Privacy Policy

1. Orygen’s obligations and commitment

Orygen (we, us, our) is committed to protecting the privacy of your personal information. 

This Privacy Policy explains how we collect, use, disclose, and securely store your personal information. This Privacy Policy also explains how you can access and correct the information we hold about you, and how you can make a privacy complaint. 

We will handle your personal information in compliance with the following laws: 

  • the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (the APPs) that are set out in the Privacy Act; 

  • the Health Records Act 2001 (Vic) (Health Records Act) and the Health Privacy Principles (the HPPs) that are set out in the Health Records Act; 

  • other states’ and territories’ health privacy legislation as applicable;  

  • other privacy laws where we are contractually required to comply with them, including the Privacy and Data Protection Act 2014 (Vic) where we are required to do so under a ‘State contract’ under that Act; and 

  • in some instances, the European Union’s General Data Protection Regulation 2016/79 (EU GDPR), in circumstances where the GDPR applies to Orygen’s activities involving individuals or entities located in the European Union (EU) and where Orygen is processing their personal data, or where Orygen enters into a binding contract requiring it to abide by the provisions of the GDPR. 

We will act in accordance with these laws when we carry out our activities, including providing clinical and other care to young people, researching better interventions, treatments and service systems, providing training to the mental health workforce and the community, conducting fundraising and advocacy as well as undertaking activities in relation to our staff and applicants for roles with us (our Services). 

2. What is ‘personal information’?

Personal information is information or an opinion about an individual who is identified, or can be reasonably identified, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not. 

Our collection, use and disclosure of personal information complies with the APPs and HPPs. 

Sensitive information is a type of personal information that is given a higher level of protection under the Privacy Act. It includes information or an opinion about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association or trade union, sexual orientation or criminal record. It also includes health information. 

Our collection, use and disclosure of sensitive information complies with the APPs and HPPs. 

Health information is a type of both personal information and sensitive information. It includes information or an opinion about: 

  • an individual’s physical, mental or psychological health, or a health service provided or to be provided to them;  

  • an individual’s expressed wishes about the future provision of health services to them; 

  • other personal information collected in providing a health service to an individual; and 

  • genetic information about an individual that could predict the health of that individual or their genetic relatives. 

In this Privacy Policy, when we refer to personal information, we also mean to include sensitive information and health information unless stated otherwise. We also use the term to mean personal data which is the phrase used in some countries. 

3. What types of personal information does Orygen collect?

Orygen only collects personal information that is reasonably necessary for one or more of our functions or activities or to ensure that we comply with relevant laws. 

We collect personal information from individuals in order to provide them with our Services, and from individuals who help us provide our Services in order to manage our relationship with them. The type of information we collect will depend on who you are – it may include: 

   

For young people with mental illness, family, friends and supporters

  • Name, date of birth and gender identity
  • Contact information including address, postcode, email, telephone/mobile number
  • Details regarding your ethnicity
  • Health information and medical history, in particular history with mental illness and treatments
  • Details of the Services we have provided you and of your dealings with us
  • Aboriginal and Torres Strait Islander heritage

Young people with mental illness, family and friends and supporters on Orygen Digital’s MOST platform and other online platforms, and referral from eligible services

  • Name, date of birth, gender identity and clinic (referring service) 

  • Contact information: telephone number, postcode 

  • Emergency contact  

  • Optional – address and email address 

  • Details regarding your ethnicity 

  • Optional health information and medical history, history of mental illness and treatments 

  • Details of the service we have provided you and your dealings with us 

  • Aboriginal and Torres Strait Islander heritage 

Open Access / Direct Access

  • Name, date of birth and gender identity 

  • Emergency contact 

  • Phone number, postcode 

  • Optional – email address and home address and other services involved 

For research study participants 
  • Name, date of birth and gender identity 

  • Contact information including address, postcode, email, telephone/mobile number 

  • Details regarding your ethnicity 

  • Health information and medical history 

  • Aboriginal and Torres Strait Islander heritage 

For participants in Orygen’s education and training programs 
  • Name 

  • Contact information including address, postcode, email, telephone/mobile number 

  • Institutional affiliations and employer 

  • Details of the Services we have provided you and your dealings with us 

  • Payment or billing information (including bank account details, credit card details, billing address and invoice details) for any programs for which you have paid 

For health professionals
  • Name 

  • Contact information including address, postcode, email, telephone/mobile number 

  • Details of your use of our Services and your dealings with us 

  • Aboriginal and Torres Strait Islander heritage 

For participants in Orygen’s fundraising or advocacy campaigns 
  • Contact information including address, postcode, email, telephone/mobile number 

  • Your opinions via surveys and questionnaires or any other way you have provided them to us 

  • Details relating to any donations you have made to Orygen 

  • Your employer details for any workplace giving program 

  • Records of your transactions and communications with us 

  • If relevant, details of your personal interests

For donors 

  • Name, date of birth and gender identity 

  • Contact information including address, postcode, email, telephone/mobile number 

  • Payment or billing information (including bank account details, credit card details, billing address) 

  • Details relating to donations you have made to Orygen 

  • Records of your transactions and communications with us 

  • If relevant, details of your personal interests 

For employees or job applicants 
  • Name, date of birth and gender identity 

  • Contact information including address, postcode, email, telephone/mobile number, emergency contact details 

  • Details regarding Aboriginal and Torres Strait Islander heritage 

  • Employment history, qualifications, Curriculum Vitae and job references 

  • Fitness for work including licensing, registrations, police checks and working with children checks 

  • Banking details to process payments such as wages or reimbursements 

  • Government related identifiers such as your tax file number 

For volunteers 
  • Name, date of birth and gender identity 

  • Contact information including address, postcode, email, telephone/mobile number 

  • Emergency contact details 

  • Details regarding Aboriginal and Torres Strait Islander heritage 

  • Fitness for work checks, including police check and/or working with children check 

  • Banking details to process payments such as reimbursements

For collaborators 
  • Name 

  • Contact information including address, postcode, email, telephone/mobile number 

  • Details of the collaboration 

  • Institutional affiliations and employer

For suppliers and service providers
  • Name 

  • Employer for the services provided to Orygen 

  • Payment information (including bank account details, credit card details, billing address) 

  • Details of your dealings with us and the goods or services provided 

  • Contact information including address, postcode, email, telephone/mobile number.

For users of our website and social media pages

  • Name 
  • Your username and password for accounts set up on our website including your social media handle if you choose to use it 

  • Contact information including address, postcode, email, telephone/mobile number

 

Can you be anonymous or use a pseudonym? 

You can be anonymous or use a pseudonym when you deal with us in some circumstances, for example, if you are enquiring about our Services generally or if you are using Open Access or accessing the community network on Orygen Digital’s MOST platform (although in order to access and post on the community network on MOST, registration and provision of certain personal information is required).  

We will likely need to identify you, however, if it is not practicable or lawful for you to remain anonymous or use a pseudonym when you deal with us. For example, if you are receiving clinical care from us, it may not be practicable for you to be anonymous or use a pseudonym, because this may prevent us from understanding your medical history and providing you with appropriate care and any follow up care. 

Do you need to provide your personal information? 

It is your choice whether you would like to provide your personal information to us. However, if you do not provide your personal information:  

  • if you are seeking to receive Services from us, we may not be able to provide you with appropriate Services or provide you with information relevant to you about our Services; or  

  • if you are another person we engage or work with, we may not be able to engage or work with you.  

4. How does Orygen collect personal information?

Orygen will collect personal information directly from you via lawful and fair means, unless it is unreasonable or not practical to do so. 

We may collect your personal information in the following ways: 

  • In person, for example if you attend one of our clinical services, participate in a research study or trial, or attend an event. 

  • By telephone, for example if you contact us to seek or enquire about our clinical services. 

  • By email, for example if you apply for a job or a volunteer position, or send us a message through our website. 

  • Online, for example if you set up an account with Orygen on our website, send us an enquiry via our website, fill in a website form, register to receive updates and news, sign up for an event online or set up an account to use Orygen Digital’s MOST platform online. 

  • From publicly available sources of information. 

  • For staff and volunteers, via an online enterprise system associated with the employment and management of staff records and salary payments or a secure file storage system. 

In some circumstances we may need to collect your personal information from other people, such as: 

  • From health professionals or from your family, friends or other support persons. We will only do this where you have consented, or where it is not reasonable or practicable to collect this information from you directly and this is otherwise permitted by the privacy laws.  

  • For the purposes of fundraising, from a third party who makes a donation and nominates you as the recipient of communication going forwards, where this is with your consent or otherwise permitted by the privacy laws. 

We will only collect your health information, if:  

  • you or your authorised representative has provided consent; or 

  • the information is necessary to provide a health service to you and you are incapable of providing consent and it is not reasonably practicable to obtain the consent of an authorised representative for yourself, or you do not have an authorised representative; or 

  • the collection is necessary to prevent or lessen a serious threat to public health or safety, or your or any other individual’s life, health, safety or welfare; or 

  • the collection is necessary to establish, exercise or defend against a legal or equitable claim; or 

  • the collection is otherwise permitted or required under law.  

Notification of Collection by Orygen  

When we collect your personal information, we will take reasonable steps to ensure you are aware of the details of the collection (including notifying you through this Privacy Policy), with such details being:  

  • Orygen's contact details; 

  • the purposes for which Orygen is collecting your personal information; 

  • the types of people, individuals or organisations (including overseas recipients) that Orygen usually discloses such information to; 

  • any laws that require the information to be collected;  

  • the main consequences (if any) for you if all or part of the information is not provided;  

  • that this Privacy Policy contains further information on how you can access or correct your personal information, and how you can complain about a breach of the APPs by Orygen;  

  • if Orygen is likely to disclose the information to overseas recipients, the countries where such recipients are likely to be located; and  

  • if your personal information is collected from a third party, that Orygen has done so and how Orygen has done so, unless doing so would pose a serious threat to the life or health of any individual or would involve the disclosure of confidential information or is otherwise unreasonable in the circumstances.  

Where we have collected your personal information with your consent, you can withdraw that consent at any time – see section 13 of this Privacy Policy below for our contact details. 

Information provided by ‘Cookies’ 

Orygen sometimes uses ‘cookies’ as a reporting mechanism. Cookies identify traffic coming into and out of the Orygen website. Cookies enable our webserver to collect information back from your browser each time you visit the Orygen website. 

Cookies do not identify individual users. When you visit the Orygen site, our servers may record information about your usage, the time of your visit, its duration, the pages you visit and style settings. Orygen does not collect information that can identify the individuals who visit the site. When you look at our website, Google Analytics compiles data that records and logs your visit with the following information which we collect for statistical purposes:  

  • the user's server address; 

  • the user's top-level domain name (for example, .com, .gov, .au, .uk, etc.); 

  • the date and time of the visit to the site; 

  • the pages accessed and documents downloaded; 

  • the search words and referral sites used; and 

  • the type of browser used. 

Access to, and use of, this information is restricted to Orygen. We will not attempt to track or identify individual users or their browsing activities, except in the unlikely event of an investigation, where a law enforcement agency may exercise a warrant to inspect Google Analytics logs. 

Orygen will only use statistics we get from cookies to understand how our website is used so we can continue to improve and update it. 

5. For what purposes does Orygen collect personal information and how do we use it?

We will generally only collect and use your personal information for the primary purpose for which you have (or a third party has) provided it to us. For example, if you are seeking or receiving our Services, we will use your personal information to deliver Services to you. If you are another person we engage or work with, we will use your personal information to manage our relationship with you.  

 

If you have consented to the use of your personal information for any other purposes (secondary purposes), we will use your information for those purposes. 

The primary purposes for which we collect and use your personal information are set out below:  

Research purposes 

Orygen may collect and use your personal information to conduct research in many aspects and areas of mental health. For information on how we disclose personal information for the purpose of research, see section 6 below. 

Personal information that we collect for research purposes is not used for other purposes unless you consent to those other purposes. Consent for research purposes complies with the National Statement on Ethical Conduct of Human Research (2023). Where we collect personal information for a research project involving a collaborator, we will ensure that the collaborator meets the conditions in section 6 below and, further, that the collaborator treats your personal information in the same way in which we treat it. 

Research studies which require ethics approval from an Australian Human Research Ethics Committee (HREC) may have additional obligations in relation to our collection of personal information. These research studies will also comply with the conditions of the relevant HREC ethics approval and governance offices. 

Clinical services 

Orygen may collect and use your personal information to provide you with quality care and support, including diagnosis and treatment by health professionals. We may also collect your personal information to send you reminders and follow up notices and to invite you to participate in research projects. 

Other purposes 

Depending on what Services we are delivering or the way we are engaging or working with you, we may collect and use your personal information for a number of other purposes, including the following: 

  • to provide services to you and to send communications requested by you; 

  • to refer you to programs, services or research studies; 

  • to arrange your participation in education and training programs and for your participation in and the conduct of these programs including engagement with other participants; 

  • to provide you with news and information about our work; 

  • to encourage you to learn about and act on supporting us and our work (unless you have asked us not to); 

  • to promote our programs and activities, including fundraising, education and training; 

  • to process donations and provide receipts; 

  • to enhance your experience of our website and online training programs; 

  • to help individuals to assist us with our activities, such as fundraising, advocacy campaigns and volunteering with us; 

  • to confirm your identity when you make enquiries about your donation; 

  • to respond to questions from or about a prospective, current or past employee; 

  • to provide support services and to evaluate these services; 

  • to provide youth participation and advisory activities; 

  • for the administrative, employment (including secondment), planning, service development, quality control and research purposes of Orygen; 

  • for quality improvement and clinical governance requirements such as accreditation. In general, we will de-identify any personal information used for these purposes; 

  • to comply with any law, rule, regulation, lawful and binding determination, decision or direction of a regulator, or in co-operation with any governmental authority of any country; 

  • to update our records and keep your contact details up to date; and 

  • to process and respond to any complaint made by you and/or your authorised representative. 

We may also use your personal information for purposes which are related to the primary purpose for which the information was collected (or which are directly related, where the information is health information or other sensitive information), in circumstances where you would reasonably expect us to use your information for these purposes.   

We will also use your personal information where we are otherwise required or permitted by law to do so, which includes the following: 

  • where we are required to by law (e.g., under a subpoena or court order, or you tell us that you are being abused – which must be reported under law); 

  • for funding, management, planning, monitoring, improvement or evaluation of health services, or the training of staff, where we take all reasonable steps to de-identify that information; or 

  • where it is unreasonable or impracticable to obtain your consent and the use is necessary to lessen or prevent a serious threat to your or any other individual’s life, health or safety, or to public health or safety.  

Use of automated decision making and artificial intelligence  

We may from time to time use automated decision making and artificial intelligence (AI) through use of ‘Generative AI’, which are computer programs which can generate new content such as text or images, in response to prompts we provide. We will not, however, use any personal information when we use Generative AI, and we abide by strict guidelines when we use it, including the following: 

  • Any AI-generated content should be reviewed for accuracy by a suitably qualified staff member before being used or shared or relied on, to ensure reliable and safe use of AI-generated content. 

  • Humans will remain in control of health-care systems, research related decisions and medical decisions, and patient safety must always take priority. 

  • Any use of Generative AI as part of a proposed Orygen research study will require appropriate submission and approval for research governance purposes, risk assessments, and appropriate disclosures and citation of use of Generative AI. 

  • Generative AI must not be used to formulate decisions, undertake assessments, or be used for other administrative actions that may have consequences for individuals, for example, evaluations, assessments, or reviews.  

  • Subject to staff exercising proper professional judgement and taking care to review the accuracy of output produced, and not using any personal information, it may be considered appropriate to use a Generative AI for the following: 

      • summarising literature, research, or other publicly available information sources; 

      • accessing medical literature, guidelines and research; 

      • entering a list of clinical features as a prompt to generate useful diagnostic suggestions (subject to outputs being required to be corroborated against source data and independent external references or resources for accuracy and reliability, and provided that clinical decision making remains with the clinician); 

      • generation of a first draft of educational material for staff / patients / families; 

      • generation of a document to explain general medical concepts and terms for patients in simple language; and 

      • translation of patient materials for patients who speak a different language (provided that any translation is always checked by an appropriately credentialed translator). 

  • Where Generative AI has been used, this should be discussed with patients for transparency. 

We will inform you through this Privacy Policy and in accordance with the APPs, if in future we use computer programs that use personal information to make automated decisions that could reasonably be expected to significantly affect the rights or interests of an individual.  This will include information about the kinds of personal information used in, and types of decisions made by, such computer programs that use personal information to make such decisions.  

6. Who does Orygen disclose personal information to?

We will generally only disclose your personal information to other persons for the primary purpose for which it was collected, as set out in section 5 of this Privacy Policy. For example, if you are seeking or receiving our clinical services, we will generally only disclose your personal information to other health professionals and health service providers to continue providing you with these clinical services. If you are another person we engage or work with, we may disclose your personal information to manage our relationship with you. 

If you have consented to the disclosure of your personal information for any other purposes (secondary purposes), we will use your information for those purposes. 

The types of persons to whom we will disclose your personal information for the primary purposes set out in section 5, or otherwise with your consent are: 

  • Our staff, volunteers and approved contractors. 

  • Our partners, affiliates and consultants: people or organisations that work with us or help us in conducting Orygen’s business and providing the Services. 

  • Our service providers: that assist us with archival, auditing, accounting, customer contact, legal, business consulting, banking, payment, debt collection, delivery, data processing, data analysis, document management, research, investigation, insurance, website or technology services or other third parties required to support our services. 

  • Researchers and research collaborators: to invite you to participate in research studies and, if you agree, to conduct research studies into the prevention, diagnosis, treatment of mental disorders or other areas of research or quality assurance activities. Your personal information may be stored on secure databases controlled by parties outside of Orygen. Generally, personal information provided for research projects is de-identified (so you cannot be identified) unless your consent is obtained. Disclosure of personal information for research purposes will be subject to our legal obligations and relevant HREC ethics approvals as discussed in this Privacy Policy above. 

  • Other support services: health care professionals, counsellors or other parties that provide you with support services. 

  • For prospective employees: we may exchange personal information with those staff within our organisation who are involved in recruitment. 

  • For fundraising purposes: if you have made a donation to Orygen, Orygen may provide your personal information to other charities that we collaborate with, in order for those charities to send you mail-outs containing information that may be of interest to you. These charities usually allow us to do the same and by collaborating like this we can reach more people with important information. You may opt out of us sharing your information with other charities. 

  • For education and training purposes: with other participants in the programs. You may opt out of us sharing this information. 

  • Any organisation or any person that you expressly allow us to provide it to. 

When we transfer your personal information to a third party we take all reasonable steps to ensure that your personal information will be treated by that third party in accordance with the privacy laws set out in section 1 above. 

We may disclose your personal information to other persons for other purposes (secondary purposes) if: 

  • you or your authorised representative has consented; or 

  • the secondary purpose is related to the primary purpose for which the information was collected, and you would reasonably expect us to disclose the information for this purpose; or 

  • the disclosure is reasonably necessary to lessen or prevent a serious threat to your or any other individual’s life, health or safety, or to public health or safety; or 

  • we have reason to suspect that unlawful activity has been engaged in and the disclosure is necessary as part of our investigation or in reporting the matter to the relevant authorities (and this would not constitute a breach of confidence by relevant registered health practitioners); or 

  • the disclosure is otherwise required or permitted under law. 

Additionally, we may disclose your health information for a secondary purpose if we are providing health services to you and: 

  • the disclosure is reasonably necessary for us to provide you with the health service, and you are incapable of giving consent, and it is not practicable to obtain consent from your authorised representative or you do not have an authorised representative; or 

  • the disclosure is for funding, management, planning, monitoring, improvement or evaluation of health services, or the training of staff, where we take all reasonable steps to de-identify that information. 

7. Do we disclose personal information to anyone interstate or outside of Australia?

We will comply with the Privacy Act and Health Records Act if we are required to disclose your personal information interstate or overseas. 

From time to time, we may be required to disclose your personal information to our research collaborators and funding bodies interstate or overseas for any of the purposes outlined in this Privacy Policy.  

In addition, we may store your personal information on cloud servers which are based outside of Australia. 

We will only disclose your personal information, interstate or overseas with your prior consent, or otherwise where required or authorised under law.  

Where we do transfer your personal information interstate or overseas, we will take all reasonable steps to protect it and ensure that interstate and overseas recipients of personal information do not breach the APPs and HPPs. For example, these steps may include ensuring the recipient is subject to a law, binding scheme or binding contract that provides substantially similar protection to the APPs and HPPs which you can access and enforce, or the recipient is from an overseas country prescribed under the APPs, and ensuring binding agreements with the recipient are in place that replicate the relevant privacy obligations before any personal information is transferred to them. 

8. How does Orygen keep personal information secure?

Orygen takes a range of steps, including technical and organisational measures, to keep any personal information we hold about you secure. Depending on the circumstances, these may include electronic access controls, premises security, network firewalls and appropriate anti-virus software. We are required to comply with Payment Card Industry Data Security Standards in relation to payment card transactions. Our staff, volunteers and contractors are required to comply with our policies and procedures relating to personal information. We also put in place appropriate contractual requirements with third parties which require them to maintain the security of the personal information. 

While we take all reasonable and appropriate steps, we cannot guarantee the security of any information that you send to us using our website or other online means, such as email. Accordingly, any personal information or other information that you transmit to us through our website or by email is transmitted at your own risk. 

Please notify us immediately if you become aware of any breach of security. 

We retain personal information for the minimum period for which we are required to retain it under relevant laws (see also section 9 of this Privacy Policy regarding retention of health information). We securely archive any information that we are not actively using. Any information collected for the purpose of research is held by us for the period of time required in accordance with the National Health and Medical Research Council standards for Management of Data and Information in Research, which varies according to the specific type of research and applicable state, territory and/or national legislation, which may require that such information be held by us for up to 15 years or more for most clinical trials, and may require us to hold such information indefinitely for some research, for example if the work has community, cultural or historical value, unless we are obligated to de-identify or destroy it under law. 

9. Your rights in relation to personal information – access and correction

Orygen takes reasonable steps to ensure that personal information that it collects, uses or discloses is accurate, complete and relevant to our Services. 

Access 

You may request access to any personal information that we hold about you at any time. If you are subject to GDPR, you may request that it is transmitted to another party. There may be circumstances where we do not grant you access to your personal information where this is permitted or required under law, such as where we think it may pose a serious threat to your or another individual’s life or health, or to public health or safety, or where it creates an unreasonable impact on the privacy of someone else. 

Where we refuse access to any part of your personal information, we will notify you in writing of our reasons for refusal and how you can make a complaint about our decision. 

Correction 

You may ask us to update or correct your personal information that we hold at any time. We will also take reasonable steps to update your personal information where we are notified or we consider that it is inaccurate, out of date, incomplete, or irrelevant or misleading for the purpose for which we are holding it. If we have provided your personal information to any third party, we will also take reasonable steps to notify that third party of the corrections to your personal information unless it is impracticable or unlawful to do so. 

Where we refuse to update or correct your personal information, we will notify you in writing of our reasons for refusal and how you can make a complaint about our decision. 

Deletion 

Where we no longer require your personal information for any purpose for which the information may be lawfully used or disclosed, and it is not required to be retained under law, we will take reasonable steps to destroy or permanently de-identify your information.  

In relation to any health information we hold about you, the Health Records Act requires that health information must be retained until whichever of the following dates occurs later:  

  • 7 years after the last health service was provided to you; or  

  • if your health information was collected when you were under 18 years of age, the health information must be retained until you are 25 years of age. 

You may also ask Orygen to delete or de-identify your personal information that we hold. There may be instances where we cannot agree to that request, for example where we are required to keep it under law (such as under the Health Records Act as above) or where the information is contained in a Commonwealth record.  

If that is the case, we will notify you in writing of the reasons for our refusal and how you can make a complaint about our decision. 

Contact 

If you require access to, or would like us to update, correct or delete, your personal information, please contact us using the details provided in Section 13 below. 

10. Marketing communications

We may seek to send you marketing communications (direct marketing) from time to time, but we will only do so in accordance with the applicable privacy laws. For example, if we sought to send you a communication about any of our Services, news, fundraising, activities or events, we will only send you such communications in accordance with any marketing consents and preferences which you have provided to us or otherwise only where this is in accordance with the law.

Any marketing communications we send to you in accordance with the above will clearly identify Orygen as the sender with our contact details (see below), and also provide you with an easy way to opt out of receiving these communications. 

You may opt out of receiving marketing communications at any time by contacting us by email: [email protected], mail: 35 Poplar Road Parkville VIC 3052 or telephone: 1800 ORYGEN (1800 679 436), or where applicable by selecting the unsubscribe option in our electronic communications.

11. Data breaches

Orygen is required to comply with the ‘notifiable data breach’ scheme under the Privacy Act. The notifiable data breach scheme applies when there is an ‘eligible data breach’ of personal information, as follows: 

  • there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an organisation holds; and 

  • this is likely to result in serious harm to one or more persons; and 

  • the organisation has not been able to prevent the likely risk of serious harm with remedial action. 

If a data breach occurs, we will take all reasonable remedial steps to reduce the likelihood of serious harm occurring. 

If we reasonably believe that we have experienced an eligible data breach (and remedial action cannot be used), we will notify affected people and the Office of the Australian Information Commissioner about the breach as soon as practicable in accordance with our requirements in the Privacy Act. 

In addition, where an eligible data breach has occurred, the responsible Minister may make an eligible data breach declaration where they are satisfied that the declaration is necessary or appropriate to prevent or reduce a risk of harm arising from misuse of one or more affected individuals’ personal information. For example, a declaration may permit the collection, use and/or disclosure of personal information of affected individuals to specified agencies or authorities or other persons to reduce the risk of harm to the individuals. Where such a declaration is in force, Orygen may collect, use or disclose personal information about individuals in accordance with the declaration and where it reasonably believes that the individual may be at risk from the eligible data breach. 

12. How can you make a complaint about our handling of personal information? 

We may revise this Privacy Policy from time to time.  The revised version will be published on our website and any changes will take effect immediately from the date of publication.

If you wish to make a complaint about our handling of your personal information, please contact Orygen’s Privacy Officer at the details set out in Section 13 and provide us with details of the complaint so that we can appropriately investigate it.  

We may require any complaint to be made in writing first so that we can be sure about the details of the complaint and we may ask you for further information about your complaint and to verify your identity.  

After you have provided a written complaint, Orygen will, within 7 days after the complaint is made, provide written notice to you to acknowledge the making of the complaint and provide information on how Orygen will deal with the complaint. Orygen will then investigate the complaint. In doing so, we may also need to engage or consult with other parties to investigate and deal with the complaint if necessary. 

We will investigate your complaint and provide you with a response as soon as possible and within 30 calendar days of receiving your complaint (or as otherwise required by our legal obligations or such longer period as agreed by you in writing). We will provide you with status updates regarding your request, as required. 

After we have completed our enquiries, we will contact you in writing to advise the outcome and invite a response from you. 

If you have a complaint about how we handle your personal information and you feel Orygen has not resolved your issue or complaint to your satisfaction, then you can escalate your privacy concern and you have the right to make a complaint to the relevant privacy or data protection regulator or authority (for example in the place you reside or where you believe Orygen has breached your rights) or access an external dispute resolution scheme.  

If you are based in Australia: 

Office of the Australian Information Commissioner 

Online: www.oaic.gov.au/privacy 

Phone: 1300 363 992 

In respect of any complaints relating to health information in Victoria:  

Victorian Health Complaints Commissioner 

Online: https://hcc.vic.gov.au/ 

Phone: 1300 582 113 

If you are based in a country other than Australia, you will need to contact the privacy or data protection regulator or authority that regulates privacy of your data. 

13. Contacting Orygen – enquiries or complaints 

If you have any enquiries about this Privacy Policy, or a complaint about the way Orygen has handled your personal information, please contact Orygen’s Privacy Officer (who is also Orygen’s Data Protection Officer for GDPR purposes) at: 

Privacy Officer 

Locked Bag 10 

Parkville VIC 3052 

Email: [email protected] 

Phone: +61 3 9966 9100 and ask to speak with Orygen’s Privacy Officer 

14. Changes to this Privacy Policy 

Orygen will notify consumers, young people and users of Orygen’s services and website, and where relevant, their families and carers, of changes to this Privacy Policy from time to time, in a timely and comprehensible way. The revised version will be published on our website and promoted on our website and external public-facing platforms, and in some cases where appropriate, Orygen may also notify consumers, young people and users of Orygen’s services, and where relevant, their families and carers, of such changes directly. Any changes will take effect immediately from the date of publication.