Privacy Policy

Privacy Policy

1. Orygen’s obligations and commitment

This Privacy Policy explains how we collect and manage personal information (including sensitive and health information).  It describes the types of information we collect, why it is collected, how we keep the information secure, how you can access and correct the information, and how you can make a privacy complaint.

When collecting, holding, using and disclosing personal information, including sensitive and health information, Orygen is required to follow:

  • the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles which are set out in the Privacy Act (the APPs);
  • the Health Records Act 2001 (Vic) (Health Records Act) and the Health Privacy Principles (the HPPs) that are set out in the Health Records Act;
  • other states’ health privacy legislation, where it is required to contractually; and
  • in some instances, the European Union’s General Data Protection Regulation 2016/79 (EU GDPR), in circumstances where the GDPR applies to Orygen’s activities involving individuals or entities located in the European Union (EU) and where Orygen is processing their personal data, or where Orygen enters into a binding contract requiring it to abide by the provisions of the GDPR.

Orygen is committed to protecting personal information in accordance with these laws when we carry out our activities, including providing clinical and other care to young people, researching better interventions, treatments and service systems, providing training to the mental health workforce and the community, conducting fundraising and advocacy as well as undertaking activities in relation to our staff and applicants for roles with us (our Services).

2. What is ‘personal information’?

Personal information is information or an opinion about an individual who is identified, or can be reasonably identified, whether or not the information or opinion is true. 

Our collection, use and disclosure of personal information will comply with the APPs.

Sensitive information is information that is given a higher level of protection under the Privacy Act than other types of personal information.  It includes information or an opinion about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association or trade union, sexual orientation or criminal record.  It also includes health information.

Our collection, use and disclosure of sensitive information will comply with the APPs.

Health information means information or an opinion about an individual’s health, including an illness, disability or injury, expressed wishes about the future provision of health services, health service provided, or to be provided, to an individual and genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual. 

Our collection, use and disclosure of health information will comply with the APPs and the HPPs.

Where required, we will also comply with the requirements of the GDPR.

In this Privacy Policy, when we refer to personal information we also mean to include sensitive information and health information, unless we say otherwise.  We also use the term to mean personal data which is the phrase used in some countries.

3. What types of personal information does Orygen collect and hold?

Orygen only collects personal information that is reasonably necessary for one or more of our functions or activities or to ensure that we comply with relevant laws. 

We collect personal information from individuals who receive our Services as well as those who help us provide our Services.  The type of information we collect will depend on who you are – it may include:

 

   


For young people with mental illness, family, friends and supporters

  • Name, date of birth and gender identity
  • Contact information including address, postcode, email, telephone/mobile number
  • Details regarding your ethnicity
  • Health information and medical history, in particular history with mental illness and treatments
  • Details of the Services we have provided you and of your dealings with us
  • Aboriginal and Torres Strait Islander heritage

For research study participants
  • Name, date of birth and gender identity
  • Contact information including address, postcode, email, telephone/mobile number
  • Details regarding your ethnicity
  • Health information and medical history
  • Aboriginal and Torres Strait Islander heritage

For participants in Orygen’s education and training programs
  • Name
  • Contact information including address, postcode, email, telephone/mobile number
  • Institutional affiliations and employer
  • Details of the Services we have provided you and your dealings with us
  • Payment or billing information (including bank account details, credit card details, billing address and invoice details) for any programs for which you have paid
  • Aboriginal and Torres Strait Islander heritage

For health professionals
  • Name
  • Contact information including address, postcode, email, telephone/mobile number
  • Details of your use of our Services and your dealings with us
  • Aboriginal and Torres Strait Islander heritage

For participants in Orygen’s fundraising or advocacy campaigns
  • Name, date of birth and gender identity
  • Contact information including address, postcode, email, telephone/mobile number
  • Your opinions via surveys and questionnaires or any other way you have provided them to us
  • Details relating to any donations you have made to Orygen
  • Your employer details for any workplace giving program
  • Records of your transactions and communications with us
  • If relevant, details of your personal interests

For donors
  • Name, date of birth and gender identity
  • Contact information including address, postcode, email, telephone/mobile number
  • Payment or billing information (including bank account details, credit card details, billing address)
  • Details relating to donations you have made to Orygen
  • Records of your transactions and communications with us
  • If relevant, details of your personal interests

For employees or job applicants
  • Name, date of birth and gender identity
  • Contact information including address, postcode, email, telephone/mobile number, emergency contact details
  • Details regarding Aboriginal and Torres Strait Islander heritage
  • Employment history, qualifications, Curriculum Vita and job references
  • Fitness for work including licensing, registrations, police checks and working with children checks
  • Banking details to process payments such as wages or reimbursements
  • Government related identifiers such as your tax file number

For volunteers
  • Name, date of birth and gender identity
  • Contact information including address, postcode, email, telephone/mobile number,
  • Emergency contact details
  • Details regarding Aboriginal and Torres Strait Islander heritage
  • Fitness for work checks, including police check and/or working with children check
  • Banking details to process payments such as reimbursements

For collaborators
  • Name
  • Contact information including address, postcode, email, telephone/mobile number
  • Details of the collaboration
  • Institutional affiliations and employer

For suppliers and service providers
  • Name
  • Contact information including address, postcode, email, telephone/mobile number
  • Details of your dealings with us and the goods or services provided
  • Payment information (including bank account details, credit card details, billing address)
  • Employer for the services provided to Orygen

For users of our website and social media pages
  • Name
  • Contact information including address, postcode, email, telephone/mobile number
  • Your username and password for accounts set up on our website including your social media handle if you choose to use it


If you do not wish to provide your personal information

In some circumstances, you can also choose to deal with Orygen anonymously or using a pseudonym, or you can choose not to provide us with some or all of your personal information or ask that we do not store some or all of it.  This may affect Orygen’s ability to provide our Services as fully as we would like.

4. How does Orygen collect personal information?

From you

Orygen aims to collect personal information directly from you, unless it is unreasonable or not practical to do so. 

We may collect personal information in the following ways.

  • In person, for example if you attend one of our clinical services, participate in a research study or trial, or attend an event
  • By telephone, for example if you contact us to seek or enquire about our clinical services
  • By email, for example if you apply for a job or a volunteer position, or send us a message through our website
  • Online, for example if you set up an account with Orygen on our website, send us an enquiry via our website, fill in a website form, register to receive updates and news or sign up for an event online.
  • From publicly available sources of information.
  • For staff and volunteers, via an online enterprise system associated with the employment and management of staff records and salary payments or a secure file storage system.

From a third party

We may collect personal information from third parties, including health professionals or from your family, friend or other support person, for example, where you have consented to this or are unable to provide us with your personal information directly, or where your family, friend or other support person contacts us to seek clinical services on your behalf.

For the purpose of fundraising, we may collect personal information from third parties that organise fundraising on our behalf, or from a third party known to you who makes a donation and nominates you as the recipient of communication going forwards.

Information provided by ‘Cookies’

Orygen sometimes uses ‘cookies’ as a reporting mechanism.  Cookies identify traffic coming into and out of the Orygen website.  Cookies enable our webserver to collect information back from your browser each time you visit the Orygen website.

Cookies do not identify individual users.  When you visit the Orygen site, our servers may record information about your usage, the time of your visit, its duration, the pages you visit and style settings.  Orygen does not collect information that can identify the individuals who visit the site.  When you look at our website, Google Analytics compiles data that records and logs your visit with the following information which we collect for statistical purposes:

  • the user's server address
  • the user's top-level domain name (for example, .com, .gov, .au, .uk, etc.)
  • the date and time of the visit to the site
  • the pages accessed and documents downloaded
  • the search words and referral sites used
  • the type of browser used

Access to, and use of, this information is restricted to Orygen.  We will not attempt to track or identify individual users or their browsing activities, except in the unlikely event of an investigation, where a law enforcement agency may exercise a warrant to inspect Google Analytics logs. 

Orygen will only use statistics we get from cookies to understand how our website is used so we can continue to improve and update it.

5. For what purposes does Orygen collect personal information and how do we use it?

Orygen collects your personal information for the purpose of delivering our Services.

In addition, we collect, hold, use and disclose your personal information for the following purposes.  In some countries, this is known as ‘processing’ personal information.

We generally rely on an individual’s explicit consent to collect, hold, use and disclose their personal information.  Depending on the circumstances, we will sometimes rely on Orygen’s legitimate interests, the need to perform a task in the public interest or a legal obligation placed on Orygen as the basis for collecting, holding, using or disclosing your personal information.

Where we have collected your data on the basis of your consent, you can withdraw that consent at any time – see sections 9 to 11 below.

Research purposes

Orygen may collect personal information to conduct research in many aspects and areas of mental health.  For information on how we disclose personal information for the purpose of research, see Section 6 below. 

Personal information that we collect for research purposes is not used for other purposes unless you consent to those other purposes.  Consent for research purposes complies with the National Statement on Ethical Conduct of Human Research. Where we collect personal information for a research project involving a collaborator, we will ensure that the collaborator treats your personal information in the same way in which we treat it.

Research studies which require ethics approval from an Australian Human Research Ethics Committee (HREC) may have additional obligations in relation to our collection of personal information.  These research studies will comply with the conditions of the relevant HREC ethics approval and governance offices.

Clinical services

Orygen may collect personal information to provide you with quality care and support, including diagnosis and treatment by health professionals.  We may also collect your personal information to send you reminder and follow up notices and to invite you to participate in research projects.

Other purposes

Depending on what Services we are delivering, we may collect, hold, use and disclose your personal information for a number of other purposes, including the following:

  • To provide services to you and to send communications requested by you
  • To refer you to programs, services or research studies
  • To arrange your participation in education and training programs and for your participation in and the conduct of these programs including engagement with other participants
  • To provide you with news and information about our work
  • To encourage you to learn about and act on supporting us and our work (unless you have asked us not to)
  • To promote our programs and activities, including fundraising, education and training
  • To process donations and provide receipts
  • To enhance your experience of our website and online training programs
  • To help individuals to assist us with our activities, such as fundraising, advocacy campaigns and volunteering with us
  • To confirm your identity when you make enquiries about your donation
  • To respond to questions from or about a prospective, current or past employee
  • To provide support services and to evaluate these services
  • To provide youth participation and advisory activities
  • For the administrative, employment (including secondment), planning, service development, quality control and research purposes of Orygen
  • For quality improvement and clinical governance requirements such as accreditation. In general, we will de-identify any personal information used for these purposes.
  • To comply with any law, rule, regulation, lawful and binding determination, decision or direction of a regulator, or in co-operation with any governmental authority of any country
  • Where we are required to disclose by law (e.g. under subpoena, court order, suspected child abuse) or in connection with legal proceedings or advice where:
    • You are being seriously hurt by someone
    • You are thinking of seriously harming yourself
    • Someone else is being, or is likely to be, seriously hurt by you or another person
    • You tell us you are being abused (this must be reported by law)
    • A court order is recevied directing us to disclose information
  • To update our records and keep your contact details up to date
  • To process and respond to any complaint made by you and/or your nominated representative

Direct marketing

You may opt out of receiving communications from us in relation to news, marketing and fundraising at any time by contacting us by email, mail: 35 Poplar Road Parkville VIC 3052 or telephone: 1800 ORYGEN (1800 679 436), or where applicable by selecting the unsubscribe option in our electronic communications.

6. Who does Orygen disclose personal information to?

In connection with the purposes set out in section 5 above, Orygen may provide your personal information to the following people or organisations.

  • Our staff, volunteers and approved contractors.
  • Our partners, affiliates and consultants: people or organisations that work with us or help us in conducting Orygen’s business and providing the Services.
  • Our service providers: that assist us with archival, auditing, accounting, customer contact, legal, business consulting, banking, payment, debt collection, delivery, data processing, data analysis, document management, research, investigation, insurance, website or technology services or other third parties required to support our services.
  • Researchers and research collaborators: to invite you to participate in research studies and, if you agree, to conduct research studies into the prevention, diagnosis, treatment of mental disorders or other areas of research or quality assurance activities. Your personal information may be stored on secure databases controlled by parties outside of Orygen. Generally, personal information provided for research projects is de-identified (so you can’t be identified) unless your consent is obtained.  Disclosure of personal information for research purposes will be subject to our legal obligations and relevant HREC ethics approvals.
  • Other support services: health care professionals, counsellors or other parties that provide you with support services.
  • For prospective employees: we may exchange personal information with those staff within our organisation who are involved in recruitment.
  • For fundraising purposes: if you have made a donation to Orygen, Orygen may provide your personal information to other charities that we collaborate with, in order to for those charities to send you mail-outs containing information that may be of interest to you.  These charities usually allow us to do the same and by collaborating like this we can reach more people with important information. You may opt-out of us sharing your information with other charities.
  • For education and training purposes: with other participants in the programs. You may opt-out of us sharing this information.
  • Any organisation or any person that you expressly allow us to provide it to.

When we transfer your personal information to a third party we take all reasonable steps to ensure that your personal information will be treated by that third party in accordance with the privacy laws set out in Section 1 above and/or with applicable privacy laws.

7. Do we disclose personal information to anyone outside of Australia?

From time to time we may be required to disclose your personal information to our research collaborators and funding bodies overseas for any of the purposes outlined in this Policy.  We will seek your consent if we do this. In addition, we may store your personal information on cloud servers which are based outside of Australia.

Where we do transfer your personal information to another country, we will take all reasonable steps to protect it and to comply with applicable laws, including ensuring binding agreements are put in place before any personal information is transferred. 

8. How does Orygen keep personal information secure?

Orygen takes a range of steps to keep any personal information we hold about you secure.  Depending on the circumstances, these may include electronic access controls, premises security, network firewalls and appropriate anti-virus software. We comply with Payment Card Industry Data Security Standards in relation to payment card transactions. Our staff, volunteers and contractors are required to comply with our policies and procedures relating to personal information. We also put in place appropriate contractual requirements with third parties which require them to maintain the security of the personal information.

While we take all reasonable and appropriate steps, we cannot guarantee the security of any information that you send to us using our website or other online means, such as email.  Accordingly, any personal information or other information that you transmit to us through our website or by email is transmitted at your own risk.

Please notify us immediately if you become aware of any breach of security.

We retain personal information for the minimum period for which we are required to retain it under relevant laws. We securely archive any information that we are not actively using. Any information collected for the purpose of research is held by us indefinitely.

9. Your rights in relation to personal information – access and correction

Orygen takes reasonable steps to ensure that personal information that it collects, uses or discloses is accurate, complete and relevant to our Services. 

Access

You may request access to any personal information that Orygen holds about you at any time and if you are subject to GDPR, you may request that it is transmitted to another party.  There may be circumstances where we do not grant you access to your personal information, such as where we think it may pose a threat to someone’s life or health or where it creates an unreasonable impact on the privacy of someone else. 

Where we refuse access to any part of your personal information, we will notify you in writing of our reasons for refusal and how you can make a complaint.

Correction

You may ask Orygen to update or correct your personal information that we hold at any time.  We will also take reasonable steps to update your personal information where we are notified or we consider that it is inaccurate, out of date, incomplete, or irrelevant or misleading for the purpose for which we are holding it.  If we have provided your personal information to any third party, we will also take reasonable steps to notify that third party of the corrections to your personal information.

Where we refuse to update or correct your personal information, we will notify you in writing of our reasons for refusal and how you can make a complaint.

Deletion

You may also ask Orygen to delete or de-identify your personal information that we hold.  There may be instances where we cannot agree to that request, for example if we still need the personal information for the purpose that we collected it for, or where we are legally required to keep it.  If that is the case, we will notify you in writing of the reasons for our refusal and how you can make a complaint.

Contact

If you require access to, or would like us to update, correct or delete, your personal information, please contact us on the details provided in Section 11 below. 

10. How can you make a complaint about our handling of personal information?

If you wish to make a complaint about our handling of your personal information, please contact Orygen’s Privacy Officer at the details set out in Section 11 and provide us with details of the complaint so that we can appropriately investigate it.  We may require any complaint to be made in writing first so that we can be sure about the details of the complaint and we may ask you for further information about your complaint and to verify your identity.  We may also need to engage or consult with other parties to investigate and deal with the report. 

We will investigate your complaint and provide you with a response as soon as possible and within 30 calendar days of receiving your complaint (or as otherwise required by our legal obligations).  If we cannot respond within this timeframe, we will contact you and explain the reason for the delay and give you a new timeframe for our response.  We will provide you with status updates regarding your request, as required.

After we have completed our enquiries we will contact you, usually in writing, to advise the outcome and invite a response from you.

If you have a complaint about how we handle your personal information and you feel Orygen has not resolved your issue or complaint to your satisfaction, then you can escalate your privacy concern and you have the right to make a complaint to the relevant data protection authority (for example in the place you reside or where you believe Orygen has breached your rights). 

If you are based in Australia:

Office of the Australian Information Commissioner
Online: www.oaic.gov.au/privacy
Phone: 1300 363 992

In respect of any complaints relating to health information which is not covered under the Privacy Act:

Victorian Health Complaints Commissioner
Online: https://hcc.vic.gov.au/
Phone: 1300 582 113

If you are based in a country other than Australia, you will need to contact the data protection authority that regulates privacy of your data.

11. Contacting Orygen – enquiries or complaints

If you have any enquiry about this Privacy Policy, or a complaint about the way Orygen has handled your personal information, please contact Orygen’s Privacy Officer (who is also Orygen’s Data Protection Officer for GDPR purposes) at:

Privacy Officer
Locked Bag 10
Parkville VIC 3052

Email: [email protected]

Phone: +61 3 9966 9100 and ask to speak with Orygen’s Privacy Officer

12. Changes to this Privacy Policy

We may revise this Privacy Policy from time to time.  The revised version will be published on our website and any changes will take effect immediately from the date of publication.