Cancer Council Queensland Privacy Policy
1 Purpose
In this Privacy Policy, the expressions “CCQ”, “we”, “us” and “our” are a reference to Cancer Council Queensland ACN 009 784 356.
CCQ takes privacy seriously. We are committed to respecting your privacy and protecting your personal information.
This Privacy Policy applies to personal information collected, held, used and disclosed by us. We are bound by the Privacy Act 1988 (Cth) (the “Privacy Act”), which governs the way private sector organisations collect, use, keep secure and disclose personal information. The Privacy Act incorporates the Australian Privacy Principles. From time to time we may also be required (pursuant to contracts with the Queensland government) to comply with the Information Privacy Act 2009 (Qld) in relation to personal information that we collect, hold, use and disclose in connection with such contract/s.
In addition, from time to time, when performing functions for the Queensland government, we may be obliged to comply with the Human Rights Act 2019 (Qld) (the “Human Rights Act”). When performing those functions we consider and act compatibly with human rights (including the right to privacy).
If you have any concerns about the manner in which your personal information has been collected, stored, used or disclosed by us, we have put in place an effective mechanism and procedure for you to contact us so that we can attempt to resolve the issue. You can e-mail us at privacyofficer@cancerqld.org.au or write to us at Privacy Officer, Cancer Council Queensland, PO Box 201, Spring Hill Qld 4004 and we will then attempt to resolve the issue.
We recommend that you keep this information for future reference.
2 I don’t have time to read the whole policy. What should I read first?
If all you want is a snapshot of our personal information handling practices, you can have a look at our Privacy Policy Position Statement. This offers an easy to understand summary of:
- how we collect, use, disclose and store your personal information; and
- how you can contact us if you want to access or correct personal information we hold about you.
If, on the other hand, you are in search of a more comprehensive explanation of our information handling practices, then this is the document for you.
3 Policy Statement and Details
3.1 What is personal information
The Privacy Act defines “personal information” to mean information or an opinion whether true or not, and whether recorded in a material form or not, about an identified individual or an individual who is reasonably identifiable.
3.2 Sensitive information
3.2.1 What is sensitive information?
Sensitive information is a subset of personal information. It means information or an opinion about an individual’s racial or ethnic origin, political opinions, membership of a political organisation, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices or health information.
In general, we attempt to limit the collection of sensitive information but this is not always possible given the counselling, support and Research Services performed by CCQ. “Research Services” include cancer research, and statistical compilation and analysis that is conducted or supported by CCQ. Where required, we will collect sensitive information from you, or from third parties about you, in order to carry out the services provided to you, or in order to carry out or support our Research Services. We do not collect sensitive information from you without your consent. We may, however, receive sensitive information about you from third parties without your consent (where this is permitted by the Privacy Act or other applicable laws) in order for us to provide you with services or carry out our Research Services.
The type of sensitive information we may collect from you or record about you is dependent on the services provided to you and/or the purpose of collection and will be limited to the purpose(s) for which it is collected. We do not use sensitive information to send you Direct Marketing Communications (as defined in paragraph 7 below) without your consent.
3.2.2 Consent to collection of certain types of sensitive information
We may collect certain types of sensitive information where you have consented and agree to the collection of such information, or where otherwise provided to us in order for us to conduct our Research Services.
We may also collect sensitive personal information without your consent in accordance with the Privacy Act and any other applicable laws. The main types of sensitive personal information that we may collect without your consent relate to:
- the criminal record of an individual;
- the health or medical information of an individual; and
- genetic information,
but only to the extent that you volunteer such information or if it is necessary for, or incidental to, the purposes of collection set out in paragraph 5 or as otherwise permitted or required by law.
4 Collection of your personal information
4.1 Types of information we may collect and hold
We only collect and hold personal information where that is necessary for what we do. The type of information we may collect and hold includes:
- your contact information (both home and work) such as full name (first and last), e-mail address, current postal address and phone numbers;
- your date of birth;
- your employment details, including but not limited to your job title, any training and skills you may have;
- your insurance policies and details, if applicable;
- your opinions via surveys and questionnaires, if applicable;
- details relating to the goods and services you have obtained from us;
- details relating to the events or activities that you have participated in, in connection with us;
- details relating to donations made to us;
- if you are making a donation or requesting products or services from us or we are purchasing goods or services from you, then any relevant payment or billing information (including bank account details, credit card details, billing address and invoice details);
- any sensitive information listed in paragraph 3.2; and
- your username and password when setting up an account on our website.
4.2 Direct collection
As much as possible, we will collect your information directly from you. We also obtain personal information from third parties such as our service providers, charitable or likeminded organisations, grant providers and recipients, government departments and agencies, volunteers, medical health personnel, research institutions, and Cancer Council Australia and state and territory Cancer Councils that are members of Cancer Council Australia (“Cancer Councils”).
If we collect details about you from someone else and it is unclear that you have consented to the disclosure of your personal information to us, we will, whenever reasonably possible (unless we are legally exempt from complying with this obligation), make you aware that we have done this and why. If you have provided us with personal information in relation to another person we ask that you only do so with that individual’s consent (or that you are otherwise legally entitled to do so) and (where appropriate) that you provide that individual with a copy of this Privacy Policy.
4.3 Optional activities
When you engage in certain activities, such as purchasing a product, signing up for a service, entering a contest or promotion, filling out a survey or sending us feedback, we may ask you to provide certain information. It is completely optional for you to engage in these activities.
4.4 Mandatory information
Depending upon the reason for requiring the information, some of the information we ask you to provide may be identified as mandatory or voluntary. If you do not provide the mandatory data, or any other information we require in order for us to provide our services to you, we may be unable to effectively provide our services to you.
4.5 Online activity
If you use our Website, we may utilise “cookies” which enable us to monitor traffic patterns and to serve you more efficiently if you revisit the site. A cookie does not identify you personally but it does identify your computer. You can set your browser to notify you when you receive a cookie and this will provide you with an opportunity to either accept or reject it in each instance.
We may gather your IP address as part of our business activities and to assist with any operational difficulties or support issues with our services. This information does not identify you personally.
We use Google Analytics to track visits to our website, and use this information to track the effectiveness of our website to inform and optimise content based on your past visits to our site. While this data is mostly anonymous, sometimes we will connect it to you, for instance in personalising a webpage, or prefilling a form with your details. We also use pixel tracking, which indicates when your computer has visited pages on our websites where a pixel has been installed. As with cookies, this does not identify you personally, only the device you are using.
5 How we may use and disclose your personal information
5.1 Use and disclosure
We will only use or disclose your personal information for the primary purposes for which it was collected or as consented to and/or as set out below.
You consent to us using and disclosing your personal information to facilitate the applicable primary purpose/s for which such information was collected in connection with:
- if required, the verification of your identity;
- fundraising, including the processing of donations and grants;
- the processing of scholarships, awards and courses;
- undertaking our Research Services;
- the processing of orders, including to communicate with you concerning such orders;
- the provision of our goods and services to you (as applicable), including but not limited to counselling, support services, volunteering and fundraising;
- the administration and management of donations or our goods and services, including charging, billing, credit card authorisation and verification and collecting debts to the extent that such information is not directly provided to our third party hosted payment system for processing;
- the improvement of our services (including to contact you about those improvements and asking you to participate in surveys about the goods and services);
- the maintenance and development of our goods and services, products, business systems and infrastructure;
- marketing, events and promotional activities conducted by us and other Cancer Councils (including by direct mail, telemarketing, email, SMS and MMS messages);
- providing customer service functions, including handling customer enquiries and complaints;
- offering you updates, or other content or products and services that may be of interest to you;
- our compliance with applicable laws;
- your employment (or potential employment) by us; and
- any other matters reasonably necessary to facilitate the primary purpose and to continue to provide our goods and services.
5.2 When we will seek your consent
We will not use or disclose your personal information without your consent unless:
- it is disclosed or used for a purpose related to the primary purposes of collection and you would reasonably expect your personal information to be used or disclosed for such a purpose;
- we reasonably believe that the use or disclosure is necessary to lessen or prevent a serious or imminent threat to an individual’s life, health or safety or to lessen or prevent a threat to public health or safety;
- we have reason to suspect that unlawful activity has been, or is being, engaged in; or
- it is required or authorised by law.
5.3 Additional consent required
In the event we propose to use or disclose such personal information other than for reasons in paragraphs 5.1 and 5.2 above (and unless paragraph 5.5 applies), we will first seek your consent prior to such disclosure or use.
5.4 Opt-outs
If you have received communications from us and you no longer wish to receive those sorts of communications, you should contact us by e-mail at crmoperations@cancerqld.org.au or write to us at Data Services, Cancer Council Queensland, PO Box 201, Spring Hill Qld 4004 and we will ensure the relevant communication ceases. If you are a Supporter you can also email us at donorrelations@cancerqld.org.au or call us on 1300 65 65 85.
5.5 Disclosure required by law
Any other use or disclosure we make of your personal information will only be as required by law or as permitted by the Privacy Act, by this Privacy Policy or otherwise with your consent.
6 The types of organisations to which we may disclose your personal information
6.1 Disclosure to third parties
We will not disclose your personal information to organisations outside of CCQ unless we have your consent to do so, or we are legally obliged or permitted to do so, and such disclosure is in relation to the goods or services we provide to you or for a purpose permitted by this Privacy Policy. We may obtain your consent by virtue of the operation of other parts of this Privacy Policy or by including an opt-out clause in our communications with you. Furthermore, we will not make such disclosures to third parties unless we have taken such steps as are reasonable to ensure that these organisations and/or parties use your personal information in accordance with the terms of the Privacy Act.
Examples of organisations and/or parties that your personal information may be provided to, where appropriate given the goods or services that we are providing to you, and where we have your consent to do so, include:
- charitable or likeminded organisations, and grant and award providers that are aligned with CCQ, and third party service providers who facilitate the sharing of information between such types of organisations;
- third party service providers, Government departments and agencies, volunteers and medical health personnel that may assist CCQ with financial support, transportation, accommodation, counselling, fundraising and support services;
- third party service providers, Government departments and agencies, research institutions including but not limited to hospitals and universities, volunteers and medical health personnel that are concerned with cancer research and prevention;
- other Cancer Councils; and
- our contractors, third party service providers, volunteers and agents.
7 Direct Marketing
7.1 Consent for Direct Marketing
Any privacy collection statement that we provide to you will include information about how we will use and/or disclose your personal information so that you can receive information about programs, products, services, events, fundraising or other activities (including third party products, services, events and fundraising) which we think may interest you (“Direct Marketing Communications”). This may include the disclosure of your personal information to other Cancer Councils or to other likeminded organisations (including other charities, and third-party service providers who facilitate the sharing of information between such types of charitable or likeminded organisations) who may also use your personal information to send you Direct Marketing Communications. We will take reasonable steps to ensure that your information is used by such organisations in accordance with the terms of the Privacy Act.
7.2 Opt out of Direct Marketing
If at any time you do not wish us to disclose your personal information to others under paragraph 7.1 or you do not wish to receive any further Direct Marketing Communications from us, then you can opt out. Instructions on how to opt out will be set out in our Direct Marketing Communications.
In the case of disclosures to other likeminded organisations we will give you an opportunity to opt out not less than 30 days before we disclose your personal information to such organisations. You may do this by contacting us by email at donorelations@cancerqld.org.au, by calling our Supporter Hotline 1300 65 65 85 or by writing to us at Philanthropy and Supporter Experience, Cancer Council Queensland, PO Box 201, Spring Hill Qld 4004.
8 Cross Border Disclosure
8.1 Disclosure of personal information to overseas recipients
CCQ acknowledges the importance of protecting personal information and has taken reasonable steps to ensure that your information is used securely by third parties, including overseas recipients, and in accordance with the terms of this Privacy Policy.
CCQ may from time to time enter into contractual arrangements with third party service providers to assist us with providing our goods and services. It may also transfer your personal information to other charitable or likeminded organisations or to grant and award providers which are aligned with CCQ, pursuant to paragraph 6.1 of this Privacy Policy. As a result, personal information provided to CCQ may be disclosed to overseas recipients. For a list of countries where overseas recipients are likely to be located please refer to our Privacy – Offshore Countries Guideline at cancerqld.org.au/about-us/our-privacy-policy/privacy-offshore-countries-guideline/. Personal information may also be accessed by employees or by other third parties operating outside Australia who work for us or for one of our suppliers, agents, partners, or other Cancer Councils.
Overseas organisations may be required to disclose information we share with them under a foreign law. In those instances, we will not be responsible for that disclosure. However, we will take reasonable steps (including through contractual arrangements) to ensure that when we disclose your personal information to an overseas recipient, that recipient does not breach the Australian Privacy Principles.
8.2 Consent to disclosure to overseas recipients
By submitting your personal information to CCQ, you expressly agree and consent to the disclosure of your personal information to overseas recipients, as described in paragraph 8.1. In providing this consent you understand and acknowledge that countries outside Australia do not always have the same privacy protection obligations as Australia in relation to personal information. You acknowledge that if such overseas recipients handle your personal information in breach of the Australian Privacy Principles they and we will not be accountable under the Privacy Act and you will not be able to seek redress under the Privacy Act.
If you do not agree to the disclosure of your personal information to overseas recipients, please contact us by email at crmoperations@cancerqld.org.au or by writing to us at Data Services, Cancer Council Queensland, PO Box 201, Spring Hill Qld 4004. Please note that we may not be able to provide some services and/or products to you as a result of your election not to have your personal information disclosed to overseas recipients.
9 Data quality and security
9.1 Storage and Security
At all times we will take reasonable steps to help ensure your personal information is safe including:
- making sure that the personal information we collect, use or disclose is accurate, complete and up to date;
- protecting your personal information from misuse, loss, unauthorised access, modification or disclosure both physically and through computer security methods; and
- destroying or permanently de-identifying personal information if it is no longer needed for any authorised purpose.
You will appreciate, however, that we cannot guarantee the security of all storage and transmissions of personal information, especially where the internet is involved.
Your personal information will be stored on a password protected electronic database, which may be on our database, a database maintained by a cloud hosting service provider or other third party database storage or server provider. Backups of electronic information are written to drives which are stored offsite.
Hard copy information is generally stored in our offices, which are secured to prevent entry by unauthorised people. Any personal information not actively being used is archived with a third party provider of secure archiving services or is destroyed or de-identified if no longer needed.
Where personal information is stored with a third party, we have arrangements which require those third parties to maintain the security of the information. We take reasonable steps to protect the privacy and security of that information, but we are not liable for any unauthorised access or use of that information. Your personal information will stay on the database indefinitely until you advise you would like it removed, unless we de-identify it or destroy it earlier in accordance with privacy law requirements.
9.2 Responding to a Data Breach
A data breach occurs when personal information is lost or subjected to unauthorised access, modification, use or disclosure or other misuse (a “Data Breach”). We have implemented a Data Breach Response Plan which sets out procedures and clear lines of authority for us to respond to a confirmed or suspected data breach. Our Data Breach Response Plan will guide our Data Breach Response Team through the following six key steps when responding to a Data Breach:
- Detect a potential or actual Data Breach.
- Analyse the incident to determine the impact and scope of the threat, by gathering the facts and evaluating the risks (including potential harm to affected individuals) and, where possible, take action to remediate any risk of harm. We will notify affected individuals and the Australian Information (Privacy) Commissioner if required. If the Data Breach is an ‘eligible data breach’ under the Notifiable Data Breach scheme, it may be mandatory for us to notify.
- Contain and isolate the Data Breach to limit its ability to spread.
- Eradicate the identified compromise indicators, such as deleting malware and removing unauthorised user access, as well as identifying and mitigating all exploited vulnerabilities.
- Recover by enacting processes and procedures to enable restoration of any systems, devices, or accounts affected by the Data Breach. In recovery, responders will restore systems to normal operation, confirm that the systems are functioning normally, and (if applicable) remediate vulnerabilities to prevent similar incidents.
- Review the incident and consider what actions can be taken to prevent future Data Breaches. Teams will perform root-cause analysis and lessons learned activities with various teams and stakeholders. Any recommended outcomes will be implemented to ensure continuous improvement.
9.3 Accuracy
The accuracy of personal information depends largely on the information you provide to us, so we recommend that you:
- let us know if there are any errors in your personal information; and
- keep us up-to-date with changes to your personal information (such as your name or address).
10 Access, corrections and complaints
10.1 Access
You are entitled to have access to any of your personal information which we possess, except in some exceptional circumstances provided by law. You can gain access by emailing us at privacyofficer@cancerqld.org.au or writing to us at Privacy Officer, Cancer Council Queensland, PO Box 201, Spring Hill Qld 4004. We reserve the right to charge a fee for searching for and providing access to your information.
10.2 Correction and Deletion
You may request that we correct or destroy the personal information that we hold about you. However, in some cases we may be required by law to retain your personal information or we may be permitted to retain it in accordance with this Privacy Policy. We may also need to keep track of your personal information for our accounting and audit requirements. Furthermore, it may be impossible to completely destroy your personal information because some information may remain as backups. You can make requests of this nature by contacting us at crmoperations@cancerqld.org.au or writing to us at Data Services, Cancer Council Queensland, PO Box 201, Spring Hill Qld 4004.
10.3 Complaints
If you have any queries or would like to make a complaint relating to our Privacy Policy or the manner in which we handle your personal information, please email us at privacyofficer@cancerqld.org.au or write to us at Privacy Officer, Cancer Council Queensland, PO Box 201, Spring Hill Qld 4004. We will respond to complaints and queries as soon as reasonably practicable. If you are dissatisfied with our response, you may refer the matter to the Australian Information (Privacy) Commissioner (see www.oaic.gov.au).
If the Human Rights Act applies to a service that you have received from us (i.e. certain services that CCQ provides pursuant to contracts with the Queensland government) and you believe that your human rights (for example your right to privacy) have been breached, please let us know and we will respond within 45 business days. If you are not satisfied with our response after this time, you can complain to the Queensland Human Rights Commission (see www.qhrc.qld.gov.au).
11 Governing law
This Privacy Policy is governed by the laws in force in Queensland, Australia. You agree to submit to the exclusive jurisdiction of the courts of that jurisdiction.
12 Consent
12.1 Consent
By using our website or by accepting our terms and conditions which refer to this Privacy Policy, you are agreeing to the terms of this Privacy Policy.
12.2 Amendments to this Privacy Policy
We reserve the right to modify our Privacy Policy as our business needs require. We will post such changes on our website, after which, your continued use of the website or your continued dealings with us shall be deemed to be your agreement to the modified terms.