1.1 Our privacy obligations and commitments
Cancer Council Victoria is required to comply with the following laws when collecting, holding, using and disclosing personal information, including sensitive and health information: Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles in that Act (APPs), the Health Records Act 2001 (Vic) (Health Records Act) and the Health Privacy Principles (HPPs) in that Act. Cancer Council Victoria is committed to protecting personal and health information in accordance with those laws:
- in providing support and advice services to persons with cancer, their families, health professionals, and the community, carrying out cancer research, conducting fundraising and advocacy activities (Services); and
- maintaining the Victorian Cancer Registry on behalf of the Victorian Department of Health, to which the Improving Cancer Outcomes Act 2014 (Vic) also applies.
2.1 What is personal information?
Personal information is information or an opinion, whether it is true or not, about an individual whose identity is apparent, or can be reasonably ascertained, from that information or opinion.
2.2 What is sensitive information?
Sensitive information is a subset of personal information which is afforded a higher level of protection under the APPs. This includes information which relates to an individual's race or ethnic origin, political opinions or memberships of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association or union, sexual preferences or practices, criminal record, health information, genetic information that is not otherwise health information about an individual and biometric information. Our collection, use and disclosure of personal information, including sensitive information, will comply with the APPs.
2.3 What is health information?
Health information is personal information that is also information or an opinion about the physical, mental or psychological health of an individual, including an illness, disability or injury of an individual, an individual's expressed wishes for the future provision of their healthcare, or a health service provided to an individual. Health information also includes personal information that is collected to provide a health service or in connection with the donation of an individual's body parts, organs or body substances, or personal information that is genetic information about an individual that is predictive of the individual's health. Our collection use and disclosure of health information will also comply with the HPPs.
3. What personal information do we collect?
3.1 Types of information we collect
We collect personal information from individuals both to whom we provide, and who help us provide, our Services. This includes persons with cancer and their next of kin, employees, job applicants, donors, research study participants, recipients of support services, participants in advocacy campaigns, participants in education and training programs, health promotion projects or fundraising campaigns, health professionals, suppliers, volunteers, users of our social media pages and applications and our contractors and service providers.
The personal information we collect will depend on who you are and the purpose for which it is collected. We only collect personal information that is reasonably necessary to perform our functions or activities.
The kinds of personal information we may collect when dealing with you may include:
- your name, date of birth and gender;
- your contact information including address, postcode, email, telephone number and mobile number;
- your details regarding ethnicity, country of birth, whether you are an Aboriginal or Torres Strait Islander or language spoken at home;
- payment or billing information (including bank account details, credit card details, billing address and invoice details) for donations or the supply of our Services;
- your current location, if you are using one of our mobile applications and consent to this collection;
- details relating to the Services we have supplied you; and
- your username and password for accounts set up on our website including your Social ID if you choose to use it.
We may also collect the following types of personal information from you if you are a:
Person affected by cancer and next of kin:
- your health information and medical history in particular your history with, and relationship to, cancer including the type of cancer you have or your next of kin has suffered, your/their treatments, genetic and biometric information and biometric templates; and
- health information that is reported to and maintained on the Victorian Cancer Registry, which we administer. We may also collect government related identifiers, such as your Medicare number, in relation to the Victorian Cancer Registry. For further information about the Victorian Cancer Registry click here.
- health information and medical history, family history of cancer, genetic and biospecimen samples, biometric information, lifestyle information; and
- your opinions via surveys and questionnaires.
Job applicant, employee or contractor:
- your employment history, qualifications, resume and job references;
- your fitness for work, including police checks and security information from government agencies or departments (including Working with Children checks), health assessments and other personal information as part of your job application (only if appropriate and in compliance with the law);
- your banking details to process payments such as wages; and
- government related identifiers, such as your Tax File Number in compliance with the law.
Public participant in Cancer Council Victoria fundraising and support schemes and campaigns:
- your opinions via surveys and questionnaires;
- your insurance policies and details, which are only collected in limited circumstances such as where qualification for a particular Cancer Council Victoria program requires you to have certain insurances (for example, the Holiday Break Program); and
- details relating to donations you have made to us.
3.2 Dealing with us anonymously or using a pseudonym
Where practicable, you can deal with us anonymously or using a pseudonym. You can also choose to not provide us with some or all of your personal information. This may affect our ability to help or service you as fully as we would like. As required by law, you will not be anonymous to us if your health information is reported to the Victorian Cancer Registry.
4. How do we collect your personal information?
4.1 From you
Where reasonably practicable, we will collect your personal information directly from you. This may be in person (for example, where you purchase a retail product in-store or attend an event), on the telephone (for example, if you contact Cancer Council 13 11 20, or if you answer a telephone-based research questionnaire), by mail (for example, if you complete research study documentation or a survey) or online (for example, if you participate in an online survey, sign up for an event online or set up an account with us).
4.2 From the Victorian Cancer Registry
The Victorian government places an obligation on the proprietor of any Victorian hospital, private hospital, prescribed registered funded agency or prescribed health service establishment to disclose to the Victorian Cancer Registry information about any patient who has cancer. The aim of the Victorian Cancer Registry is to keep up-to-date and accurate information on all cancers in Victoria. This information is used to improve cancer prevention, control and treatment. Cancer Council Victoria is responsible for administering the Victorian Cancer Registry. For further information about the Victorian Cancer Registry including what data is collected and how data is registered click here.
4.3 From the Victorian Family Cancer Program
Through the Victorian Cancer Registry, Cancer Council Victoria also operates the Victorian Family Cancer Program (VFCP). The VFCP clinicians analyse cancer information to help make accurate cancer risk assessment and provide surveillance advice to their patients.
The type of information that is collected through the VFCP includes the name and signature of the person who has consented to the verification of their family’s history of cancer, along with the name and any history of cancer of relevant family members. All information is stored in a secure document management system throughout the verification process, and the person who requested the verification is not provided with access to identifiable information about their family members.
Post-verification, all information provided about the family and their history of cancer are de-identified and outcomes returned to the requesting family cancer centre. CCV does not retain or store any identifiable personal information about relevant family members after the verification has been processed. For further information about the VFCP, please contact the Victorian Cancer Registry using the details contained here.
4.4 From others
We may collect personal information from third parties such as contractors (including fundraising service providers) who provide Services to us and from health professionals and your next of kin (for example where you have consented, or are unable to provide us with your personal information directly or if a waiver has been granted).
This allows us to:
- maintain the continuity of your browsing session (eg. maintaining a shopping cart);
- remember your details and preferences when you return;
- use Google Analytics to collect information such as demographics and interests, visits to our websites, length of visit and pages viewed; and
- tailor our advertising through advertising networks on other websites.
You can set your browser to notify you when you receive a Cookie and this will provide you with an opportunity to either accept or reject it in each instance. Please note that if you do this, it may affect some of the functions on our website.
We may also gather your IP address as part of our business activities and to assist with any operational difficulties or support issues with our Services. This information does not identify you personally.
When you use our mobile applications, we may collect information from you, such as your profile, location and other relevant information, which is used to provide our Services. By providing us with this information, you are consenting to our collection and use of this information.
4.6 Social networking services
We use social networking services such as Twitter, Facebook and YouTube to engage interactively with you, our stakeholders, and the broader community. Where you have connected or communicated with us using these services (or where we have communicated with you), we may collect personal information about you which is relevant to that engagement (such as your networking name and the content of your comment or action). We will only collect this information for the purposes of facilitating our communications with you, providing customer support, and internally evaluating the effectiveness of our communications strategies. We may also use social networking services to recruit consenting participants for research related surveys with other partnering institutions. In such cases, personal information collected may be shared with those institutions with the consent of participants.
The social networking services will also handle your personal information for its own purposes. These services have their own privacy policies. You can access the privacy policies for Twitter, Facebook and YouTube on their websites.
5. Why do we collect your personal information and how do we use it?
In addition to collecting and using your personal information in order to carry out our Services, we collect and use your personal information for the purposes explained below:
5.1 Research purposes
Cancer Council Victoria may collect personal information to conduct and/or fund research into cancer causes, as well as prevention, diagnosis, treatment and survivorship. This may be directly from you with your consent or indirectly if there is a waiver of consent, including from the Victorian Cancer Registry. For information on disclosure for research, please see item 6.1.
Personal information collected for research purposes is not used for direct marketing unless your consent is obtained for that purpose.
Research studies which require ethics approval from an Australian Human Research Ethics Committee (HREC) may have additional obligations in relation to collection of personal information. Such projects will comply with the conditions of the ethics approval by the relevant HREC.
5.2 Direct marketing purposes
We may use personal information, including your name, contact phone number, address and email address, to send marketing and promotional information by post, email, social media or telephone including SMS. You may opt-out of receiving direct marketing communications from us at any time. If you do not opt-out, we will assume we have your ongoing consent to send information and communications.
If you wish to stop receiving direct marketing communications from us, please tell us at any time by following the opt-out instructions on the communication we send you or you can contact us using the details set out in item 11.1.
5.3 Other general purposes
Depending on what Services we are carrying out, we may collect personal information for a number of purposes, including:
- employment or engagement: to manage queries from or about a prospective, current or past employee or contractor;
- support services: to provide you with information and support services, and to evaluate and report on these services;
- health promotion: to provide information about cancer risk factors, such as UV exposure, tobacco and obesity, and to seek your support for relevant campaigns;
- education and training programs: to facilitate your participation, including through making travel and other logistical arrangements;
- volunteering and other support: to enable individuals to assist us with volunteering, community fundraising, advocacy and other activities where we seek the community’s assistance; and
- other purposes: to communicate with individuals in relation to our operations, activities, objectives or their enquiries, to verify their identity, to improve and evaluate our programs and Services and to comply with applicable laws.
In some cases, we may collect personal information as agent for Cancer Council Australia and other affiliate State and Territory Cancer Councils (for example, where we are the lead State on a national fundraising campaign).
Whenever practicable, we will provide you with a collection statement setting out the purpose for the collection and how you can contact us regarding your personal information.
6. Who do we disclose personal information to?
In order to carry out our Services and statutory functions and for the collection and purposes explained above, we may disclose appropriate personal and health information to others as set out below.
6.1 Disclosure for research
We may disclose your personal and health information, including data on the Victorian Cancer Registry, to researchers to conduct research studies into the causes of cancer, as well as diagnosis, treatment and cures. Typically, information provided for research projects is de-identified unless consent is obtained. Disclosure of personal and health information for research purposes will be subject to our legal obligations, as well as our strict internal policies and codes of practice including our Research Code of Practice which is based on the Australian Code for the Responsible Conduct of Research. For more information about disclosure of data on the Victorian Cancer Registry for research purposes click here.
6.2 Other general disclosures
Depending on how you engage with us, we may also make the following more general disclosures:
- external support services: to health care professionals, lawyers, counsellors, auditors, financiers, volunteers, agencies and not-for-profits that provide us or you with support services (only in limited and appropriate circumstances necessary to carrying out our Services);
- other charities: we may provide de-identified statistical information to other charities for marketing purposes;
- contractors and service providers: who perform services on our behalf, such as mailing houses, printers, information and web-based technology services providers (including interstate or offshore cloud computing service providers in Victoria and New South Wales , as well as offshore providers in Singapore or the United States), archiving services, database contractors and marketing agencies to perform services on our behalf;
- partners in our education and training programs: who may liaise with you to facilitate your participation and provide post-program support; and
- Cancer Council Australia and other affiliate State and Territory Cancer Councils.
We may also disclose data on the Victorian Cancer Registry to other third parties such as authorised health care professionals. For more information about other disclosures of data for other purposes click here.
7. Do we transfer or disclose personal information outside of Victoria and Australia?
- From time to time, we may disclose personal and health information, including but not limited to data on the Victorian Cancer Registry, to individuals and organisations who are located outside of Victoria and Australia. The locations of such individuals and organisations change from time to time and depending on the particular project or activity being engaged in, however Cancer Council Victoria will take steps to ensure that such individuals and organisations are subject to laws that apply in that location to sufficiently protect personal information; or
- a binding scheme or a contract with us which requires them to protect the information we disclose in a substantially similar way to the privacy obligations that we have.
Otherwise, we may disclose or transfer the information in compliance with the other provisions of HPP9 and/or APP8 as applicable.
The kinds of individuals and organisations to whom we may transfer/disclose information outside of Victoria include the third parties noted in section 6 above, such as contractors and service providers, partners in our education, research and training programs, and other affiliate Cancer Councils within Australia. Given the global nature of our research, we may also disclose de-identified information to organisations and researchers overseas.
8. How do we store and secure personal information?
We store personal and health information in both hardcopy and electronic form. We take reasonable steps to protect it from misuse, interference and loss, and from unauthorised access, modification or disclosure.
Some of the ways we do this include:
- storage of electronic information using a password protected electronic database;
- storage of hardcopy information on secure premises only accessible by authorised people;
- using Secure Socket Layer (SSL) certificates for encrypting your credit card and debit card numbers;
- financial information is encrypted on our servers and access to this information is restricted to authorised Cancer Council Victoria staff; and
- backing up and archiving information using secure archiving services within Victoria.
Where personal information is stored with a third party, we have arrangements which require those third parties to maintain the security of the information. We take reasonable steps to protect the privacy and security of that information. Because of the nature of our Services and functions, and the purposes for which we collect personal and health information, we are generally required to retain and hold much of this information for certain periods prescribed by relevant laws. For example, under HPP4, health information collected by Cancer Council Victoria as a health service provider cannot be destroyed for at least seven years and we will securely archive the information that we are not actively using.
If you communicate with us via email or over the internet we cannot guarantee its security.
If you believe that any of the personal information we may hold about you has been compromised in any way please let us know immediately so that we can investigate by contacting us on the details at item 11 at the end of this policy.
9. Can you access personal information that we hold about you?
9.1 Research participants
If you are a participant in Cancer Council Victoria research studies, you have the right to request access to certain information about you that is collected and held by us. This will include genetic information that is health or sensitive information about you. You also have the right to ask for certain information to be corrected. Access to some types of personal information, such as DNA sequences, is not generally granted.
9.2 General access
We will, upon your request, and subject to any exemptions in applicable privacy laws, provide you with access to the personal information that we hold about you. We will need to first identify you and know the type/s of information you require access to. We will endeavour to deal with access requests within 30 days. We may charge for our reasonable costs incurred in giving access to the information. If we deny access to any part of the personal information that is requested, we will notify you of our reasons in writing and how you can complain.
9.3 Access to data on the VCR
For more information about how to access your data on the VCR please click here.
10. How can you update and correct your personal information?
You can ask Cancer Council Victoria to correct or update personal information we hold about you at any time. We will need to verify your identity before making any corrections or changes to your information. We also have obligations to take reasonable steps to correct personal information we hold once we have been notified that it is inaccurate, out-of-date, incomplete or irrelevant or misleading for the purpose for which it is held.
If you require access to, or wish to update your personal information, please contact us on the details provided below. If we refuse your request, we will notify you in writing of our reasons and explain how you can complain.
11. How can you contact us or complain about our handling of your personal information?
11.1 Our contact details
Cancer Council Victoria
615 St Kilda Road, Melbourne, VIC 3004
Telephone: 03 9514 6100
11.2 Complaints to Cancer Council Victoria
If you wish to make a complaint about our handling of your personal information, please contact us on the details set out in item 11.1. To provide you with an appropriate response, we may need you to provide us with more information about your complaint and to verify your identity. We will investigate your complaint and endeavour to provide you with a response within 30 days of receipt of your complaint. If we cannot respond in the timeframe specified, we will contact you and explain the reason for the delay and give you a new timeframe for our response.
If you are not satisfied that we have resolved your complaint you can request that the matter is escalated to the Chief Executive Officer at the contact details set out in item 11.1.
11.3 External complaints about personal information
If you are still not satisfied that your complaint has been resolved by us, you may make a complaint to the Office of the Australian Information Commissioner (OAIC) which deals with complaints under the Privacy Act 1988 in relation to personal information. The OAIC can be contacted at:
Website: https://www.oaic.gov.au/about-us/contact-us/Telephone number: 1300 363 992
In writing: Office of the Australian Information Commissioner, GPO Box 5218, Sydney, NSW, 2001
11.4 External complaints about health information
For complaints about health information which is not covered under the Privacy Act 1988, such as the health information on the Victorian Cancer Registry, you can contact the Victorian Health Complaints Commissioner (who deals with complaints about the handling of health information under the Health Records Act), on the following details:
Telephone number: 1300 582 113
In writing: Health Services Commissioner, 26th Floor, 570 Bourke Street, Melbourne VIC 3000