The George Institute for Global Health, together with its subsidiaries and associated companies worldwide (The George Institute, we and our) is committed to handling personal information (including health and other sensitive information) in accordance with applicable privacy laws, including the Australian Privacy Principles (APPs) set out in the Australian Privacy Act 1988 (Cth) and, where relevant, the EU General Data Protection Regulation ((EU) 2016/679) (GDPR). A reference to personal information includes “personal data” as defined in the GDPR.
We have adopted the APPs as the minimum standard across all of our offices worldwide. We also comply with the ICH Guidelines for Good Clinical Practice with respect to the use, protection and security of health information collected, as well as guidelines issued by the National Health and Medical Research Council of Australia (NHMRC) in respect of health information that may be accessed in the conduct of research.
What types of personal information do we collect and why?
We collect personal information reasonably necessary for one or more of our functions or activities as a medical research organisation. The types of personal information we generally collect may include your name, date of birth, address and other contact details such as your telephone numbers and email address. Depending upon the purpose of our interaction with you, we may collect additional personal information. More details about the personal information we collect (and why) are provided below.
Human Research Studies / Trials
We (or an approved third-party operating on our behalf) will collect personal information and health information (and at times, other sensitive information) from individuals who participate in human research studies and clinical trials undertaken by The George Institute (or our related entities, including George Clinical).
Such information collected may include:
- Gender, nationality, heritage, and date of birth;
- Medical history and treatments;
- Medicare number (or similar) and private health insurance information;
- Current medications and treatments;
- Health services and treatments;
- Symptoms, test results and hospital care; and
- Consequential health factors.
The information is collected for the purposes of medical research and analysis pertaining to the research study or trial, to comply with laws and regulatory guidelines relating to medical research and clinical trials, and to substantiate the findings and publication of research results.
We may also collect personal information of health practitioners and health providers who are involved in the care of study participants (e.g. general practitioners, physiotherapists, other healthcare service providers). Such information collected may include name, address, contact details, professional qualifications, experience, and interaction records with us (as part of the particular research study or trial). This information is collected for the purpose of administration, management and operation of The George Institute and the particular research study or trial.
We may also collect the personal information of medical experts, researchers and other professionals advising on, overseeing, or assisting in the conduct of a particular research study or trial. Such information collected may include name, address, contact details, professional qualifications and experience, and registration information.
We may collate statistical data from study/trial results that we have collected over the years for the purposes of future research, or advising Governments and decision-makers on healthcare policy.
As part of the ordinary course of business operations, we may capture and record personal information from our dealings with partners, business alliances and service providers. Such information is collected for administrative, management, and audit purposes.
We may collect personal information (e.g. name and contact details) from those who contact us (by phone or in person) or access our websites (refer to ‘How do we collect and hold your personal information’ section below). Such information is collected in order to deal with you and improve our services.
We are required to collect personal information from donors and supporters of The George Institute in order to comply with laws and issue tax receipts. Information collected may include name, contact details and payment details. We may collect personal information when we are canvassing recruitment of staff and PhD students.
You may also supply personal information to us when applying for open positions, and we may collect your personal information from third-parties (e.g. referees) as part of the assessment and recruitment process. Such information collected may include educational and academic background, work history, skill-set and capabilities. We may collect similar personal information from volunteers who apply to work with The George Institute.
Can you deal with us anonymously?
Where lawful and practical, you will be given the option to deal with us without identifying yourself or by using a pseudonym (e.g. when inquiring about the activities that The George Institute undertakes).
How do we collect and hold your personal information?
We aim to collect your personal information directly from you:
- When you first make contact with us (e.g. phone, in person, email or via our website);
- When you agree to participate in a research study or trial (e.g. through the study information/consent process); and
- When dealing with us as part of ordinary business.
We may collect your personal information from a third-party, such as your medical or health provider (e.g. GP, hospital) and an information document (including requisite privacy disclosures) will be given to you by that provider.
When accessing our websites, we may make a record of your user service address and internet provider name and address, the date and time of your visit, the pages you accessed and any documents downloaded, any website visited prior to accessing our site and the type of browser used. This information (which is unlikely to contain personal information) is collected to monitor the activity on our websites (including the popularity of certain pages and information presented on our websites, and linkages to information), to consider improvements to the delivery, presentation and types of information on our websites (including cost/benefit analysis), and ensure the protection of our intellectual property and reputation.
Holding personal information
We hold personal information in paper-based and electronic records and systems.
Personal information collected in paper-based documents may be converted to electronic form for storage (with the original paper-based documents either archived or securely destroyed).
The George Institute uses physical security and other measures to ensure that personal information is protected from misuse, interference and loss, and from unauthorised access, modification and disclosure.
Personal information held in paper-based form is generally securely stored at our offices, with archived records held at an external storage facility. Our databases and their contents remain at The George Institute and stay with data processors or servers acting on our behalf and responsible to us.
We maintain computer and network security by using firewalls, user identifiers and passwords to control access to our computer system.
Donations and registrations made on The George Institute website use encryption methods and credit card data is stored using systems compliant with the Payment Card Industry Data Security Standard.
How do we disclose your personal information?
We may disclose your personal information to our staff, related parties, and approved third-parties (e.g. agents, service providers, collaborators and research partners) who are working on the study or research program for which your personal information was collected; but only to such persons who need to know. Our staff must comply with privacy and confidentiality terms as part of their employment with us. To be an approved third-party of The George Institute, that party must be subject to similar privacy and confidentiality laws, or have a professional and/or contractual obligation of confidence.
We may also disclose your personal information as directed or permitted by law or court order.
Depending on the circumstances and the location where the study or research program is being conducted or coordinated, the disclosures described above may involve a cross-border disclosure. Our studies are often internationally based and our staff, agents, service providers, collaborators and research partners may be located overseas, e.g. Canada, the United Kingdom, the European Union, India and China. This will be explained in the study protocol and information documents.
Whenever possible, your personal information will be de-identified (and aggregated with others) before disclosure.
It is unlikely that personal information collected outside a study or research program (such as information collected during the ordinary course of business activities) will be disclosed outside of The George Institute.
We have put in place measures to protect the security of your information, and to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access (by physical and technical safeguards) to your personal information to those staff, related parties, and approved third-parties (e.g. agents, service providers, collaborators and research partners) who have a business or legal need to know.
We have also put in place procedures to deal with any suspected data breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
We may use your personal information to offer you products and services which we believe may interest you, but we will not do so if you tell us not to.
Where you receive electronic marketing communications such as event communications and newsletters from us, you may opt out of receiving further marketing communications by following the opt-out instructions provided in the communication.
For individuals located in the EEA
If you are located in the European Economic Area (including the United Kingdom) (collectively the EEA) you will have certain rights under the GDPR:
- The right of access: You have the right to obtain access to your personal information that we hold about you.
- The right to rectification: You are entitled to have the personal information that we hold about you corrected if it is inaccurate or incomplete.
- The right to erasure: This is also known as “the right to be forgotten” and enables you to request the deletion or removal of your personal information if there is no compelling or legal reason for us to keep using it.
- The right to restriction of processing: You have the right to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- The right to object to processing: You have the right to object and ask us to stop processing your personal information.
- The right to lodge a complaint: You have the right to lodge a complaint about the way we process your personal information with a supervisory authority in the EEA.
- The right to request transfer: You have the right to request us to transfer personal information we hold about you to another party, in a machine readable format.
- The right to withdraw your consent: You have the right to withdraw your consent to us processing your personal information.
These rights are not absolute and may not apply in all circumstances.
Legal basis for processing
We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:
- Where you have given consent;
- Where we need to perform the contract we have entered into with you;
- Where we need to comply with a legal obligation; or
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
Please contact us should you require any additional information about the legal grounds we rely on for any specific processing activities that involve your personal information.
International transfers outside the EEA
We may transfer your personal information outside the EEA to other countries where our databases are held or where our approved third-parties (e.g. agents, service providers, collaborators and research partners) are located. This may be in Australia, United States and other countries, some of which may not be deemed to provide an adequate level of protection for your personal information under GDPR. However, to ensure that your personal information does receive an adequate level of protection, we will put in place appropriate measures to ensure that your personal information is treated in a way that is consistent with and meets GDPR requirements: this may include the EU Model Clauses, EU Commission approved Binding Corporate Rules, and reliance on the US Privacy Shield.
How long will we keep your information?
We will only retain your personal information for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal information for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
How can you access and seek correction of your personal information held by us, or exercise other rights under GDPR?
You may request access to, or seek correction of, your personal information that is held by The George Institute, or exercise other rights available under GDPR, by writing to the Privacy Officer:
Address: Level 5, 1 King Street, Newtown, NSW 2042 Australia; or
If you are located in the EEA you may also wish to write to our EU-based Representative:
Address: The George Institute for Global Health UK, Le Gros Clark Building, South Parks Road, University of Oxford, OX1 3QX United Kingdom. Tel no: + 44 1865 617 200
We will generally not charge a fee for such requests, but we may charge a reasonable fee if your request is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
Typically, we will respond to your request within 10 – 20 business days, but sometimes we may require more time depending on the circumstances.
In your request, please ensure that you provide a reply address, so that we can contact you if we are unable to locate your personal information, if we need to verify your identity, or if we cannot carry out your request (in which case, we generally tell you why).
What should you do if you have a complaint about the handling of your personal information?
Please set out your complaint in writing to the Privacy Officer:
Address: Level 5, 1 King Street, Newtown, NSW 2042 Australia; or
Please provide sufficient information, so that the Privacy Officer can consider your concerns and contact you. Typically, we will respond to your complaint within 10 – 20 business days.
If you are not satisfied with our response, or you consider that we may have breached the Australian Privacy Principles or the Privacy Act 1988 (Cth), you are entitled to make a complaint to the Office of the Australian Information Commissioner. The Office of the Australian Privacy Commissioner can be contacted by telephone on 1300 363 992 or full contact details can be found online at www.oaic.gov.au.
If you are located in the EEA you may wish to lodge a complaint with a supervisory authority within the EEA. Please click here for a list of the national data protection authorities in the EEA.