NHMRC recognises that our staff and stakeholders value their privacy, and we make privacy a part of our everyday business. This means we incorporate privacy into strategic planning, make privacy a priority, and take a ‘privacy by design’ approach to integrate privacy management into all projects and practices.
NHMRC is Australia's peak body for supporting health and medical research; for developing health advice for the Australian community, health professionals and governments; and for providing advice on ethical behaviour in health care and in the conduct of health and medical research. NHMRC is responsible to the Commonwealth Minister for Health and has offices in Canberra and Melbourne.
Governed by the National Health and Medical Research Council Act 1992 (NHMRC Act), NHMRC's functions are to pursue activities designed to:
- raise the standard of individual and public health throughout Australia;
- foster the development of consistent health standards between the various States and Territories;
- foster medical research and training and public health research and training throughout Australia; and
- foster consideration of ethical issues relating to health.
NHMRC collects, holds, uses and discloses personal information to carry out these functions or activities. NHMRC also collects, holds, uses and discloses personal information to carry out responsibilities under the:
- Research Involving Human Embryos Act 2002 (RIHE Act)
- Prohibition of Human Cloning for Reproduction Act 2002 (PHCR Act)
- Public Governance, Performance and Accountability Act 2013 (PGPA Act)
- Freedom of Information Act 1982 (FOI Act).
personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not.
sensitive information means:
- information or an opinion about an individual's:
  - racial or ethnic origin; or
  - political opinions; or
  - membership of a political association; or
  - religious beliefs or affiliations; or
  - philosophical beliefs; or
  - membership of a professional or trade association; or
  - membership of a trade union; or
  - sexual orientation or practices; or
  - criminal record;
  that is also personal information; or
- health information about an individual; or
- genetic information about an individual that is not otherwise health information; or
- biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or
- biometric templates.
Collection of your personal information
The main way in which NHMRC collects personal information is when you provide it. For example, NHMRC may collect your personal information when you:
- Are an employee or prospective employee of NHMRC.
- Are appointed the Chairperson or a member of NHMRC’s Council, Principal Committees or Working Committees.
- Apply for membership of the NHMRC Research Translation Faculty.
- Apply for NHMRC research grants and fellowships.
- Participate in Peer Review processes (including as an assigner or an assessor).
- Make an ethics application using the Human Research Ethics Application (HREA).
- Apply for a licence to use human eggs and/or human embryos that were created by assisted reproductive technology and declared excess to the needs of the woman for whom they were created and her partner (if any) at the time the embryos were created.
- Respond to a request for tender.
- Participate in NHMRC targeted or public consultations.
- Contact NHMRC for information or advice, including freedom of information requests.
- Contact Ministers in the Health Portfolio and related portfolios.
- Make a complaint to NHMRC or the NHMRC Commissioner of Complaints.
- Make an allegation about research misconduct or fraud to NHMRC.
- Provide a submission to the Australian Research Integrity Committee.
- Access NHMRC websites or subscription services.
NHMRC may also collect your personal information via a third party, such as when an institution or organisation:
- Registers a Human Research Ethics Committee.
- Applies for certification under the National Certification Scheme.
- Participates in NHMRC targeted or public consultations.
- Applies to be an Administering Institution.
- Applies to be on Research Committee’s Approved Research Institutes register.
- Registers via the Guidelines in Development Register.
- Responds to a request for tender.
Or when an individual or group:
- Makes an allegation about research misconduct or fraud to NHMRC.
- Participates in NHMRC targeted or public consultations.
- Makes an ethics application using the HREA.
- Contacts NHMRC or Ministers in the Health Portfolio and related portfolios.
- Makes a complaint to NHMRC or the NHMRC Commissioner of Complaints.
- Provides a submission to the Australian Research Integrity Committee.
The information in these records may include:
- driver’s licence number and expiry date
- vehicle insurance details
- address & other contact details
- financial information
- date of birth
- tax file number
- bank account and superannuation details
- sexual preference
- curricula vitae
- marital status
- current employment and employment history
- number of dependents
- employer/employee relationships and activities
- physical or mental health
- employment conditions
- disability status
- education/training qualifications
- racial or ethnic origin, cultural background or culturally sensitive issues
- professional registration and affiliations
- disclosures of interest
- union membership
- criminal convictions
- research grant and research publication history
- religious affiliations
- details of research misconduct or fraud (whether alleged, substantiated or dismissed)
- political affiliations
- commercial in-confidence information
- Medicare card number
- Australian Business Number
NHMRC may also collect personal information (including sensitive information) about you from publicly available sources to enable it to contact stakeholders who may be interested in NHMRC’s work or participating in targeted or public consultations.
Receipt of unsolicited personal information
Unsolicited personal information is personal information (including sensitive or health information) received where there were no active steps taken to collect the information. NHMRC may receive unsolicited personal information about an individual in correspondence from external parties, including in ministerial correspondence, submissions to public consultations, complaints and in correspondence seeking advice.
Under Australian Privacy Principle 4 (APP4), NHMRC must determine whether or not NHMRC could have collected the information under Australian Privacy Principle 3 (APP3) if NHMRC had solicited the information. NHMRC may use or disclose the personal information for the purposes of making this determination.
- If NHMRC determines that it could not have collected the personal information, and the information is not contained in a Commonwealth record [2], NHMRC will, as soon as practicable but only if it is lawful and reasonable to do so, destroy the information or ensure that the information is de-identified.
- If NHMRC determines that it could have collected the personal information under APP3, or the information is contained in a Commonwealth record, then Australian Privacy Principles 5 to 13 apply in relation to the information as if NHMRC had solicited the information under APP3.
Where it is determined that the unsolicited personal information cannot be destroyed or de-identified under APP4, the information will be treated in accordance with APPs 5 to 13. Any future destruction of the personal information will comply with section 24 of the Archives Act 1983.
In regard to submissions received during public consultation, NHMRC reserves the right to redact unsolicited personal information from submissions, or to not publish submissions containing unsolicited personal information.
Dealing with NHMRC anonymously or pseudonymously
You can ask NHMRC to deal with you anonymously or pseudonymously (using a fictitious name) unless NHMRC expressly identifies that it is not practicable to deal with you on that basis. In most cases, NHMRC will require your contact details.
In the case of applications for research grants, it is not practicable for NHMRC to deal with you on an anonymous or pseudonymous basis. NHMRC will not accept a grant application or report that is anonymous or not in your real name.
NHMRC administers the following websites:
Any system on these websites that seeks to record personal information about you will advise you about your consent.
When you visit any of the NHMRC websites, NHMRC makes a record of your visit and logs the following information for statistical or systems administration purposes:
- your client address
- your top level domain name
- the date and time of access to the site and duration
- pages accessed and documents downloaded
- the previous site visited
- type of browser and operating system used.
Analytic and session tools
NHMRC uses a range of tools provided by third parties, such as Google Analytics, to collect or view website traffic information. These sites have their own privacy policies. NHMRC also uses session tools to improve your experience when accessing our websites.
The information collected by these tools may include the IP address of the device you are using and information about sites that IP address has come from, the pages accessed on our site and the previous site visited. NHMRC uses this information to maintain, secure and improve our websites and to enhance your experience when using them. In relation to Google Analytics you can opt out of the collection of this information using the Google Analytics Opt-out Browser Add-on.
No attempt will be made to identify anonymous users or their browsing activities unless NHMRC is legally compelled to do so, such as in the event of an investigation, where a law enforcement agency may exercise a warrant to inspect the Internet Service Provider's log files.
NHMRC uses 'cookies' for maintaining contact with a user through a website session. A cookie is a small file supplied by us and stored by the web browser software on your computer when you access our site. Cookies allow us to recognise you as an individual as you move from one of our web pages to another.
All cookies will be immediately lost when you end your internet session and shut down your computer. NHMRC’s record of your information will be automatically deleted twenty minutes after you last use one of our websites. This information is only used to help you navigate NHMRC website systems more efficiently, not to track your movements through the internet, or to record personal information about you.
Social Networking Services
NHMRC uses social networking services such as Twitter to communicate with the public about its work. When you communicate with NHMRC using these services NHMRC may collect your personal information, but it is only used to communicate with you and the public. The social networking service will also handle your personal information for its own purposes. These sites have their own privacy policies.
Use and Disclosure of your personal information
NHMRC will not be taken to have breached its obligations under this policy or the Privacy Act where:
- a person has consented to the use or disclosure of their personal information
- a purpose for which the personal information is to be used is directly related to the purpose for which it was collected
- a person would reasonably expect, or has been told, that personal information may be published or passed to certain individuals (including the general public), bodies or agencies (e.g. if requested by the Australian Research Council (ARC), for the purpose of ARC establishing compliance with its funding rules)
- a grant applicant has explicitly indicated, or made NHMRC generally aware, of a wish for the application to be considered by other funding bodies and research institutions, such as co-funding organisations or the applicant’s own institution
- it uses the personal information to comply with obligations, or exercise rights under the NHMRC Act, or NHMRC policies and procedures
- it uses the personal information to enable effective management or auditing of a funding agreement, scheme or RGMS
- the disclosure of personal information:
- to overseas entities, Australian state/territory or local government agencies, organisations or individuals is necessary to assess the application or administer a grant
- to universities, private medical research bodies, Australian state/territory or local government agencies for the purpose of establishing expert advisory panels or working groups
- is required or permitted by law
- will prevent or lessen a serious and imminent threat to somebody’s life or health
- there is a reasonable belief that the disclosure of the personal information is for a purpose directly related to the enforcement or investigation of a possible breach of a Commonwealth, State or Territory law
- the personal information is in the public domain.
Access to NHMRC records and your personal information is limited to those who have an operational need or who have legislative authority. These include:
- NHMRC CEO and staff
- Ministers in the Health Portfolio and related portfolios
- other Australian Government agencies, where the information is relevant to manage correspondence (i.e. where a person has written to more than one minister on the same matter)
- NHMRC Council, Principal Committee and Working Committee members
- individuals involved with NHMRC Peer Review, including NHMRC Academy members
- the NHMRC Commissioner of Complaints
- members of the Australian Research Integrity Committee
- Inspectors appointed under the RIHE/PHCR Acts
- state/territory organisations under legislation complementary to the RIHE/PHCR Acts
- the Administrative Appeals Tribunal
- the Commonwealth Ombudsman
- the Office of the Australian Information Commissioner
- Administering Institutions
- the Australian Taxation Office
- the Australian Federal Police.
Disclosure of personal information to overseas recipients
Disclosure for NHMRC peer review
NHMRC’s peer review processes use the most qualified researchers available to assess grant applications. There may also be occasions when personal information (contained in an application) must be sent overseas to an expert reviewer or assessor for peer review.
RGMS will prompt applicants with a notice that seeks their express consent to overseas disclosure at the time of making their application, and applicants can elect not to have their information sent overseas for peer review.
Some NHMRC funding schemes for collaborative projects may require NHMRC to disclose personal information to an overseas-based co-funding organisation. NHMRC may also appoint peer reviewers from overseas countries, where there is a need. In those cases, information may be disclosed to those entities or people.
In order for applicants to participate in these schemes, their personal information may need to be disclosed by NHMRC to overseas recipients. Applicants are advised of this possibility at the time of making their application.
Disclosure within jointly administered research schemes
NHMRC participates in a number of funding schemes which provide assistance to Australian researchers to participate in collaborative research projects with international researchers. See the NHMRC International activities page for further information regarding these funding schemes and corresponding organisations and countries.
In order for applicant researchers to participate in these schemes, their personal information may need to be disclosed by NHMRC to overseas recipients, generally for the purposes of peer review of the applications. Applicants are advised of this possibility at the time of making their application.
Disclosure to support international cooperation
NHMRC participates in international collaborations to foster global health and medical research goals. Occasionally, information will be shared between member organisations, generally about researchers with expertise in particular areas. NHMRC always requests permission from the researcher to provide their names to these organisations. See the NHMRC International activities page for further information regarding these organisations and participating countries.
See also ‘Storage and security of personal information - NHMRC Servers’ below.
Requirements of the Commonwealth Grants Rules and Guidelines
Certain information about grant recipients is published on the NHMRC website in accordance with the requirements of the Commonwealth Grants Rules and Guidelines, including the name of the recipient, the amount of the grant, the researcher’s institution and the NHMRC scheme under which the grant was awarded.
Submissions to NHMRC targeted or public consultations
In general, if you provide NHMRC with permission to publish your public consultation submission on the NHMRC public consultation website, the submission will be published as soon as possible once all administrative and committee processes have concluded. Regardless of your permission being granted, NHMRC reserves the right to not publish any submission, or part of a submission, that contains what NHMRC determines, in its absolute discretion, to be personal information about you and/or personal information about a reasonably identifiable third-party.
NHMRC does not usually publicly disclose submissions to targeted consultations. Should the need arise, NHMRC will seek your explicit permission to publish your submission online.
No sale of personal information
Under no circumstances will NHMRC sell or receive payment for licensing or disclosing your personal information.
Storage and security of personal information
Under the Public Governance, Performance and Accountability Act 2013, NHMRC is required to implement the Australian Government Protective Security Policy Framework (PSPF). PSPF provides the appropriate controls for the Australian Government to protect its people, information and assets, at home and overseas. All personal information held by NHMRC is stored in accordance with the PSPF and managed in accordance with the Archives Act 1983 [3].
NHMRC takes steps to protect the security of the personal information it holds from both internal and external threats by:
- regularly assessing the risk of misuse, interference, loss, and unauthorised access, modification or disclosure of that information
- taking measures to address those risks, for example, keeping a record (audit trail) of when someone has added, changed or deleted personal information held in our electronic databases and regularly checking that staff only access those records when they need to
- conducting regular internal and external audits to assess whether NHMRC has adequately complied with or implemented these measures.
For further information on the way NHMRC manages security risks in relation to personal information please contact the Agency Security Adviser via email to firstname.lastname@example.org.
The information collected via NHMRC websites is held on servers located internally at NHMRC. The exceptions are:
- www.hrea.gov.au, which is held on a server located external to NHMRC, but within Australia.
- Subscriptions and web forms linked to Campaign Monitor, where the server is located in the USA.
Subscriptions and web forms
If you subscribe to any of NHMRC’s regular electronic publications, the personal information you submit through the subscription service form will be secured using the SSL protocol, used solely by NHMRC, and not disclosed to any other individual or organisation. The records are kept within NHMRC and Campaign Monitor until the individual asks to be removed from the NHMRC mailing list or fails to respond to a request for confirmation of continued interest.
There are security risks associated with transmission of information via the Internet. NHMRC has taken reasonable steps to safeguard against unauthorised access, use, modification or disclosure of the personal information NHMRC holds electronically. Before deciding whether to use this facility you should make your own assessment of the potential risks to the security of your information.
By clicking on the warning/disclaimer tick box on the subscription service or our web based forms (including the NHMRC Public Consultation Portal), you acknowledge and agree that the Commonwealth will not be liable for any unauthorised access or for any loss or damage that you may incur as a result of any unauthorised access to this site or to the information transmitted by you or any other person.
Retention of Records
NHMRC records are retained in accordance with the relevant Records Authority issued by the National Archives of Australia, under the Archives Act 1983.
Records Authorities enable NHMRC to determine how long records need to be retained and when a record will be due for destruction or transfer to the National Archives.
Records Authorities contain descriptions of record types and specify the minimum retention periods applying to them.
Accessing and correcting your personal information
Under the Privacy Act (APPs 12 and 13), you have the right to ask for access to the personal information that NHMRC holds about you, and to ask that NHMRC corrects that personal information. You can ask for access or correction by contacting NHMRC’s Privacy Contact Officer by email to email@example.com or by writing to the following address:
Privacy Contact Officer, NHMRC, GPO Box 1421, CANBERRA ACT 2601
If you ask, NHMRC must give you access to your personal information unless there is a law that allows or requires NHMRC to refuse access. If your personal information is inaccurate, out-of-date, incomplete, irrelevant or misleading, the NHMRC will take reasonable steps to correct your personal information.
You will be asked to verify your identity before NHMRC will give you access to your information or correct it. If you are uncertain about how to set out your request, or the supporting material required, the Privacy Contact Officer may be able to assist you.
If a correction is made and NHMRC has disclosed the incorrect information to certain third parties, you can ask NHMRC to tell them about the correction.
If NHMRC refuses to give you access to, or correct, your personal information, you will be notified in writing of the reasons.
You also have the right under the FOI Act to request access to documents that NHMRC holds and ask for information that NHMRC holds about you to be changed or annotated if it is incomplete, incorrect, out-of-date or misleading. For further information see Freedom of information requests to NHMRC.
Making a privacy complaint if you believe that NHMRC has breached the Australian Privacy Principles
If you wish to complain that the NHMRC has breached one of the Australian Privacy Principles you can contact the NHMRC’s Privacy Contact Officer on (02) 6217 9000, by email to firstname.lastname@example.org, or by writing to the following address:
Privacy Contact Officer, NHMRC, GPO Box 1421, CANBERRA ACT 2601
Your privacy complaint should be in writing and set out as much detail as possible and include any supporting documentation. You may make a privacy complaint anonymously, or by using a pseudonym. However, you should realise that if you wish to communicate with the NHMRC in this way, our ability to fully investigate and deal with the complaint may be restricted.
How NHMRC will deal with your privacy complaint
The NHMRC will usually respond to your complaint within 30 calendar days and provide you with its response in writing.
If NHMRC takes more than 30 days to respond to your privacy complaint (without your prior agreement), or you are not satisfied with the NHMRC’s response, you may then take your privacy complaint to the Office of the Australian Information Commissioner (OAIC).
NHMRC Response Plan for data breaches involving personal or sensitive information
[1] See clause 1.3 of Australian Privacy Principle 1 (open and transparent management of personal information), in Schedule 1 of the Privacy Act 1988.
[2] A Commonwealth record is a document (including in electronic form) that is the property of the Commonwealth and that has been kept by reason of its connection with any event, person, circumstance or thing (ss6(1) and ss3(1) of the Archives Act 1983).
[3] Some relevant records may also be held by the Department of Health, if those records were generated before NHMRC became a separate agency in the Health Portfolio (i.e. before 2006).