Cancer Council Victoria Privacy Policy and Collection Statement
Effective date 18 April 2024
This Privacy Policy sets out how Cancer Council Victoria (ABN 61426486715), a not for profit company limited by guarantee (Cancer Council Victoria, we, us or our), will collect and handle your personal information, including sensitive and health information. It describes the types of information we collect and hold, why we do so, how we keep the information secure, how to access and correct the information and how to make a privacy complaint.
1. Our privacy obligations and commitments
Cancer Council Victoria is required to comply with the following laws when collecting, holding, using and disclosing personal information, including sensitive and health information:
- the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs) in that Act; and
- the Health Records Act 2001 (Vic) (Health Records Act) and the Health Privacy Principles (HPPs) in that Act.
- Cancer Council Victoria is committed to protecting the personal and health information it collects and handles in accordance with those laws in the course of performing its general services and operations (Services), such as:
- providing support and advice services to persons with cancer, their families, health professionals and the community;
- funding, reviewing or carrying out research or evaluation activities (including biobanking activities);
- conducting our health awareness and cancer prevention programs (including Quitline);
- supplying products to consumers via our e-commerce store; and
- conducting fundraising and advocacy activities; and
- maintaining the Victorian Cancer Registry (VCR) on behalf of the Victorian Department of Health, to which the Improving Cancer Outcomes Act 2014 (Vic) and the Privacy and Data Protection Act 2014 (Vic) Act (PDP Act) also apply.
In this Privacy Policy, references to “you” or “your” are references to persons with cancer and their next of kin who access our Services, employees, job applicants, committee members, donors, research study participants, research grant applicants and recipients, researchers seeking ethical review, research program collaborators and partners, users of Cancer Council Victoria’s Human Research Ethics Committee, recipients of support services, participants in advocacy campaigns, participants in education and training programs, health promotion projects or fundraising campaigns, health professionals, suppliers, volunteers, users of our social media pages, applications and websites, customers of our e-commerce store, our contractors and service providers, and any other individuals we deal with in the course of managing our organisation and providing our Services.
2. Definitions
2.1 What is personal information?
Personal information is information or an opinion, whether it is true or not, about an individual whose identity is apparent, or can be reasonably ascertained, from that information or opinion.
For the purposes of this Privacy Policy, a reference to personal information should be read as including sensitive and health information, unless otherwise specified.
2.2 What is sensitive information?
Sensitive information is a subset of personal information which is afforded a higher level of protection under the APPs. This includes information which relates to an individual's race or ethnic origin, political opinions or memberships of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association or union, sexual preferences or practices, criminal record, health information, genetic information that is not otherwise health information about an individual and biometric information. Our collection, use and disclosure of personal information, including sensitive information, will comply with the APPs.
2.3 What is health information?
Health information is personal information that is also information or an opinion about the physical, mental or psychological health of an individual, including an illness, disability or injury of an individual, an individual's expressed wishes for the future provision of their healthcare, or a health service provided to an individual. Health information also includes personal information that is collected to provide a health service or in connection with the donation of an individual's body parts, organs or body substances, or personal information that is genetic information about an individual that is predictive of the individual's health. Our collection use and disclosure of health information will also comply with the HPPs.
2.3 What is health information?
Health information is personal information that is also information or an opinion about the physical, mental or psychological health of an individual, including an illness, disability or injury of an individual, an individual's expressed wishes for the future provision of their healthcare, or a health service provided to an individual. Health information also includes personal information that is collected to provide a health service or in connection with the donation of an individual's body parts, organs or body substances, or personal information that is genetic information about an individual that is predictive of the individual's health. Our collection use and disclosure of health information will also comply with the HPPs.
3. What personal information do we collect?
3.1 Types of information we collect
We collect personal information from individuals we provide our Services to, individuals who help us provide our Services and other individuals who interact with us. For more information about the types of people about whom we may collect personal information, please see the description of ‘you’ and ‘your’ at the beginning of this Privacy Policy.
The personal information we collect will ultimately depend on who you are, how you have engaged with us and the purpose for which it is collected. We only collect personal information that is reasonably necessary to perform our functions or activities.
The kinds of personal information we may collect when dealing with you may include:
- your name, date of birth and gender;
- your contact information including address, postcode, email, telephone number and mobile number;
- your details regarding ethnicity, country of birth, whether you are an Aboriginal or Torres Strait Islander and preferred language spoken at home;
- payment or billing information (including bank account details, credit card details, billing address and invoice details) for donations or the supply of our Services;
- your current location, if you are using one of our mobile applications and consent to this collection;
- details relating to the Services we have supplied you; and
- your username and password for accounts set up on our websites, including your Social ID if you choose to use it
We may also collect the following types of personal information from you if you are a:
Person affected by cancer and next of kin:
- your health information and medical history, in particular your history with, and relationship to, cancer including the type of cancer you have or your next of kin has suffered, your/their treatments, genetic and biometric information and biometric templates
- health information that is reported to and maintained on the VCR, which we administer. We may also collect government related identifiers, such as your Medicare number in relation to the VCR. For further information about the VCR click here; and
- financial information you choose to provide when participating in financial counselling sessions as part of our Financial and Legal Support programs.
Research participant (including those who participate in the Victorian Cancer Biobank's research activities):
- health information and medical history, family history of cancer or disease (research study dependent), infectious disease status, biological samples, biometric and anthropometric information, behavioural and lifestyle information, treatment information (including participation in clinical trials), clinical imaging and digital imaging;
- emergency contact or nominated contact person information;
- other information necessary to perform the study (which you have consented to provide in accordance with the collection statement and consent form relevant to the specific study), or that you have otherwise provided to us in connection with the study. This may also include your sensitive information, depending on the nature of the study.
Job applicant, employee or contractor:
- your employment history, qualifications, resume and job references;
- your fitness for work, including police checks and security information from government agencies or departments (including Working with Children checks, right to work checks (including passport information) and licensing checks (e.g. status of professional qualifications)), health assessments and other personal information as part of your job application (only if appropriate and in compliance with the law)
- next of kin and emergency contact information;
- your banking details to process payments, such as wages;
- superannuation details;
- government related identifiers, such as your Tax File Number in compliance with the law; and
- any other information relevant to your employment or engagement with us.
Public participant in Cancer Council Victoria fundraising and support schemes and campaigns:
- your opinions via surveys and questionnaires;
- your insurance policies and details, which are only collected in limited circumstances such as where qualification for a particular Cancer Council Victoria program requires you to have certain insurances (for example, the Holiday Break Program); and
- details relating to donations you have made or intend to make to us (including bequests), including your name, email and physical address and other personal information you provide to us or that we store in connection with your donation; and
- information relating to any volunteering or fundraising activities you engage in with us.
Participant in Cancer Council Victoria education and training programs:
- your name and your educational and professional background;
- personal information relevant to making travel or event bookings, including visa status and relevant health information (e.g. dietary restrictions);
- photographs for identification purposes; and
- your opinions via surveys and questionnaires.
Health professional, including participants of our Clinical Network program or subscribes to our Health Professional eNews:
- your role or job title;
- information about your profession and qualifications;
- your employing or engaging organisation; and
- your professional interests or areas of expertise.
Member of our Consumer Advisory Network or focus group/interview participant:
- any disability status you may have;
- your LGBTIQA+ identity;
- your role or job title;
- information about your profession and qualifications;
- your employing or engaging organisation;
- your professional interests or areas of expertise;
- your opinions via surveys and questionnaires; and
- any other personal information that you provide to us.
3.2 Dealing with us anonymously or using a pseudonym
Where practicable, you can deal with us anonymously or using a pseudonym. You can also choose to not provide us with some or all of your personal information. This may affect our ability to help or service you as fully as we would like. As required by law, you will not be anonymous to us if your health information is reported to the Victorian Cancer Registry.
4. How do we collect your personal information?
4.1 From you
Where reasonably practicable, we will collect your personal information directly from you. This may be in person (for example, where you purchase a retail product in-store or attend an event), on the telephone (for example, if you contact Cancer Council 13 11 20 or if you answer a telephone-based research questionnaire), by mail (for example, if you complete research study documentation or a survey) or online (for example, if you participate in an online survey, make a donation, register for an online learning program, purchase from our e-commerce store, sign up for an event online or set up an account with us online).
4.2 From the Victorian Cancer Registry
The Victorian government places an obligation on the proprietor of any Victorian hospital, private hospital, pathology laboratory, radiotherapy service or prescribed registry to disclose to the VCR information about any patient who has cancer or a precursor to cancer. The aim of the VCR is to keep up-to-date and accurate information on all cancers in Victoria. This information is used to improve cancer prevention, control and treatment. Cancer Council Victoria is responsible for administering the VCR. For further information about the VCR, including what data is collected by the VCR, click here.
4.3 From the Victorian Family Cancer Program
Through the VCR, Cancer Council Victoria also operates the Victorian Family Cancer Program (VFCP). The VFCP clinicians analyse cancer information to help make accurate cancer risk assessment and provide surveillance advice to their patients.
The type of information that is collected through the VFCP includes the name and signature of the person who has consented to the verification of their family’s history of cancer, along with the name and any history of cancer of relevant family members. All information is stored in a secure document management system throughout the verification process.
Post-verification, all information provided about the family and their history of cancer are de-identified and outcomes returned to the requesting family cancer centre. Cancer Council Victoria has an agreement with each of the family cancer centres which provides that none of the verified information is shared with the patient. Cancer Council Victoria does not retain or store any identifiable personal information about relevant family members after the verification has been processed. For further information about the VFCP, please contact the VCR using the details contained here.
4.4 From others
We may also collect personal information from other third parties such as:
- contractors (including fundraising service providers) who help us to provide our Services;
- organisations or research partners with whom we conduct research or evaluations, if you are a participant in the relevant research or evaluation; or
- health professionals, other organisations holding your records, or your next of kin, for example, where you have consented, or are unable to provide us with your personal information directly (or other grounds permit or require us to collect such information).
4.5 When you access our website
When you access our websites, we or our third-party service providers may use “cookies”.
We may also use software (such as JavaScript), or similar technology.
We may also gather your IP address as part of our business activities and to assist with any operational difficulties or support issues with our Services. This information does not identify you personally.
What are cookies:
Cookies are small data files stored in your device’s memory that do not, of themselves, identify individuals personally but do identify devices.
What cookies do we use and why:
Cookies help us to provide customised services and information. For example, to allow us to:
- maintain the continuity of your browsing session (e.g. maintaining a shopping cart);
- remember your details and preferences when you return;
- use Google Analytics to collect information, such as demographics and interests, visits to our websites, length of visit and pages viewed; and
- tailor our advertising through advertising networks on other websites.
We generally use cookies on our websites for the following purposes:
- Where necessary: These cookies are necessary for the basic functions of the website, and the website will not work in its intended way without them. These cookies do not store any personally identifiable data.
- Functionality: These cookies help to perform certain functionalities. For example, recognising a user that has visited the website before, or remembering any preferences previously selected, such as preferred language or location.
- Analytics: These cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
- Performance: These cookies are used to understand and analyse the key performance indexes of the website which helps in delivering a better user experience for visitors.
- Advertisement: These cookies are used to provide visitors with customised advertisements based on the pages they have visited before and analyse the effectiveness of the ad campaign.
How can you control your cookie preferences?
You can set your browser to notify you when you receive a cookie and this will provide you with an opportunity to either accept or reject it in each instance. Please note that if you do this, it may affect some of the functions on our websites.
Third party cookies
When you visit our website, you may receive cookies that are set by third parties. For example, you may receive a cookie set by Google.
We do not control the setting of these third-party cookies, so we suggest you might wish to check the third-party website for more information about their use of cookies and how to manage them.
4.6 Mobile applications
When you use our mobile applications, we may collect information from you, such as your profile, location and other relevant information, which is used to provide our Services. By providing us with this information, you are consenting to our collection and use of this information.
4.7 Social networking services
We use social networking services such as Facebook, Instagram, Twitter, LinkedIn and YouTube to engage interactively with you, our stakeholders and the broader community. Where you have connected or communicated with us using these services (or where we have communicated with you), we may collect personal information about you which is relevant to that engagement (such as your networking name and the content of your comment or action). We will only collect this
information for the purposes of facilitating our communications with you, providing customer support, telemarketing and internally evaluating the effectiveness of our communications strategies. We may also use social networking services to recruit consenting participants for research related surveys with other partnering institutions. In such cases, personal information collected may be shared with those institutions with the consent of participants.
The social networking services will also handle your personal information for its own purposes. These services have their own privacy policies. You can access the privacy policies for Meta (Facebook and Instagram), Twitter, LinkedIn and YouTube on their websites.
5. Why do we collect your personal information and how do we use it?
We will generally collect and use your personal information in order to carry out, evaluate and improve our Services and to maintain the VCR (as relevant to how you have interacted with us and the type of personal information, we have collected about you). In addition to this, we may also collect and use your personal information for the purposes explained below:
5.1 Research and evaluation purposes
Cancer Council Victoria may collect personal information to conduct and/or fund research, evaluation or research-related services and activities (such as the Victorian Cancer Biobank), typically in relation to factors associated with the development of cancer and other diseases, as well as cancer prevention, diagnosis, treatment, and survivorship. This may be directly from you with your consent or indirectly in accordance with item 4 above, including from the VCR. For information on disclosure for research, please see item 6.1 below.
Personal information collected for research and evaluation purposes is not used for direct marketing unless your consent is obtained for that purpose.
Research studies which require ethics approval from an Australian Human Research Ethics Committee (HREC) may have additional obligations in relation to the collection of personal information. Such projects will comply with the conditions of the ethics approval by the relevant HREC.
5.2 Fundraising and direct marketing purposes
We may use personal information, including your name, contact phone number, address and email address, to send fundraising, marketing and promotional information by post, email, social media or telephone, including SMS. You may opt-out of receiving direct marketing communications from us at any time. If you do not opt-out, we will assume we have your ongoing consent to send information and communications.
If you wish to stop receiving direct marketing communications from us, please tell us at any time by following the opt-out instructions on the communication we send you or you can contact us using the details set out in item 11.1.
5.3 Other general purposes
Depending on what Services we are carrying out, we may collect personal information for a number of additional purposes, including:
- employment or engagement: to manage queries from or about a prospective, current or past employee, volunteer or contractor, including conducting employee and volunteer surveys;
- support services: to provide you with information and support services, and to evaluate and report on these services;
- health promotion: to provide information about cancer risk factors, such as UV exposure, tobacco and obesity, and to seek your support for relevant campaigns;
- education and training programs: to facilitate your participation, including through making travel and other logistical arrangements, and to notify your professional regulatory or other governance body of your course completion (where you have consented to this);
- volunteering and other support: to enable individuals to assist us with volunteering, community fundraising, advocacy and other activities where we seek the community’s assistance;
- safety and security: to ensure we keep our premises safe, such as via general video surveillance; and
- other purposes: to communicate with individuals in relation to our operations, activities, objectives or their enquiries, to verify their identity, to improve and evaluate our programs and Services and to comply with applicable laws.
- In some cases, we may collect personal information as agent for Cancer Council Australia and other affiliate State and Territory Cancer Councils (for example, where we are the lead State on a national fundraising campaign).
- Whenever practicable, we will provide you with a collection statement setting out the purpose for the collection and how you can contact us regarding your personal information.
6. Who do we disclose personal information to?
In order to carry out our Services and statutory functions and for the collection and purposes explained above, we may disclose personal and health information to third parties, as set out below.
6.1 Disclosure for research an evaluation purposes
We may disclose your personal and health information (including data on the VCR) to researchers, research partners or other organisations engaged to conduct or collaborate with us to conduct research into or evaluation projects in relation to factors associated with the causes of cancer and other diseases, as well as prevention, diagnosis, treatment and survivorship.
Typically, information provided for research and evaluation projects is de-identified unless consent is obtained. Disclosure of personal and health information for research or evaluation purposes will be subject to:
- where you have consented to participate in a research and evaluation project, the terms outlined in the participant collection statement and consent form for the relevant project;
- our legal obligations; and
- our strict internal policies and codes of practice, including our Research Policy, which is based on the Australian Code for the Responsible Conduct of Research.
6.2 Other general disclosures
Depending on how you engage with us, we may also make the following more general disclosures:
- external support services: to health care professionals, lawyers, counsellors, auditors, financiers, volunteers, agencies and not-for-profits that provide us or you with support services (only in limited and appropriate circumstances necessary to carrying out our Services);
- other charities: we may provide de-identified statistical information to other charities for marketing purposes;
- contractors and service providers: who perform services on our behalf, such as mailing houses, printers, information and web-based technology services providers (including interstate or offshore cloud computing service providers in Victoria and New South Wales , as well as offshore providers in Singapore or the United States), archiving services, database contractors and marketing agencies to perform services on our behalf;
- partners in our education and training programs: who may liaise with you to facilitate your participation and provide post-program support; and
- Cancer Council Australia and other affiliate State and Territory Cancer Councils.
- We may also disclose data on the VCR to other third parties, such as authorised health care professionals. For more information about other disclosures of VCR data click here.
7. Do we transfer or disclose personal information outside of Victoria and Australia?
From time to time, we may disclose personal and health information, including but not limited to data on the VCR, to individuals and organisations who are located outside of Victoria and Australia.
The kinds of such individuals and organisations to whom we may transfer/disclose information include the third parties noted in item 6 above, such as contractors and service providers, partners in our education, research and training programs and other affiliate Cancer Councils within Australia. Given the global nature of our research, we may also disclose de-identified information to organisations and researchers overseas.
These offshore and interstate locations of such individuals and organisations change from time to time and depending on the particular project or activity being engaged in. However Cancer Council Victoria will take steps to ensure that such individuals and organisations are subject to:
- laws that apply in that location to sufficiently protect personal information; or
- binding scheme or a contract with us which requires them to protect the information we disclose in a substantially similar way to the privacy obligations that we have.
Otherwise, we may disclose or transfer the information in compliance with the other provisions of HPP9 and/or APP8 as applicable.
8. How do we store and secure personal information?
We store personal and health information in hardcopy and/or electronic form. We take reasonable steps to protect it from misuse, interference and loss, and from unauthorised access, modification or disclosure.
Some of the ways we do this include:
- restricting access to personal information to authorised employees that need it and whose accounts are protected with Multi-Factor Authentication (MFA);
- ensuring that employees are subject to confidentiality agreements;
- de-identifying personal information where possible;
- performing regular security updates of servers and workstations to protect personal information from evolving threats;
- storage of hardcopy information on secure premises only accessible by authorised people;
- using Secure Socket Layer (SSL) certificates for encrypting your credit card and debit card numbers – we do not store credit card information;
- financial information is encrypted on our servers and access to this information is restricted to authorised Cancer Council Victoria staff; and
- backing up and archiving information using secure archiving services within Victoria.
Where personal information is stored with a third party, we have arrangements which require those third parties to maintain the security of the information. We take reasonable steps to protect the privacy and security of that information.
Because of the nature of our Services and functions, and the purposes for which we collect personal and health information, we are generally required to retain and hold much of this information for certain periods prescribed by relevant laws. For example, under HPP4, health information collected by Cancer Council Victoria as a health service provider cannot be destroyed for at least seven years and we will securely archive the information that we are not actively using. Where prescribed timeframes do not apply, we give careful consideration as to how long we should retain certain types of personal information, and ensure it is securely destroyed or permanently de-identify once those timeframes end.
If you communicate with us via email or over the internet we cannot guarantee its security. If you believe that any of the personal information we may hold about you has been compromised in any way, please let us know immediately so that we can investigate by contacting us on the details in item 11.1 at the end of this policy.
9. Can you access personal information that we hold about you?
9.1 Research and evaluation participants
If you are a participant in Cancer Council Victoria research or evaluation studies and we have collected your personal information, you have the right to request access to certain information about you that is collected and held by us (including genetic information that is of established clinical significance appropriate to relevant program ethical and consent requirements). You also have the right to ask for certain information to be corrected. Access to some types of personal information, such as full DNA sequences, is not generally granted.
9.2 General access
We will, upon your request, and subject to any exemptions in applicable privacy laws, provide you with access to the personal information that we hold about you. We will need to first identify you
and know the type/s of information you require access to. We will endeavour to deal with access requests within 30 days. We may charge for our reasonable costs incurred in giving access to the information. If we deny access to any part of the personal information that is requested, we will notify you of our reasons in writing and how you can complain.
9.3 Access to data on the VCR
For more information about how to access your data on the VCR, please click here.
10. How can you update and correct your personal information?
You can ask Cancer Council Victoria to correct or update personal information we hold about you at any time. We will need to verify your identity before making any corrections or changes to your information. We also have obligations to take reasonable steps to correct personal information we hold once we have been notified that it is inaccurate, out-of-date, incomplete or irrelevant or misleading for the purpose for which it is held.
If you require access to, or wish to update your personal information, please contact us on the details set out in item 11.1. If we refuse your request, we will notify you in writing of our reasons and explain how you can complain.
11. How can you contact us or complain about our handling of your personal information?
11.1 Our contact details
For all queries, requests and information about our Privacy Policy or our management of personal and health information, please contact our Privacy Officer on the following details:
Address:
Cancer Council Victoria
Level 8, 200 Victoria Parade, East Melbourne, 3002
Telephone: 03 9514 6100
Email: enquiries@cancervic.org.au
11.2 Complaints to Cancer Council Victoria
If you wish to make a complaint about our handling of your personal information, please contact us on the details set out in item 11.1. To provide you with an appropriate response, we may need you to provide us with more information about your complaint and to verify your identity. We will investigate your complaint and endeavour to provide you with a response within 30 days of receipt of your complaint. If we cannot respond in the timeframe specified, we will contact you and explain the reason for the delay and give you a new timeframe for our response.
If you are not satisfied that we have resolved your complaint you can request that the matter is escalated to the Chief Executive Officer at the contact details set out in item 11.1.
11.3 External complaints about personal information
If you are still not satisfied that your complaint has been resolved by us, you may make a complaint to the Office of the Australian Information Commissioner (OAIC) which deals with complaints under the Privacy Act in relation to personal information. The OAIC can be contacted at: Website: https://www.oaic.gov.au/about-us/contact-us/
Telephone: 1300 363 992
In writing: Office of the Australian Information Commissioner, GPO Box 5218, Sydney, NSW, 2001
11.4 External complaints about health information
For complaints about health information which is not covered under the Privacy Act 1988, such as the health information on the Victorian Cancer Registry, you can contact the Victorian Health Complaints Commissioner (who deals with complaints about the handling of health information under the Health Records Act), on the following details:
Website: https://www.vic.gov.au/department-health
Telephone: 1300 582 113
In writing: Health Services Commissioner, 26th Floor, 570 Bourke Street, Melbourne VIC 3000
12. Updates to and availability of this Privacy Policy
This Privacy Policy may be reviewed and amended from time to time to reflect changes to our practices, policies, systems and legal obligations. Any changes to this Privacy Policy will take effect from the date of posting on our website.
A copy of this Privacy Policy is available for download from our website or by contacting the Privacy Officer on the details set out in item 11.1.