Privacy Policy
The Institute is committed to protecting individuals’ privacy in compliance with the relevant privacy laws. This policy sets out how QIMR Berghofer collects, holds, uses, discloses, provides access to and amends Personal Information.
2.1 Purpose
The purpose of this policy is to outline QIMR Berghofer’s obligations and expectations regarding the management of Personal Information.
2.2 Scope
This policy applies to all Personnel.
3.1 Legal context
QIMR Berghofer’s privacy obligations are governed by the Information Privacy Act 2009 (Qld) (IP Act) and its Queensland Privacy Principles (QPP).
In addition, QIMR Berghofer has privacy obligations under other legislation to the extent they apply to its activities, including in circumstances where:
(a) QIMR Berghofer conducts medical research pursuant to the Privacy Act 1988 (Cth);
(b) QIMR Berghofer agrees to be bound contractually to manage Personal Information under the Privacy Act 1988 (Cth) (e.g. under funding agreements); or
(c) a privacy law or other law applies to the type of Personal Information involved, such as tax file numbers, or information (metadata) retained under s187A of the Telecommunications (Interception and Access) Act 1979 (Cth).
3.2 Principles
QIMR Berghofer is committed to the fair collection and handling of Personal Information. QIMR Berghofer respects an individual’s rights to know how their Personal Information will be collected, used, held and disclosed, as well as how it can be accessed and corrected (if necessary).
4.1 Collection
QIMR Berghofer is committed to managing the Personal Information it holds in an open and transparent manner and in accordance with the QPP. To achieve this, QIMR Berghofer will:
(a) only collect Personal Information that is necessary for, or directly related to, its functions or activities;
(b) only collect Sensitive Information if:
(i) the individual consents and the information is reasonably necessary for or directly related to its functions; or
(ii) the collection is otherwise required or authorised by law or court order;
(c) ensure appropriate notification is provided to (or, where applicable, consent obtained from) an individual when collecting Personal Information from that individual;
(d) collect Personal Information in a lawful and fair manner;
(e) collect information from the individual concerned rather than from a third party, unless it is unreasonable or impracticable to do so;
(f) take reasonable steps to ensure that the Personal Information that the Institute collects is accurate, up to date and complete;
(g) if it receives unsolicited Personal Information, other than in a public record, consider whether it could have lawfully collected the information directly, and if not, QIMR Berghofer must, as soon as practicable and if lawful and reasonable to do so, destroy the information or ensure it is deidentified; and
(h) take reasonable steps, where Personal Information is collected about an individual, to notify the individual or otherwise ensure the individual is aware of certain matters, including the purpose of the collection (including why the information is being collected and how it is intended to be used), the law authorising or requiring the collection (where applicable) and any third parties to whom QIMR Berghofer usually discloses the kind of information collected.
Typically, the above information will be provided in the form of a collection statement (often referred to as a privacy notice or privacy statement). Where practicable, individuals should be provided with this notice at or before the time of collection; otherwise, as soon as practicable after collection.
4.2 Use or disclosure of Personal Information
QIMR Berghofer uses Personal Information to discharge its functions under The Queensland Institute of Medical Research Act 1945 (Qld), including but not limited to medical research and related activities of fundraising for medical research, recruitment of Personnel and administration of business and financial systems.
Personal Information will only be used for the purpose for which it was collected, subject to exceptions in the privacy laws.
Personal Information collected for a particular purpose may not be used or disclosed for another purpose, except where the IP Act otherwise permits such use or disclosure.
QIMR Berghofer will not sell, exchange or otherwise disclose Personal Information for commercial gain.
4.3 Storage and security of Personal Information
QIMR Berghofer takes all reasonable steps to protect the Personal Information it holds from misuse, interference or loss and from unauthorised access, modification or disclosure.
QIMR Berghofer will hold Personal Information for as long as necessary in accordance with this policy. QIMR Berghofer takes reasonable steps to destroy or permanently de-identify Personal Information if it is no longer needed for an authorised purpose and the information is not contained in a public record and not required to be retained under an Australian law, court or tribunal order.
4.4 Disclosure of Personal Information outside Australia
In certain circumstances, QIMR Berghofer may disclose Personal Information outside Australia in accordance with section 33 of the IP Act. For example, QIMR Berghofer may disclose Personal Information, including health information, to international collaborators and third party service providers outside Australia in connection with the purposes outlined in this policy.
QIMR Berghofer will make every effort to ensure that the recipient of the Personal Information is subject to a law, binding scheme or contract that effectively upholds principles for the fair handling of Personal Information that are substantially similar to the QPPs. In addition, transfer of participant health information is subject to stringent safeguards, including ethics approval processes and, where applicable, data transfer agreements.
Individuals have a right to access documents held by QIMR Berghofer that contain the individual’s Personal Information. The IP Act also provides a right for an individual to request an amendment to QIMR Berghofer documents containing their Personal Information which the individual considers to be inaccurate, out of date, incomplete, irrelevant or misleading.
Individuals who have concerns about how their Personal Information is being collected, stored, used or disclosed may make a complaint to QIMR Berghofer’s Privacy Officer.
QIMR Berghofer will endeavour to respond to the privacy complaint within 30 days of receiving the complaint or such other reasonable time frame as may be agreed, depending on the nature of the complaint.
If the complaint is not resolved, the complainant may escalate the complaint to the Office of the Information Commissioner (Queensland).
QIMR takes its privacy and cyber security obligations very seriously.
Upon becoming aware of an actual or suspected privacy breach, an individual must report it as soon as possible to QIMR Berghofer’s Privacy Officer. QIMR Berghofer will respond to actual or suspected privacy breaches in a timely manner in accordance with the Data Breach Policy and will make any necessary notifications in relation to Eligible Data Breaches.
8.1 Medical research
QIMR Berghofer collects Personal Information, including health information, for medical research purposes, including undertaking clinical trials and human research projects, developing tissue banks and data banks, and publishing research (as non-identifiable data).
QIMR Berghofer will collect Personal Information from individuals directly. However, Personal Information may be collected from parents or guardians (minors or persons with cognitive impairment), Commonwealth and State agencies, Registries (e.g. Death and Cancer Registries), and support groups and communities.
The kinds of information collected include biographical information, contact information, Medicare numbers, referrals and reports from treating practitioners, physical and mental health information, medical history, virus screens and genetic information derived from DNA and RNA.
8.2 Fundraising
QIMR Berghofer collects Personal Information to raise funds for medical research, including marketing to supporters and donors about research, appeals and events, requesting and processing donations, gifts and bequests, maintaining relationships with supporters and donors, organising fundraising events and building profiles on supporters and donors.
QIMR Berghofer will collect Personal Information from individuals directly. However, Personal Information is also collected from corporate partners, agents acting on behalf of QIMR Berghofer and supporters, open source publications, list brokers and prospect research consultants.
The kinds of information collected include biographical information, contact information, information about an individual’s interests in QIMR Berghofer’s functions and research, attendance at events, donations, gifts or bequests (including payment details) and any other information required to build and maintain relationships with supporters.
8.3 Personnel records
Personal Information is collected in relation to personnel records, including employment or potential employment of staff, visitors, consultants, volunteers, recruitment, attendance, leave, personal details, salary, payroll, superannuation, personnel development, performance management, staff health and safety, staff welfare, staff equity, promotion, scholarships, grants, awards, honours and recognition, research output, research publications, travel and membership of committees.
8.4 Financial and business information
QIMR Berghofer collects information relating to financial transactions between QIMR Berghofer and customers, suppliers and contractors, including names, addresses, bank account details, accounts payable or receivable, customer records, processing purchase orders, customer service functions such as customer enquiries and complaints, insurance information, payment and billing information.
8.5 Information technology systems
QIMR Berghofer’s Information Technology Services division collects, processes and stores Personal Information relating to former and present staff, and other users of QIMR Berghofer’s systems. Data held includes telephone, email and internet activity, as well as authentication, identification and usage tracking information.
9.1 Personnel
All Personnel are responsible for handling Personal Information in accordance with this policy and notifying the Privacy Officer of actual or suspected privacy or data breaches as soon as possible.
9.2 Leaders and Managers
Leaders and Managers are responsible for reviewing their department or unit’s Personal Information holdings and taking steps to ensure that any Personal Information held within that organisational unit is protected from unauthorised access, modification, use or disclosure and assisting and supporting the investigation of any privacy complaints or breaches of this policy.
9.3 Privacy Officer
The Institute’s Privacy Officer is the Chief Operating Officer and the Privacy Officer is responsible for:
(a) providing advice and leadership in relation to privacy compliance across QIMR Berghofer;
(b) receiving, processing and responding to privacy complaints and requests to access or amend documents containing an individual’s Personal Information;
(c) where applicable, reporting privacy and data breaches to the relevant regulator and notifying individuals affected by privacy and data breaches as required under the IP Act; and
(d) providing training opportunities to enable Personnel to meet their obligations under this policy.
The Privacy Officer, in performing the above functions, may seek advice from any area of the Institute, including Legal, Information Technology and Governance and Risk.
This policy will be reviewed following legislative or organisational changes, or as a minimum, every three years.
Collaborator
A research partner, including clinical research organisations and manufacturing organisations.
Council
The Council of the Queensland Institute of Medical Research constituted under the QIMR Act.
Eligible data breach
A data breach which involves either:
(a) unauthorised access to, or disclosure of, Personal Information where serious harm to an individual is likely to result; or
(b) loss of Personal Information in circumstances where unauthorised access to, or disclosure of, the Personal Information is likely to occur and it is likely to result in serious harm to an individual.
DEC
Director’s Executive Committee.
Health Information
(a) Personal Information about an individual that includes any of the following—
- (i) the individual’s health at any time;
- (ii) a disability of the individual at any time;
- (iii) the individual’s expressed wishes about the future provision of health services to the individual;
- (iv) a health service that has been provided, or that is to be provided, to the individual; or
(b) Personal Information about the individual collected for the purpose of providing, or in providing, a health service; or
(c) Personal Information about the individual collected in connection with the donation, or intended donation, by the individual of any of the individual’s body parts, organs or body substances.
Institute
QIMR Berghofer
Personal Information
Personal Information means information or an opinion about an identified individual or an individual who is reasonably identifiable from the information or opinion, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not.
Personnel
All QIMR Berghofer employees whether full-time, part-time, or casual and includes Council members, and all students, volunteers, contractors, affiliates and visiting scientists.
Privacy Officer
The Chief Operating Officer or their delegate.
Sensitive Information
(a) information or an opinion, that is also Personal Information, about the individual’s—
- (i) racial or ethnic origin;
- (ii) political opinions;
- (iii) membership of a political association;
- (iv) religious beliefs or affiliations;
- (v) philosophical beliefs;
- (vi) membership of a professional or trade association;
- (vii) membership of a trade union;
- (viii) sexual orientation or practices;
- (ix) criminal record;
(b) health information about the individual;
(c) genetic information about the individual that is not otherwise health information;
(d) biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or
(e) biometric templates
Information Privacy Act 2009 (Qld)
Privacy Act 1988 (Cth)
Guidelines under section 95 of the Privacy Act 1988 (Cth) dated 2014
QIMR Berghofer Data Breach Policy
Privacy Officer (PrivacyOfficer@qimrb.edu.au)
Version | Date Approved | Approved By / Scope of Change | Date Due for Review |
---|---|---|---|
1.0 | 24 June 2014 | New Policy approved by Council | |
1.2 | 20 February 2018 | Amendments approved by Council | |
1.3 | 12 June 2025 | Amendments approved by Director & CEO | 12 June 2028 |