Children's Medical Research Institute Privacy Policy

1. OVERVIEW

Children's Medical Research Institute (CMRI) is committed to protecting your privacy and handling your personal information in accordance with applicable privacy laws and regulations applicable to your location, including the Privacy Act 1988 (Cth) (Privacy Act) and the General Data Protection Regulation (GDPR) in Europe, as amended from time to time.

2. SCOPE

This Privacy Policy explains the kind of information we may collect about you, how we may use that information, whether we will disclose it to anyone, and how you can contact us to select ways we interact with you and to correct the information we collect.

3. THE INFORMATION WE COLLECT

“Personal information” is information or data which identifies you as an individual or from which your identity can be reasonably ascertained.

We only collect personal information if it is reasonably necessary for one or more of our functions or activities as a medical research organisation and registered charity.

Depending on the purpose of our interaction with you, we may collect the following types of personal information (whether in electronic or hard copy form):

• Name
• Date of birth
• Contact details such as mailing or street address, email address, and telephone numbers
• Gender
• Education and employment histories
• Personal interests
• Family stories
• Bank/credit card details

Details about the purposes for which we collect personal information, how it is stored and disclosed, are provided below.

Some personal information is also “sensitive information.” Sensitive information includes your health information (including genetic information or biometric information), information about your racial or ethnic origins, your political opinions, your political associations, your religious beliefs/affiliations, your philosophical beliefs, whether you are a member of a trade or professional association or trade union, your sexual orientation/practices or your criminal record.

We do not collect your sensitive information as part of our regular business activities. We will only collect sensitive information with your prior written consent or otherwise as permitted by law.

4. HOW WE COLLECT INFORMATION AND HOLD DATA

We collect personal information in various ways, both directly and indirectly.

Direct collection occurs when you contact us or we contact you, such as via telephone, manual or online donation forms, registrations, transactions, merchandise orders, event participation, or contests like raffles. At events, we may take your picture and ask for personal details. We also collect personal information through application forms when seeking volunteers, or filling student or paid staff roles.

Indirect collection involves using physical or online sources, such as information directories, company websites, or social media postings. CMRI may also collect personal information from publicly available sources such as online information directories, online social media sources, telephone directories or company websites. Additionally, we track visitors to our websites and social media platforms using cookies or registered identification (discussed further below). 

We may receive personal information from third parties, such as partners, family members, or friends who have obtained it from you. If we collect your personal information from someone other than you, we will take reasonable steps to contact you to ensure you are or have been made aware of the information collected, the purposes for which we are collecting your personal information, and other matters as required by law.

5. HOW WE HOLD YOUR INFORMATION

We hold personal information electronically and in hard copy form, both at our own premises and with the assistance of our service providers. We take reasonable and appropriate security steps to protect the personal information we hold from misuse, loss, unauthorised access, modification or disclosure.

Digital records are maintained on our secure network. We maintain network security by using a network firewall, encrypted transmission of electronic data, up-to-date anti-virus software, regular monitoring of all network traffic, and strict access control policies on electronic data including authorisation of user logins and password levels. Donor, participant or customer payments made on the CMRI website use Secure Socket Layer (SSL) certificates, which is a generally accepted standard for secure commerce transactions.

Physical records are secured in locked locations with restricted physical access and use of security alarms, or in the case of archived records, at an external storage facility in Australia. If you send us your bank/credit card information on a physical document, we will enter this information into our secure online payment systems (see below), and then securely destroy all physical records.

We also take measures to destroy or de-identify personal information that is no longer needed for any lawful purpose.

We will take reasonable steps to protect your personal information, but please be aware that we cannot guarantee its security, particularly when transmitted through our website or other online methods. While we make efforts to safeguard this information, transmitting data over the Internet carries some risks, and we cannot guarantee complete protection.

6. FOR WHAT PURPOSES DO WE COLLECT, HOLD AND USE PERSONAL INFORMATION?

We may collect, hold or use your personal information for purposes which are directly related to one or more of our functions or activities.

These purposes include:

• seeking financial support for our medical research activities through donations or in-kind contributions;
• processing of donations or merchandise and product orders, including issuing tax receipts and tax invoices;
• registration for an event, contest or activity and acknowledgement of your participation;
• using images and personal or family stories in our newsletters or on our websites;
• recruitment of volunteer roles, student positions, paid staff or contractor roles;
• conducting surveys on particular topics;
• informing you about our work and activities;
• conducting scientific research in accordance with ethics and governance approvals (see below);
• updating our records and to keep your contact details up to date;
• enhancing your experience of our websites and social media;
• any other purposes that we notify you of, or that you consent to;
• to comply with any law, regulation, lawful and binding determination, or in cooperation with any lawful direction of a governmental authority; and
• otherwise as permitted by law.

We may also use personal information collected in any way to contact you for any of our purposes and to seek your participation in future in any one of these activities.

We sometimes conduct activities under different brand names, including Children’s Medical Research Institute®, Jeans for Genes®, The Great Cycle Challenge, Bake It Blue®, or CellBank Australia. We may contact you regarding any of these branded activities.

Where you no longer wish to receive some or any communications from us, you may contact us at any time to change your preferences or opt out. To do this, please use the contact details provided at the end of this Privacy Policy.

7. USING DONOR HEALTH INFORMATION IN OUR SCIENTIFIC RESEARCH

For our research project, we may collect and use health information for our research projects, including information is provided to us by third party research collaborators (such as other research organisations, biobanks or hospitals). We may work with other reputable research or private organisations to achieve the aims of our research.

8. HOW AND WHEN WE MAY DISCLOSE PERSONAL INFORMATION

In connection with the purposes set out above, we may provide your personal information to:

8.1 Our staff

We will only disclose your personal information to our staff (which include our paid employees, students, volunteers and contractors) to the extent necessary for them to perform their duties and for required business functions or activities. We ensure our staff are bound by and comply with our policies and procedures regarding personal information and confidentiality.

8.2 Our external service providers

We may be required to disclose your personal information to our external service providers, such as organisations who assist us with printing and mailing, data analysis and processing, email, social media or telephone contacts, advertising and marketing, and IT services. We only disclose your personal information to the extent necessary for these services to be performed.

We take reasonable steps to ensure that your personal information is protected and handled by third party service providers in accordance with applicable privacy laws. This includes putting in place appropriate contractual terms with these third parties.

Our websites may contain links to other websites that we do not control. Our Privacy Policy does not apply to these other websites. If we refer you to a third-party service provider, they are responsible for informing you about their own privacy policy. We are not responsible for the privacy practices or the content of these websites.

8.3 Processing information when you make a donation

Our online fundraising activities are managed by third party service providers, and donations are processed using third-party payment processors. These processors collect and use personal information according to their privacy policies. We do not receive or store your financial information related to our online fundraising.

The personal information collected, stored and used by these third-party platforms may include identification information, contact details and financial details such as payment method information. This information may be used for purposes such as confirming your identity, verifying the accuracy of information you provide, processing payment transactions, sending transaction notices, and delivering requested information and support.

CMRI does not share or exchange a donor's personal information with other charities.

8.4 Other lawful purposes

At any time, we may be required by law or legal demand to provide personal information to another party, such as a regulatory authority.

8.5 Disclosure outside of Australia

We may disclose your personal information to third-party service providers that are located, or process data, outside of Australia and with whom we have a business relationship. The primary purpose of disclosing personal information overseas is to facilitate our business operations. Prior to engaging with an overseas party, we will take steps to ensure that the overseas party has data security arrangements to protect the information and is obliged to protect your personal information under privacy standards substantively the same as those that apply in Australia. The countries to which we are likely to disclose personal information include, but are not limited to, the United States of America, the United Kingdom and Germany.

9. YOUR RIGHTS TO ACCESS AND MAKE CHANGES TO YOUR PERSONAL INFORMATION

CMRI takes reasonable steps to ensure the personal information we collect is accurate, complete and up to date.

If you would like to access the personal information we hold about you, please contact us using the details below. For security purposes, we will ask you to verify your identity, such as by providing your date of birth or answering a security question, before we share any information.

If you believe any of the personal information we hold about you is incorrect or incomplete, you can request an update. You may also ask us to delete or de-identify your information. We will take reasonable steps to ensure accuracy and completeness, though we may still need to retain the original record.

In some cases, we may refuse access or changes if required by privacy or other relevant laws. If we cannot make the requested changes, you may provide a statement outlining your concerns, which we will attach to our records. We will also inform you of our reasons for any refusal.

If you would like to update your communication preferences for our fundraising activities, including the topics and frequency of contact, please let us know.

To authorise another person (including family members) to access your details, please notify us in writing, and we will record your request.

10. WHAT HAPPENS IF YOU DO NOT PROVIDE US WITH THE PERSONAL INFORMATION WE REQUEST?

Where lawful and practicable, you may choose to remain anonymous or interact with us without providing personal information. However, if you choose not to provide some or all of the requested details, we may be unable to offer certain services or respond effectively.

For example, if you do not provide the required personal information when donating or purchasing merchandise, products, or services, we may be unable to process your transaction correctly or issue a tax-deductible receipt or invoice. Similarly, if you apply for a volunteer or paid position and do not provide the necessary information, we may be unable to process your application or respond in a timely manner.

When necessary and where reasonably possible, we will inform you of any consequences of not providing certain information.

11. USE OF DIGITAL SERVICES AND COOKIES

Like many websites, we collect information about your usage when you view our websites or social media pages. Some of this data may be stored on your device in form of cookies or similar files.

We use cookies and other tracking tools to gather aggregated statistical data, such as the number of visitors, their location (country, city or region), browser and operating system, and which webpages are viewed and for how long. This helps us improve our services and enables remarketing or similar audience features to reach previous visitors.

Cookies also help maintain browsing continuity - such as keeping items in your shopping cart - and remember your details and preferences for a better user experience. They may also allow us to contact you with relevant information in the future.

Most internet browsers, including Microsoft Edge and Google Chrome, allow you to delete cookies, block them entirely, or receive a warning before one is stored. Check your browser’s help section for instructions. However, blocking cookies may affect certain website functions.

We may use external service providers to analyse this data and allow them to use cookies for targeted messaging when you visit other websites. You may opt out of this advertisement targeting technology by using the opt out page of the Australian Digital Advertising Alliance at www.youronlinechoices.com.au or by contacting the CMRI Privacy Officer.

12. DATA BREACH

If we believe a data breach may have occurred, we will carefully review the situation within 30 days of becoming aware of the potential issue. If it is confirmed that a breach has occurred and where required by law, we will notify the Australian Privacy Commissioner and any affected individuals, ensuring we meet our legal responsibilities.

13. WHAT SHOULD YOU DO IF YOU HAVE A COMPLAINT ABOUT A BREACH OF PRIVACY?

If you have any questions, comments, or concerns about our Privacy Policy or how we handle your personal information, please contact the CMRI Privacy Officer (details below) and provide relevant details so we can investigate and address the issue. We will treat your enquiry or complaint confidentially and respond within a reasonable timeframe.

If your concerns are not resolved to your satisfaction, you may contact the Office of the Australian Information Commissioner at www.oaic.gov.au and on 1300 363 992.

14. HOW TO CONTACT US

15. CHANGES TO THIS PRIVACY POLICY

CMRI may amend this Privacy Policy from time to time, with or without notice to you. We encourage you to review this Privacy Policy from time to time. Any changes will be updated on our websites. (The revised versions will take effect immediately upon publication).

Policy updated – January 2025