FSHD MEDICAL EDUCATION PORTAL PRIVACY POLICY (PRIVACY ACT)

1. SECTION 1 – RESPONSIBILITIES AND OVERVIEW

1.1 Introduction

1.2 Definitions

1.2.1 The Act defines:

(a) “personal information” as information or an opinion about an identified individual, or an individual who is reasonably identifiable:

(i) whether the information or opinion is true or not; and
(ii) whether the information or opinion is recorded in a material form or not.

(b) “health information” as:

(i) information or an opinion about:

(A) the health, including an illness, disability or injury, (at any time) of an individual; or

(B) an individual’s expressed wishes about the future provision of health services to the individual; or

(C) a health service provided, or to be provided, to an individual; that is also personal information;

(ii) other personal information collected to provide, or in providing, a health service to an individual;
(iii) other personal information collected in connection with the donation, or intended donation, by an individual of his or her body parts, organs or body substances;
(iv) genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual.

(c) “sensitive information” means:

(i) information or an opinion about an individual’s:

(A) racial or ethnic origin; or

(B) political opinions; or

(C) membership of a political association; or

(D) religious beliefs or affiliations; or

(E) philosophical beliefs; or

(F) membership of a professional or trade association; or

(G) membership of a trade union; or

(H) sexual orientation or practices; or

(I) criminal records;
that is also personal information; or
(ii) health information about an individual; or
(iii) genetic information about an individual that is not otherwise health information; or
(iv) biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or
(v) biometric templates.

1.2.2 In this policy, unless otherwise indicated by the context, FSHD:

(a) “collects” PSHI only if it collects such PSHI for inclusion in a record or generally available publication, which includes gathering, acquiring or obtaining PSHI from any source and by any means;

(b) “holds” PSHI if it has possession or control of a record that contains the PSHI, extending beyond physical possession of a record to include a record that FSHD has the right or power to deal with;

(c) “uses” PSHI where it handles or undertakes an activity with the information, within FSHD’s effective control; and

(d) “discloses” PSHI where it makes it accessible to others outside FSHD and releases the subsequent handling of the information from its effective control.

1.2.3 In this policy, unless otherwise indicated by the context:

(a) “APP or APPs” means the Australian Privacy Principles which are the cornerstone of the privacy protection framework in the Act and govern standards, rights and obligations around:

(i) the collection, use and disclosure of personal information;

(ii) an organisation or agent’s governance and accountability;

(iii) integrity and correction of personal information; and

(iv) the rights of individuals to access their personal information.

(b) “Commissioner” means the Office of the Australian Information Commissioner (OAIC).

(c) “consent” means express consent or implied consent.

(d) “de-identification” means the PSHI is no longer about an identifiable individual or an individual who is reasonably identifiable.

(e) “information security” involves all measures used to protect any information generated by an entity or individual, that is not intended to be publicly available, from compromise, loss of integrity or unavailability.

(f) “personal information security” means the reasonable steps FSHD will take to protect PSHI from misuse, interference and loss, as well as unauthorised access, modification or disclosure.

(g) “PJ Lab” means Peter Jones and Takako Jones Lab forming part of the University of Nevada, Reno School of Medicine, an overseas recipient.

(h) “PSHI” means personal, sensitive and health information.

(i) “Saliva Research Test” means the method of collecting DNA through a person’s saliva for genetic testing for the purposes of research into a treatment and cure for Facioscapulohumeral Dystrophy.

(j) “Saliva Research Test Kit” means the kit issued by FSHD to you and identified in clause 2.5 for the purposes of conducting the Saliva Research Test.

(k) “unsolicited PSHI” occurs when FSHD receives PSHI in circumstances where it has not taken any active steps to collect the PSHI.

1.3 Management of Personal, Sensitive, Health and Confidential Information (Relating to an Individual)

1.3.1 FSHD is committed to the responsible and transparent handling of personal, sensitive, health and confidential information and to protecting the right to privacy of individuals.

1.3.2 FSHD will not engage in a practice that breaches any relevant privacy or data protection legislation in Australia or other jurisdiction in which FSHD operates; except where the Australian or international jurisdiction legislation specifically requires or allows the practice.

1.3.3 The policy also applies to unsolicited information received.

1.3.4 FSHD will offer you the option of not identifying yourself, or of using a pseudonym, where it is practical to do so.

1.4 Privacy Officer

1.4.1 FSHD’s Privacy Officer is responsible for updating FSHD’s privacy policies, conducting regular staff training, receiving and responding to questions about FSHD’s privacy policies, handling complaints, maintaining records and responding to any data breaches that occur.

1.4.2 The Privacy Officer can be contacted as follows:

The Privacy Officer

FSHD Global Research

PO Box A296, Sydney South NSW 1235

Sydney NSW 2000

Email: admin@fshdglobal.org

1.4.3 In the event the complaint is not resolved internally, you may also lodge a complaint with the Office of the Australian Information Commissioner (OAIC). Contact details can be found at OAIC’s website: oaic.gov.au

1.5 Safeguards

1.5.1 FSHD takes all reasonable steps to ensure that the PSHI it holds is protected from loss, misuse, interference as well as unauthorised access, modification or disclosure. Reasonable steps include:

(a) ongoing training;

(b) implementation of and regular reviews of internal practices, procedures and systems;

(c) keeping employee access and authorisation up-to-date; and

(d) updating IT systems and practices.

1.5.2 PSHI collected is stored:

(a) electronically within an external internet-based server and also an internal server as back up; and

(b) personal and sensitive information relating to our donor base is stored within a password-secured CRM program.

1.5.3 PSHI collected by FSHD is only accessible by authorised employees and contractors who may require access in connection with the purposes described in this policy.

1.5.4 FSHD uses a range of hardware and software security measures to protect its information and your PSHI.

1.6 Access Authorisation

1.6.1 FSHD grants access to employees based on their employment duties and responsibilities.

1.6.2 The Privacy Officer, in collaboration with FSHD’s Chief Executive Officer (CEO), is responsible for determining which employees and/or contractors require access to PSHI and the level of access they require. In the case of employees, access will be limited to senior management. This is determined on a case-by-case basis.

1.6.3 Once a determination is made in respect of an employee’s authorisation access, FSHD’s CEO, who also acts as FSHD’s internal information technology manager, will impose the approved authorisation access levels.

1.6.4 Employees and/or contractors who are authorised to access PSHI in accordance with this clause 1.6 will be managed by FSHD’s Chairperson and/or CEO.

1.7 Exclusions

1.7.1 The policy does not apply to personal information or data which has been manifestly made public by the data subject or is legitimately already within the public domain.

2. SECTION 2 – COLLECTION, USE AND DISCLOSURE OF AND ACCESS TO PERSONAL, SENSITIVE AND/OR HEALTH INFORMATION (PSHI)

2.1 Collection of PSHI

2.1.1 FSHD may only collect personal information where it is reasonably necessary for one or more of its functions or activities.

2.1.2 FSHD may only collect sensitive information in accordance with clause and the individual concerned consents to the collection, unless one of the following exceptions applies:
(a) collecting sensitive information as required or authorised by law;
(b) collecting sensitive information where a permitted general situation exists;
(c) collecting sensitive information where a permitted health situation exists;
(d) collecting sensitive information for an enforcement related activity; or
(e) collection of sensitive information by a non-profit organisation.

2.1.3 FSHD will only solicit and collect PSHI by lawful and fair means and directly from the individual, unless an exception applies.

2.1.4 PSHI may be collected from you when:
(a) you register for the Site;
(b) you complete a patient survey;
(c) you register your interest to participate in a clinical trial;
(d) you register to receive our newsletter;
(e) you attend an FSHD event advertised on the Site; and
(f) you make a donation through the Site.

2.1.5 Solicited PSHI

FSHD solicits PSHI where it explicitly requests another entity or an individual to provide PSHI, or it takes active steps to collect PSHI. FSHD shall only solicit PSHI in accordance with clauses 2.1.1 and 2.1.2.

2.1.6 Unsolicited PSHI

(a) In the event FSHD receives unsolicited PSHI, it is required to, within a reasonable period after receiving such PSHI, decide whether or not it could have collected the PSHI through solicited means.
(b) If FSHD determines that it could not have solicited the PSHI and the PSHI is not contained in a Commonwealth record, FSHD will take all reasonable steps to destroy or de-identify the PSHI as soon as practicable and if it is lawful to do so.
(c) If FSHD determines that it could have solicited the PSHI, or the information is contained in a Commonwealth record, or FSHD is not required to destroy or de-identify the PSHI because it would be unlawful or unreasonable to do so, FSHD shall be entitled to hold the PSHI and shall deal with it in accordance with this policy.

2.2 Use and Disclosure of PSHI

2.2.1 PSHI is of no value to FSHD unless the business can make use of it. PSHI may be used for the following purposes:
(a) aid further research into Facioscapulohumeral Dystrophy;
(b) aid with the objectives of FSHD and more specifically, the Site;
(c) to raise funds through corporate donors;
(d) to communicate with you regarding developments and improvements; and
(e) updates on medical research and new versions and features of the Site and proposed or actual clinical trials.

2.2.2 FSHD will take all reasonable steps, at the time of collection and at the time the PSHI is used or disclosed, to ensure that the PSHI we hold is:
(a) accurate;
(b) up-to-date;
(c) complete;
(d) relevant; and
(e) not misleading.

2.2.3 For the purposes of clauses 2.2.2 and 2.3.2, these words have the following meanings:
(a) “accurate” means the PSHI does not contain an error or defect and is not otherwise misleading.
(b) “complete” means the PSHI held by FSHD presents a true or full picture having regard to the purpose for which it is collected, used or disclosed.
(c) “relevant” means the PSHI held by FSHD has a bearing upon or connection to the purpose for which the PSHI is collected, used or disclosed.
(d) “up-to-date” means that the PSHI held by FSHD is current for the purpose for which it is collected, used or disclosed.

2.2.4 FSHD may undertake regular reviews of the PSHI it holds to ensure its quality.

2.2.5 In order to achieve the objectives of FSHD and in particular, the objectives of the Medical Education Portal, FSHD may need to disclose your PSHI to third parties. The third parties include but are not limited to:
(a) third parties that require information to undertake the business of FSHD and/or fulfil the objectives of the Site;
(b) agents and contractors that support FSHD and have verified that they comply with all applicable privacy laws and principles, including but not limited to:
(i) service providers;
(ii) financial organisations;
(iii) support services; and
(iv) government agencies.

2.2.6 FSHD can only use or disclose your PSHI for a purpose for which it was collected, that is, in a way that you, as the owner of the PSHI, would expect. This is known as the ‘primary purpose’.

2.2.7 In addition, FSHD can use or disclose your PSHI if one of the exceptions applies. This is known as the ‘secondary purpose’ and such exceptions include but are not limited to:
(a) you consented to a secondary use or disclosure;
(b) you would reasonably expect the secondary use or disclosure, and that it is related to the primary purpose of collection or, in the case of sensitive information, directly related to the primary purpose;
(c) the secondary use or disclosure of the personal information is required or authorised by or under an Australian law or a court/tribunal order;
(d) a permitted general situation exists in relation to the secondary use or disclosure of the personal information by FSHD;
(e) FSHD is an organisation and a permitted health situation exists in relation to the secondary use or disclosure of the personal information by FSHD;
(f) FSHD reasonably believes that the secondary use or disclosure is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body; and
(g) FSHD may disclose biometric information or biometric templates if it is not an enforcement body, the recipient of the information is not an enforcement body and disclosure is conducted in accordance with guidelines made by the Commissioner for the purposes of APP 6.3.

2.2.8 FSHD is permitted to disclose personal information (other than sensitive information) to a related body corporate. A related body corporate is defined by the Corporations Act 2001 (Cth). Two bodies corporate are related if one is a:
(a) holding company of the other; or
(b) subsidiary of the other; or
(c) subsidiary of a holding company of the other.

2.2.9 Cross-border disclosure
(a) For the purposes of this clause 0, “overseas recipient” means a person who receives PSHI from FSHD and is not:
(i) in Australia or an external Territory;
(ii) FSHD disclosing the PSHI; and
(iii) the individual to whom the PSHI relates.
(b) FSHD shall only disclose PSHI to an overseas recipient once it has taken all reasonable steps to ensure that the overseas recipient does not breach the APPs and is satisfied that the overseas recipient agrees to comply with this policy.
(c) The PSHI that FSHD collects from you as a result of you completing the Questionnaire and/or Saliva Research Test Questions referred to in clause 2.5 will likely be disclosed to an overseas recipient, namely PJ Labs, particularly in circumstances where you consent to engaging in the Saliva Research Test process. The disclosure of the PSHI to and use by PJ Labs is governed by this policy and more specifically referred to in clause 2.5.3.

2.2.10 Direct marketing
(a) FSHD will not use or disclose PSHI that it holds for the purpose of direct marketing, that is, the use or disclosure of PSHI to communicate directly with an individual to promote goods and services, unless an exception applies.
(b) You may “opt out” of receiving communications from FSHD at any time by using the “unsubscribe” link in emails, or by contacting the Privacy Officer.

2.3 Access to and correction of PSHI

2.3.1 Access by FSHD employees and contractors
(a) FSHD has a detailed policy and set of procedures to ensure that only authorised personnel have access to your PSHI and that your PSHI remains confidential and is only used for appropriate purposes and in accordance with the policy.
(b) Employees and contractors of FSHD are only permitted to access, use and/or disclose PSHI if it is necessary to fulfil their employment and/or contractual obligations to FSHD.
(c) Any employees and contractors of FSHD who are required to access, use and/or disclose PSHI in accordance with clause 2.3.1(a) are restricted to those employees and/or contractors that are:
(i) approved and authorised in accordance with the procedures set out in clause 1.6 of this policy;
(ii) in senior management roles / positions within FSHD; and
(iii) must only access, use and/or disclose PSHI in accordance with this policy.
(d) FSHD employees and contractors have their own login credentials which are not shared amongst colleagues or third parties.
(e) Authorised employees of FSHD and/or contractors who provide services in relation to its information systems including the development and maintenance of the Site and any associated cloud computing will have access to internal and external information technology servers which may, from time to time, include access to PSHI. Such employees and contractors are not authorised to use and/or disclose PSHI to any third party without the prior written consent of FSHD, such consent to be determined by FSHD in its sole and absolute discretion.

2.3.2 Accessing and updating your own PSHI
(a) You have a general right to access your PSHI collected and stored by FSHD in accordance with this policy.
(b) Registered users of the Site may access and update their PSHI from time to time using their personal login on the Site. You have the right to correct PSHI that FSHD holds about you if it is:
(i) inaccurate;
(ii) out of date;
(iii) incomplete;
(iv) irrelevant; or
(v) misleading.
(c) FSHD may refuse the right for users to access their information that is subject to any legal restrictions.
(d) If there are any aspects of your personal information that cannot be updated directly by you or that you are unable to access, then you can request access and correction of your personal information by completing a “Request to Access and/or Correct PSHI Form” and submitting it to the Privacy Officer by post and/or email. The Form can be obtained by contacting the Privacy Officer.
(e) A request to access and/or correct PSHI must be made only by the person to which the PSHI relates or by a person who is duly authorised in writing by such person to act on their behalf, for example, a legal guardian or authorised agent.
(f) FSHD reserves the right to request from you and/or a person authorised by you, information and/or documentation to verify identity and the reason for access/correction. Such information/documentation may include:
(i) name and contact details;
(ii) copies of photo identification;
(iii) reason for access/correction; and
(iv) a written authorisation from you to FSHD.
(g) FSHD shall respond to a request for access or correction of PSHI within 30 days of FSHD receiving all information and/or documentation it requests from you and/or any person authorised to act on your behalf.
(h) If FSHD has a valid reason to refuse you access to your PSHI, it will communicate the reason(s) in writing and advise you how to make a complaint.
(i) If FSHD has a valid reason to refuse your request to correct your PSHI, it will communicate the reason(s) in writing, detail your right to request a statement be associated with your PSHI and advise you how to make a complaint.
(j) FSHD will take all reasonable steps to associate any written statement you provide pursuant to sub-clause 2.3.2(i) above, with your PSHI.
(k) Requesting access to your PSHI is free, however, FSHD may need to charge you for providing you access. FSHD shall disclose any such charge prior to processing your request and discuss with you any options available to potentially minimise the charge.

2.4 Removing PSHI from FSHD Premises

2.4.1 If FSHD deems it necessary for an employee or contractor to work from a location other than an official FSHD site or place of business, PSHI may be accessed and/or removed under the following circumstances:
(a) remote working conditions imposed by the Federal and/or State/Territory governments due to the COVID-19 pandemic;
(b) attending external meetings / conferences where access to FSHD’s computer systems is required; and
(c) delivery of PSHI from FSHD business premises to third party premises for the purposes of carrying out the objectives of FSHD and in particular, the Portal.

2.4.2 All FSHD employees and contractors are required to abide by the following safeguards when accessing, using or disclosing PSHI whilst working from a location other than an official FSHD site or place of business:
(a) take all reasonable steps to keep PSHI secure;
(b) not printing PSHI and if required to be printed, securing same until the pages containing the PSHI can be irretrievably destroyed;
(c) ensuring all business mobile phones, laptops, data storage devices and remote desktop clients are secured and password protected with strong and varied passwords;
(d) ensuring all devices, virtual private networks and firewalls have necessary updates and the most recent security patches (including operating systems and antivirus software);
(e) employees and contractors must only use work/business email accounts for work related emails;
(f) implementing multi-factor authentication for remote access systems and resources (including cloud services);
(g) only accessing trusted networks or cloud services;
(h) ensuring they are up-to-date with any changes to FSHD’s cyber security policy;
(i) receive education and partake in all training offered by FSHD with respect to cyber security practices and physical security of PSHI;
(j) if employees or contractors experience any issues accessing FSHD’s business platform, they must only contact FSHD’s IT department or consultants.

2.5 Sharing of PSHI with PJ Labs

2.5.1 When registering on the Site, you will be asked to complete an ‘About You’ questionnaire (the Questionnaire). Your responses to the Questionnaire and any PSHI contained within those responses will be held by us in accordance with this policy.

2.5.2 During the Questionnaire process referred to in clause 2.5.1, you will be asked whether you wish to participate in a Saliva Research Test. If you choose and consent to participating in the Saliva Research Test, you must complete additional questions to proceed (Saliva Research Test Questions). Your responses to the additional questions and any PSHI contained within those responses will be held by us in accordance with this policy.

2.5.3 By answering the Questionnaire and the Saliva Research Test Questions, you consent to FSHD:
(a) sending a Saliva Research Test Kit to your residential address by post; and
MADISON MARCUS LAW FIRM
(b) providing your contact information, including but not limited to your full name, email address, date of birth and country of origin to PJ Labs to notify PJ Labs that a Saliva Research Testing Kit has been issued to you by FSHD.

2.5.4 Your contact information referred to in clause 2.5.3(b) will be sent by FSHD to PJ Labs by email.

2.5.5 You acknowledge that:
(a) you are responsible for posting the Saliva Research Testing Kit containing your saliva sample to PJ Labs at your own cost;
(b) PJ Labs will assess the saliva sample / DNA and prepare a report; and
(c) PJ Labs will send the report to you directly to the email address provided by you as part of the Questionnaire and/or Saliva Research Test Questions.

2.5.6 FSHD is in no way responsible or liable for PJ Labs issuing your report to an unrelated third party. By accepting this policy, you hold FSHD harmless against any loss or damage suffered by you as a result of your report being issued by PJ Labs to an individual or organisation, other than yourself or contrary to your directions.

2.6 Destruction or de-identification of PSHI

2.6.1 FSHD is required to destroy or de-identify PSHI once it no longer requires such information for a primary or secondary purpose.

2.6.2 PSHI is deemed destroyed when it can no longer be retrieved.

2.6.3 In the event that FSHD is unable to irretrievably destroy PSHI held in electronic format, FSHD will take all reasonable steps to put the PSHI ‘beyond use’. PSHI is ‘beyond use’ if FSHD:
(a) is not able, and will not attempt, to use or disclose the PSHI;
(b) cannot give any other entity access to the PSHI;
(c) surrounds the PSHI with appropriate technical, physical and organisational security which includes, at a minimum, access controls;
(d) commits to take reasonable steps to irretrievably destroy the PSHI if, or when, it becomes possible.

2.6.4 If FSHD considers that PSHI could provide further value or utility to FSHD or a third party, FSHD may de-identify such PSHI rather than destroy it. The decision as to destruction or de-identification is at the sole and absolute discretion of FSHD.

3. SECTION 3 – YOUR RIGHTS

3.1 Requests for access to and amendment of PSHI

3.1.1 You may make a request to access and/or amend your PSHI in accordance with clause 2.3.2.

3.2 Request for restrictions on uses and disclosures of PSHI

3.2.1 You may request restrictions on the use and disclosure of your own PSHI. Such requests should be made in writing to the Privacy Officer.

3.2.2 The Privacy Officer will consider the request for restriction and determine whether such request is reasonable in the circumstances. The Privacy Officer’s decision will be communicated to you in writing.

3.3 Sharing of results from Saliva Research Test – consent and rights

3.3.1 You are not obligated to share with or provide a copy of the results from your Saliva Research Test referred to in clause 2.5 to FSHD.

3.3.2 If you voluntarily decide to share or provide a copy of the results from your Saliva Research Test to FSHD, you must do so by logging into your personal login on the Site and uploading a copy of your Saliva Research Test results to the designated area within your login. You acknowledge that the cost of sharing or providing a copy of your results to FSHD shall be borne by you and FSHD shall not be liable to reimburse you.

3.3.3 You acknowledge that if you voluntarily decide to share your Saliva Research Test results as outlined in clause 3.3.2, you will automatically become a member of the “FSHD Medical Research & Clinical Trial Readiness Program”, without requiring you to acknowledge or accept your membership.

3.3.4 You accept full responsibility for uploading your results to your personal login and ensuring your results are uploaded correctly and are accessible by FSHD.

3.3.5 If your results are not received by FSHD or are received by an unintended recipient, that is, any recipient other than FSHD, you agree and acknowledge that you shall hold FSHD harmless against any cause of action against FSHD for any loss or damage suffered by you as a result.

3.3.6 FSHD will hold your Saliva Research Test results as uploaded by you in accordance with Error! Reference source not found. in its secure cloud together with your other PSHI and otherwise in accordance with this policy.

3.3.7 In the event that your Saliva Research Test results are required to be used and/or disclosed by FSHD, FSHD shall only do so after such results are de-identified and the use and/or disclosure of the de-identified data is in accordance with this policy.

3.3.8 By voluntarily providing your Saliva Research Test results to FSHD in accordance with this clause 0, you consent to FSHD:
(a) disclosing the de-identified data with research laboratories conducting research into a treatment and cure for Facioscapulohumeral Dystrophy; and
(b) connecting you to the research laboratories when clinical trials become available.

3.3.9 You may at any time prior to the de-identification process being completed by FSHD, request FSHD to destroy your Saliva Research Test results. By accepting this policy, you acknowledge that once the de-identification process has been completed by FSHD, any request by you to destroy your Saliva Research Test results may be impractical or impossible for FSHD to action.