclosure of personal and health information for research purposes will be subject to our legal obligations, as well as our strict internal policies and codes of practice including our Research Code of Practice which is based on the Australian Code for the Responsible Conduct of Research. For more information about disclosure of data on the Victorian Cancer Registry for research purposes click here.
6.2 Other general disclosures
External support services: to health care professionals, lawyers, counsellors, auditors, financiers, volunteers, agencies and not-for-profits that provide us or you with support services (only in limited and appropriate circumstances necessary to carrying out our Services);
Other charities: we may provide de-identified statistical information to other charities for marketing purposes;
Contractors and service providers: who perform services on our behalf, such as mailing houses, printers, information technology services providers (including interstate or offshore cloud computing service providers in New South Wales, Singapore or the United States), archiving services, database contractors and marketing agencies to perform services on our behalf;
Corporate partners: who may wish to provide special offers to Cancer Council supporters. (Please note, you are entitled to opt out of this communication at any time by using the contact details at item 11.1 or by following the opt-out instructions on the communication); and
Cancer Council Australia and other affiliate State and Territory Cancer Councils.
We may also disclose data on the Victorian Cancer Registry to other third parties such as authorised health care professionals. For more information about other disclosures of data for other purposes click here.
7. Do we transfer or disclose personal information outside of Victoria?
From time to time, we may disclose personal and health information, including data on the Victorian Cancer Registry, to individuals and organisations who are located outside of Victoria and Australia.
They may be in locations where they are subject to laws that apply in that location or to a binding scheme or a contract with us which requires them to protect the information we disclose in a substantially similar way to the privacy obligations that we have. Otherwise, we may disclose or transfer the information in compliance with the other provisions of HPP9 and/or APP8 as applicable.
The kinds of individuals and organisations to whom we may transfer/disclose information outside of Victoria include the third parties noted above, such as contractors and service providers, and other affiliate Cancer Councils within Australia. We may also disclose de-identified information to researchers in Europe, Asia or the United States.
8. How do we store and secure personal information?
We store personal and health information in both hardcopy and electronic form. We take reasonable steps to protect it from misuse, interference and loss, and from unauthorised access, modification or disclosure.
Some of the ways we do this include:
storage of electronic information using a password protected electronic database;
storage of hardcopy information on secure premises only accessible by authorised people;
using Secure Socket Layer (SSL) certificates for encrypting your credit card and debit card numbers;
financial information is encrypted on our servers and access to this information is restricted to authorised CCV staff; and
backing up and archiving information using secure archiving services within Victoria.
Where personal information is stored with a third party, we have arrangements which require those third parties to maintain the security of the information. We take reasonable steps to protect the privacy and security of that information. Because of the nature of our Services and functions, and the purposes for which we collect personal and health information, we generally retain and hold much of this information indefinitely. Under HPP4, health information collected by CCV as a health service provider, cannot be destroyed for at least seven years and we will securely archive the information that we are not actively using.
9. Can you access personal information that we hold about you?
9.1 Research participants
If you are a participant in CCV research studies, access to some types of personal information, such as DNA sequences is not generally granted, and participants are, where applicable, advised of this at the time they commit to taking part in the research study.
9.2 General access
We will, upon your request, and subject to any exemptions in applicable privacy laws, provide you with access to the personal information that we hold about you. We will need to first identify you and know the type/s of information you require access to. We will endeavour to deal with access requests within 30 days. We may charge for our reasonable costs incurred in giving access to the information. If we deny access to any part of the personal information that is requested, we will notify you of our reasons in writing and how you can complain.
9.3 Access to data on the VCR
For more information about how to access your data on the VCR please click here.
10. How can you update and correct your personal information?
You can ask CCV to correct or update personal information we hold about you at any time. We will need to verify your identity before making any corrections or changes to your information. We also have obligations to take reasonable steps to correct personal information we hold once we have been notified that it is inaccurate, out-of-date, incomplete or irrelevant or misleading for the purpose for which it is held.
If you require access to, or wish to update your personal information, please contact us on the details provided below. If we refuse your request, we will notify you in writing of our reasons and explain how you can complain.
11. How can you contact us or complain about our handling of your personal information?
11.1 Our contact details
If you wish to make a complaint about our handling of your personal information, please contact us on the details set out in item 11.1. To provide you with an appropriate response, we may need you to provide us with more information about your complaint and to verify your identity. We will investigate your complaint and endeavour to provide you with a response within 30 days of receipt of your complaint. If we cannot respond in the timeframe specified, we will contact you and explain the reason for the delay and give you a new timeframe for our response.
If you are not satisfied that we have resolved your complaint you can request that the matter is escalated for review by our Chief Operating Officer at the contact details set out in item 11.1.
11.3 External complaints about personal information
If you are still not satisfied that your complaint has been resolved by us, you may make a complaint to:
The Office of the Australian Information Commissioner (OAIC) which deals with complaints under the Privacy Act1988 in relation to personal information. The OAIC can be contacted at:
For complaints about health information which is not covered under the Privacy Act 1988, such as the health information on the Victorian Cancer Registry, you can contact the Victorian Health Services Commissioner (who deals with complaints about the handling of health information under the Health Records Act), on the following details:
Website: www.health.vic.gov.au/hsc/ Telephone number: 1300 582 113 In writing: Health Services Commissioner, 26th Floor, 570 Bourke Street, Melbourne VIC 3000