Privacy Statement and myHMRI Terms of Use Statement
1. APPLICATION
1.1 This Policy applies to any information collected, obtained, held or disclosed by HMRI Directors, officers, employees, volunteers and HMRI Affiliates (HMRI Representatives) in the course of carrying out activities on behalf of HMRI.[1]
1.2 The Policy applies to all visitors to the HMRI or myHMRI web sites or any social media platform controlled by HMRI and other persons who interact with HMRI or whose personal information HMRI may deal with in carrying out its activities.
2. INTRODUCTION & INTENT
2.1 At all times, HMRI endeavours to only collect or hold personal information required for the function or activity which HMRI is carrying out.
2.2 This Privacy Statement is intended to provide further details of the ways in which HMRI collects, stores and discloses personal information which is collected through digital media and in general commercial and operational activities.
3. COLLECTION GENERALLY
Supporters - website and myHMRI visitors
3.1 The types of information HMRI may collect and hold relating to donors or supporters of HMRI and other visitors to the HMRI or myHMRI website includes (without limitation):
• Names and contact details such as telephone numbers, addresses and email addresses;
• Banking or credit card details and donation history; and
• Personal information that you provide in forms (including electronic forms) completed, conversations and other correspondence.
3.2 We collect and hold the types of information described above for the primary purpose of processing payments, issuing receipts, conducting surveys and seeking donations as well as to undertake marketing activities such as communicating information to you regarding HMRI, including fundraising events and research activities. HMRI may also use your personal information for secondary purposes closely related to the primary purpose.
HMRI Affiliates
3.3 In addition to the information referred to at 3.1 above, the types of information HMRI may collect and hold relating to affiliates who visit the myHMRI website includes information about your work location, your research and research team.
3.4 The additional information that HMRI collects on HMRI affiliates via myHMRI is for the primary purpose of HMRI operational plans, services, performance monitoring and reporting to government and other stakeholders. HMRI may also use such information for secondary purposes closely related to the primary purpose.
General activities
3.5 HMRI may collect and hold personal information and/or sensitive information about individuals who we deal with on a commercial basis such as visitors, suppliers, contractors and individuals in organisations to which we provide goods and services, or from which we acquire goods and services.
3.6 The type of personal information collected may include names, positions, contact details, licence or registration numbers, ABN, bank details, insurance details and other information relevant to dealings with HMRI.
3.7 HMRI collects personal information regarding employees which includes names, contact details, banking and superannuation details and other employment related information. The collection, storage, access and disclosure of such information is guided by the HMRI Technology and Information Access policy.
4. COLLECTION THROUGH HMRI WEBSITE
4.1 The HMRI websites, https://hmri.org.au and https://my.hmri.org.au, are hosted in Australia. There are a number of ways in which we collect information through our website.
Web analytics
4.2 We use Google Analytics to collect data about visitors’ interaction with our website. The purpose of collecting data in this way is to improve your experience when using our site. We also use this data to understand and report on which content pages and downloads are accessed by visitors.
4.3 The types of data we collect with these tools include:
• visitor’s device’s IP address (collected and stored in an anonymised format);
• web behavior and website engagement including:
  ◦ search terms and pages visited on our website;
  ◦ date and time, downloads, time spent on page, and bounce rate;
  ◦ referring domain and out link if applicable;
• device type, operating system and browser information;
• demographics;
• geographic location (city).
Cookies
4.4 Cookies are small data files transferred onto computers or devices by websites for record-keeping purposes and to enhance functionality on the website. Most browsers allow the visitor to choose whether to accept cookies or not. If you do not wish to have cookies placed on your computer, please set your browser preferences to reject all cookies before accessing our website.
4.5 HMRI collects statistics on visitor traffic to our website through cookies. These are anonymous and do not identify visitors. We may also anonymously track your visits to our website by using information collected by others, who have access to your browser information.
4.6 The cookies from our website are generally created by HMRI, Google Analytics, WordPress, Microsoft and Blackbaud (without limitation).
5. EMAIL LISTS, REGISTRATIONS AND FEEDBACK
5.1 HMRI may collect information that you provide to us when signing up to mailing lists and registering for our events, or when submitting feedback on your experience with our website.
5.2 HMRI uses Blackbaud to manage mailing lists and event registrations. You can access Blackbaud’s privacy policy here: https://www.blackbaud.com.au/company/privacy-policy/pacific and https://www.blackbaud.com.au/company/privacy-policy
5.3 HMRI uses Microsoft Dynamics CE to manage mailing lists and event registrations.
5.4 HMRI uses Stripe as its payment gateway. You can access Stripe’s privacy policy here: https://stripe.com/au/privacy
5.5 HMRI uses the services of Hotjar to collect voluntary feedback on your experience with our website. You can access Hotjar’s privacy policy here https://www.hotjar.com/legal/policies/privacy/.
6. COLLECTION THROUGH DIGITAL PLATFORMS & SOCIAL NETWORKING SERVICES
6.1 HMRI uses social networking services such as Twitter, Facebook, Instagram, LinkedIn, Google and YouTube, to communicate with the public about HMRI activities and research. When you communicate with us using these services we may collect your personal information, but we only use it to help us to communicate with you and the public.
6.2 The social networking service that you interact with may also handle your personal information for its own purposes. These services have their own privacy policies. You can access the privacy policies for the relevant social networking service on their websites.
6.3 HMRI may also collect information which persons disclose to other online platforms relating to support, fundraising activities and donations to HMRI.
7. HOLDING PERSONAL INFORMATION (STORAGE & SECURITY)
7.1 HMRI uses physical security and electronic measures to ensure that personal information is protected from misuse, interference and loss; and from unauthorised access, modification and disclosure.
Physical copies of information
7.2 Personal information may be collected in paper-based documents and converted to electronic form for storage (with the original paper-based documents either archived or securely destroyed).
7.3 Personal information held in paper-based form is securely stored at the HMRI Facility or in the case of archived records, at a secure external storage facility located in Australia.
Electronic copies of information
7.4 Personal information collected by HMRI in the course of its activities or for the Research Register is held on our cloud storage, on servers located in Australia. We retain effective control over any personal information held on our cloud, and the information is handled in accordance with the Australian Privacy Principles.
7.5 Donations and registrations made on the HMRI website use encryption methods and credit card data is stored using systems compliant with the Payment Card Industry Data Security Standard.
7.6 HMRI holds a license to the REDCap platform which is hosted on Microsoft Azure in Australia. HMRI holds a license to the OpenSpecimen platform which is hosted on AWS in Australia. Personal information collected by Affiliate Researchers may be uploaded or inputted into databases using HMRI instances of OpenSpecimen and/or REDCap.
Electronic security measures
7.7 HMRI maintains computer and network security by using firewalls, user identifiers and passwords to control access to our IT systems in accordance with the HMRI Technology and Information Access Guidelines.
7.8 HMRI takes steps to protect the security of the personal information we hold in HMRI ICT from both internal and external threats and assesses the effectiveness of these steps by:
• classifying data assets and establishing appropriate control in accordance with the Information Security Data Classification and Handling Manual;
• maintaining records of access to HMRI ICT;
• requiring employees who access personal information to give undertakings to keep confidential information secure;
• keeping activity logs and regularly assessing the risk of misuse, interference, loss, and unauthorised access, modification or disclosure of that information;
• taking measures to address any identified risks, for example, we keep a record (audit trail) of when someone has added, changed or deleted personal information held in our electronic databases and regularly check that staff only access records when they need to;
• conducting regular internal and external audits to assess whether we have adequately complied with or implemented these measures; and
• destroying personal information in a secure manner when HMRI no longer needs it.
8. DISCLOSURE TO SERVICE PROVIDERS AND OTHERS
8.1 HMRI uses a number of service providers to whom we disclose personal information. These include providers that host our website servers, develop web-based platforms, manage our IT and facilitate fundraising activities.
8.2 To protect the personal information we disclose to service providers we:
• enter into an agreement (which may be a confidentiality agreement), or MOU which requires the service provider to only use or disclose the information for the purposes of the contract or MOU; and
• include special privacy requirements in the contract or MOU, where necessary.
8.3 HMRI otherwise discloses personal information held about an individual or corporation to persons or organisations that the individual or organisation authorises us to disclose information to or where required or authorised by law.
8.4 HMRI may share personal and research information which HMRI Affiliates enter into myHMRI with its partner organisations, the University of Newcastle, the Hunter New England Local Health District and the Calvary Mater Newcastle. Such information may also be used to report to government and industry organisations, with any sensitive information only being provided in de-identified form.
8.5 Health research participant personal health information is not shared with anyone outside of HMRI without the express consent of the participant.
9. MARKETING ANALYSIS AND REMARKETING
9.1 Marketing and seeking support for the future growth and development of HMRI are important in ensuring that HMRI continues to conduct world class research. HMRI may, from time to time, communicate with individuals and organisations regarding fundraising including information on how donations have been spent and seeking support for future HMRI research and support activities.
9.2 From time to time, HMRI may provide name and address details of an individual or organisation who supports HMRI, to another organisation who may wish to communicate with that individual or organisation to provide information that may be of interest to them (for example like-minded charities).
9.3 Third party agencies who HMRI may provide such information to are Conexumlist fa, List Factory or Tedirex. You can access the respective privacy policies via their websites, or by contacting HMRI (see contact details below).
9.4 The type of information HMRI may provide to these agencies may include supporter’s name, address, timing and value of donations.
9.5 If you would like to prevent HMRI from providing name and address details to any other organisation you can contact us - see ‘Contact us’ below. Alternatively, HMRI will provide an opportunity to “OPT OUT” by following the instructions in our email or print communications.
10. ACCESS AND COMPLAINTS RELATING TO CONFIDENTIAL INFORMATION
10.1 You have the right to ask for access to personal information that we hold about you, and ask that we correct that personal information. You can ask for access or correction by contacting us and we must respond within 30 days. If you ask, we must give you access to your personal information, and take reasonable steps to correct it if we consider it is incorrect, unless there is a law that allows or requires us not to.
10.2 We will ask you to verify your identity before we give you access to your information or correct it, and we will try to make the process as simple as possible. If we refuse to give you access to, or correct, your personal information, we must notify you in writing setting out the reasons.
Making a complaint
10.3 If you wish to complain to us about how we have handled your personal information you should first notify us in writing. If you would like to lodge a complaint, you can contact us - see ‘Contact us’ below.
10.4 If we receive a complaint from you about how we have handled your personal information we will determine what (if any) action we should take to resolve the complaint.
10.5 If we decide that a complaint should be investigated further, the complaint will be handled by a more senior officer than the officer whose actions you are complaining about.
11. CONTACT HMRI
11.1 If you do not wish HMRI to collect or hold your personal information, would like to access and correct your personal information or would like to make a complaint, you can contact us by:
Website: hmri.org.au
Email: privacy@hmri.org.au
Telephone: (02) 4042 0000
Post: The Proper Officer
Hunter Medical Research Institute
1 Kookaburra Circuit
New Lambton Heights NSW 2305
[1] Any non-employee of HMRI should also refer to their employer’s policies and procedures relating to privacy.