Privacy Policy

1. Orygen’s obligations and commitment
Orygen (we, us, our) is committed to protecting the privacy of your personal information.
This Privacy Policy explains how we collect, use, disclose, and securely store your personal information. This Privacy Policy also explains how you can access and correct the information we hold about you, and how you can make a privacy complaint.
We will handle your personal information in compliance with the following laws:
-
in some instances, the European Union’s General Data Protection Regulation 2016/79 (EU GDPR), in circumstances where the GDPR applies to Orygen’s activities involving individuals or entities located in the European Union (EU) and where Orygen is processing their personal data, or where Orygen enters into a binding contract requiring it to abide by the provisions of the GDPR.
We will act in accordance with these laws when we carry out our activities, including providing clinical and other care to young people, researching better interventions, treatments and service systems, providing training to the mental health workforce and the community, conducting fundraising and advocacy as well as undertaking activities in relation to our staff and applicants for roles with us (our Services).
2. What is ‘personal information’?
Personal information is information or an opinion about an individual who is identified, or can be reasonably identified, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not.
Our collection, use and disclosure of personal information complies with the APPs and HPPs.
Sensitive information is a type of personal information that is given a higher level of protection under the Privacy Act. It includes information or an opinion about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association or trade union, sexual orientation or criminal record. It also includes health information.
Our collection, use and disclosure of sensitive information complies with the APPs, HPPs.
Health information is a type of both personal information and sensitive information. It includes information or an opinion about:
In this Privacy Policy, when we refer to personal information, we also mean to include sensitive information and health information unless stated otherwise. We also use the term to mean personal data which is the phrase used in some countries.
3. What types of personal information does Orygen collect?
Orygen only collects personal information that is reasonably necessary for one or more of our functions or activities or to ensure that we comply with relevant laws.
We collect personal information from individuals in order to provide them with our Services, and from individuals who help us provide our Services in order to manage our relationship with them. The type of information we collect will depend on who you are – it may include:
|
|
For young people with mental illness, family, friends and supporters
|
- Name, date of birth and gender identity
- Contact information including address, postcode, email, telephone/mobile number
- Details regarding your ethnicity
- Health information and medical history, in particular history with mental illness and treatments
- Details of the Services we have provided you and of your dealings with us
- Aboriginal and Torres Strait Islander heritage
|
Young people with mental illness, family and friends and supporters on Orygen Digital’s MOST platform and other online platforms, and referral from eligible services |
|
Open Access/ Direct Access
|
|
For research study participants |
-
Name, date of birth and gender identity
-
Contact information including address, postcode, email, telephone/mobile number
-
Details regarding your ethnicity
-
Health information and medical history
-
Aboriginal and Torres Strait Islander heritage
|
For participants in Orygen’s education and training programs |
|
For health professionals |
|
For participants in Orygen’s fundraising or advocacy campaigns |
-
Contact information including address, postcode, email, telephone/mobile number
-
Your opinions via surveys and questionnaires or any other way you have provided them to us
-
Details relating to any donations you have made to Orygen
-
Your employer details for any workplace giving program
-
Records of your transactions and communications with us
-
If relevant, details of your personal interests
|
For donors
|
|
For employees or job applicants |
-
Name, date of birth and gender identity
-
Contact information including address, postcode, email, telephone/mobile number, emergency contact details
-
Details regarding Aboriginal and Torres Strait Islander heritage
-
Employment history, qualifications, Curriculum Vita and job references
-
Fitness for work including licensing, registrations, police checks and working with children checks
-
Banking details to process payments such as wages or reimbursements
-
Government related identifiers such as your tax file number
|
For volunteers |
-
Name, date of birth and gender identity
-
Contact information including address, postcode, email, telephone/mobile number,
-
Emergency contact details
-
Details regarding Aboriginal and Torres Strait Islander heritage
-
Fitness for work checks, including police check and/or working with children check
-
Banking details to process payments such as reimbursements
|
For collaborators |
-
Name
-
Contact information including address, postcode, email, telephone/mobile number
-
Details of the collaboration
-
Institutional affiliations and employer
|
For suppliers and service providers |
-
Name
-
Employer for the services provided to Orygen
-
Payment information (including bank account details, credit card details, billing address)
-
Details of your dealings with us and the goods or services provided
-
Contact information including address, postcode, email, telephone/mobile number.
|
For users of our website and social media pages
|
- Name
-
Your username and password for accounts set up on our website including your social media handle if you choose to use it
-
Contact information including address, postcode, email, telephone/mobile number
|
Can you be anonymous or use a pseudonym?
You can be anonymous or use a pseudonym when you deal with us in some circumstances, for example, if you are enquiring about our Services generally or if you are using Open Access or accessing the community network on Orygen Digital’s MOST platform (although in order to access and post on the community network on MOST, registration and provision of certain personal information is required).
We will likely need to identify you, however, if it is not practicable or lawful for you to remain anonymous or use a pseudonym when you deal with us. For example, if you are receiving clinical care from us, it may not be practicable for you to be anonymous or use a pseudonym, because this may prevent us from understanding your medical history and providing you with appropriate care and any follow up care.
Do you need to provide your personal information?
It is your choice whether you would like to provide your personal information to us. However, if you do not provide your personal information:
4. How does Orygen collect personal information?
Orygen will collect personal information directly from you via lawful and fair means, unless it is unreasonable or not practical to do so.
We may collect your personal information in the following ways:
-
In person, for example if you attend one of our clinical services, participate in a research study or trial, or attend an event.
-
Online, for example if you set up an account with Orygen on our website, send us an enquiry via our website, fill in a website form, register to receive updates and news, sign up for an event online or set up an account to use Orygen Digital’s MOST platform online.
In some circumstances we may need to collect your personal information from other people, such as:
-
From health professionals or from your family, friends or other support persons. We will only do this where you have consented, or where it is not reasonable or practicable to collect this information from you directly and this is otherwise permitted by the privacy laws.
-
For the purposes of fundraising, from a third party who makes a donation and nominates you as the recipient of communication going forwards, where this is with your consent or otherwise permitted by the privacy laws.
We will only collect your health information, if:
-
the collection is necessary to prevent or lessen a serious threat to public health or safety, or your or any other individual’s life, health, safety or welfare; or
Notification of Collection by Orygen
When we collect your personal information, we will take reasonable steps to ensure you are aware of the details of the collection (including notifying you through this Privacy Policy), with such details being:
-
if your personal information is collected from a third party, that Orygen has done so and how Orygen has done so, unless doing so would pose a serious threat to the life or health of any individual or would involve the disclosure of confidential information or is otherwise unreasonable in the circumstances.
Where we have collected your personal information with your consent, you can withdraw that consent at any time – see section 13 of this Privacy Policy below for our contact details.
Information provided by ‘Cookies’
Orygen sometimes uses ‘cookies’ as a reporting mechanism. Cookies identify traffic coming into and out of the Orygen website. Cookies enable our webserver to collect information back from your browser each time you visit the Orygen website.
Cookies do not identify individual users. When you visit the Orygen site, our servers may record information about your usage, the time of your visit, its duration, the pages you visit and style settings. Orygen does not collect information that can identify the individuals who visit the site. When you look at our website, Google Analytics compiles data that records and logs your visit with the following information which we collect for statistical purposes:
-
the user's top-level domain name (for example, .com, .gov, .au, .uk, etc.);
Access to, and use of, this information is restricted to Orygen. We will not attempt to track or identify individual users or their browsing activities, except in the unlikely event of an investigation, where a law enforcement agency may exercise a warrant to inspect Google Analytics logs.
Orygen will only use statistics we get from cookies to understand how our website is used so we can continue to improve and update it.
5. For what purposes does Orygen collect personal information and how do we use it?
We will generally only collect and use your personal information for the primary purpose for which you have (or a third party has) provided it to us. For example, if you are seeking or receiving our Services, we will use your personal information to deliver Services to you. If you are another person we engage or work with, we will use your personal information to manage our relationship with you.
If you have consented to the use of your personal information for any other purposes (secondary purposes), we will use your information for those purposes.
The primary purposes for which we collect and use your personal information are set out below:
Research purposes
Orygen may collect and use your personal information to conduct research in many aspects and areas of mental health. For information on how we disclose personal information for the purpose of research, see section 6 below.
Personal information that we collect for research purposes is not used for other purposes unless you consent to those other purposes. Consent for research purposes complies with the National Statement on Ethical Conduct of Human Research (2023). Where we collect personal information for a research project involving a collaborator, we will ensure that the collaborator meets the conditions in section 6 below, further, that the collaborator treats your personal information in the same way in which we treat it.
Research studies which require ethics approval from an Australian Human Research Ethics Committee (HREC) may have additional obligations in relation to our collection of personal information. These research studies will also comply with the conditions of the relevant HREC ethics approval and governance offices.
Clinical services
Orygen may collect and use your personal information to provide you with quality care and support, including diagnosis and treatment by health professionals. We may also collect your personal information to send you reminders and follow up notices and to invite you to participate in research projects.
Other purposes
Depending on what Services we are delivering or the way we are engaging or working with you, we may collect and use your personal information for a number of other purposes, including the following:
-
for the administrative, employment (including secondment), planning, service development, quality control and research purposes of Orygen;
-
to comply with any law, rule, regulation, lawful and binding determination, decision or direction of a regulator, or in co-operation with any governmental authority of any country;
We may also use your personal information for purposes which are related to the primary purpose for which the information was collected (or which are directly related, where the information is health information or other sensitive information), in circumstances where you would reasonably expect us to use your information for these purposes.
We will also use your personal information where we are otherwise required or permitted by law to do so, which includes the following:
-
for funding, management, planning, monitoring improvement or evaluation of health services, or the training of staff, where we take all reasonable steps to de-identify that information; or
-
where it is unreasonable or impracticable to obtain your consent and the use is necessary to lessen or prevent a serious threat to your or any other individual’s life, health or safety, or to public health or safety.
Use of automated decision making and artificial intelligence
We may from time to time use automated decision making and artificial intelligence (AI) through use of ‘Generative AI’, which are computer programs which can generate new content such as text or images, in response to prompts we provide. We will not, however, use any personal information when we use Generative AI, and we abide by strict guidelines when we use it, including the following:
-
Any use of Generative AI as part of a proposed Orygen research study will require appropriate submission and approval for research governance purposes, risk assessments, and appropriate disclosures and citation of use of Generative AI.
-
Generative AI must not be used to formulate decisions, undertake assessments, or used for other administrative actions that may have consequences for individuals, for example, evaluations, assessments, or reviews.
-
Subject to staff exercising proper professional judgement and taking care to review the accuracy of output produced, and not using any personal information, it may be considered appropriate to use a Generative AI for the following:
-
entering a list of clinical features as a prompt to generate useful diagnostic suggestions (subject to outputs being required to be corroborated against source data and independent external references or resources for accuracy and reliability, and provided that clinical decision making remains with the clinician);
We will inform you through this Privacy Policy and in accordance with the APPs, if in future we use computer programs that use personal information to make automated decisions that could reasonably be expected to significantly affect the rights or interests of an individual. This will include information about the kinds of personal information used in, and types of decisions made by, such computer programs that use personal information to make such decisions.
6. Who does Orygen disclose personal information to?
We will generally only disclose your personal information to other persons for the primary purpose for which it was collected, as set out in section 5 of this Privacy Policy. For example, if you are seeking or receiving our clinical services, we will generally only disclose your personal information to other health professionals and health service providers to continue providing you with these clinical services. If you are another person we engage or work with, we may disclose your personal information to manage our relationship with you.
If you have consented to the disclosure of your personal information for any other purposes (secondary purposes), we will use your information for those purposes.
The types of persons to whom we will disclose your personal information for the primary purposes set out in section 5, or otherwise with your consent are:
-
Our service providers: that assist us with archival, auditing, accounting, customer contact, legal, business consulting, banking, payment, debt collection, delivery, data processing, data analysis, document management, research, investigation, insurance, website or technology services or other third parties required to support our services.
-
Researchers and research collaborators: to invite you to participate in research studies and, if you agree, to conduct research studies into the prevention, diagnosis, treatment of mental disorders or other areas of research or quality assurance activities. Your personal information may be stored on secure databases controlled by parties outside of Orygen. Generally, personal information provided for research projects is de-identified (so you cannot be identified) unless your consent is obtained. Disclosure of personal information for research purposes will be subject to our legal obligations and relevant HREC ethics approvals as discussed in this Privacy Policy above.
-
For fundraising purposes: if you have made a donation to Orygen, Orygen may provide your personal information to other charities that we collaborate with, in order for those charities to send you mail-outs containing information that may be of interest to you. These charities usually allow us to do the same and by collaborating like this we can reach more people with important information. You may opt out of us sharing your information with other charities.
When we transfer your personal information to a third party we take all reasonable steps to ensure that your personal information will be treated by that third party in accordance with the privacy laws set out in section 1 above.
We may disclose your personal information to other persons for other purposes (secondary purposes) if:
Additionally, we may disclose your health information for a secondary purpose if we are providing health services to you and:
-
the disclosure is reasonably necessary for us to provide you with the health service, and you are incapable of giving consent, and it is not practicable to obtain consent from your authorised representative or you do not have an authorised representative; or
-
the disclosure is for funding, management, planning, monitoring improvement or evaluation of health services, or the training of staff, where we take all reasonable steps to de-identify that information.
7. Do we disclose personal information to anyone interstate or outside of Australia?
We will comply with the Privacy Act and Health Records Act if we are required to disclose your personal information interstate or overseas.
From time to time, we may be required to disclose your personal information to our research collaborators and funding bodies interstate or overseas for any of the purposes outlined in this Privacy Policy.
In addition, we may store your personal information on cloud servers which are based outside of Australia.
We will only disclose your personal information, interstate or overseas with your prior consent, or otherwise where required or authorised under law.
Where we do transfer your personal information interstate or overseas, we will take all reasonable steps to protect it and ensure that interstate and overseas recipients of personal information do not breach the APPs and HPPs. For example, these steps may include ensuring the recipient is subject to a law, binding scheme or binding contract that provides substantially similar protection to the APPs and HPPs which you can access and enforce, or the recipient is from an overseas country prescribed under the APPs, and ensuring binding agreements with the recipient are in place that replicate the relevant privacy obligations before any personal information is transferred to them.
8. How does Orygen keep personal information secure?
Orygen takes a range of steps, including technical and organisational measures, to keep any personal information we hold about you secure. Depending on the circumstances, these may include electronic access controls, premises security, network firewalls and appropriate anti-virus software. We are required to comply with Payment Card Industry Data Security Standards in relation to payment card transactions. Our staff, volunteers and contractors are required to comply with our policies and procedures relating to personal information. We also put in place appropriate contractual requirements with third parties which require them to maintain the security of the personal information.
While we take all reasonable and appropriate steps, we cannot guarantee the security of any information that you send to us using our website or other online means, such as email. Accordingly, any personal information or other information that you transmit to us through our website or by email is transmitted at your own risk.
Please notify us immediately if you become aware of any breach of security.
We retain personal information for the minimum period for which we are required to retain it under relevant laws (see also section 9 of this Privacy Policy regarding retention of health information). We securely archive any information that we are not actively using. Any information collected for the purpose of research is held by us for the period of time required in accordance with the National Health and Medical Research Council standards for Management of Data and Information in Research, which varies according to the specific type of research and applicable state, territory and/or national legislation, which may require that such information be held by us for up to 15 years or more for most clinical trials, and may require us to hold such information indefinitely for some research, for example if the work has community, cultural or historical value, unless we are obligated to de-identify or destroy it under law.
9. Your rights in relation to personal information – access and correction
Orygen takes reasonable steps to ensure that personal information that it collects, uses or discloses is accurate, complete and relevant to our Services.
Access
You may request access to any personal information that we hold about you at any time. If you are subject to GDPR, you may request that it is transmitted to another party. There may be circumstances where we do not grant you access to your personal information where this is permitted or required under law, such as where we think it may pose a serious threat to your or another individual’s life or health, or to public or safety, or where it creates an unreasonable impact on the privacy of someone else.
Where we refuse access to any part of your personal information, we will notify you in writing of our reasons for refusal and how you can make a complaint about our decision.
Correction
You may ask us to update or correct your personal information that we hold at any time. We will also take reasonable steps to update your personal information where we are notified or we consider that it is inaccurate, out of date, incomplete, or irrelevant or misleading for the purpose for which we are holding it. If we have provided your personal information to any third party, we will also take reasonable steps to notify that third party of the corrections to your personal information unless it is impracticable or unlawful to do so.
Where we refuse to update or correct your personal information, we will notify you in writing of our reasons for refusal and how you can make a complaint about our decision.
Deletion
Where we no longer require your personal information for any purpose for which the information may be lawfully used or disclosed, and it is not required to be retained under law, we will take reasonable steps to destroy or permanently de-identify your information.
In relation to any health information we hold about you, the Health Records Act requires that health information must be retained until whichever of the following dates occurs later:
You may also ask Orygen to delete or de-identify your personal information that we hold. There may be instances where we cannot agree to that request, for example where we are required to keep it under law (such as under the Health Records Act as above) or where the information is contained in a Commonwealth record.
If that is the case, we will notify you in writing of the reasons for our refusal and how you can make a complaint about our decision.
Contact
If you require access to, or would like us to update, correct or delete, your personal information, please contact us using the details provided in Section 13 below.
10. MARKETING COMMUNICATIONS
We may seek to send you marketing communications (direct marketing) from time to time, but we will only do so in accordance with the applicable privacy laws. For example, if we sought to send you a communication you about any of our Services, news, fundraising, activities or events, we will only send you such communications in accordance with any marketing consents and preferences which you have provided to us or otherwise only where this is in accordance with the law.
Any marketing communications we send to you in accordance with the above, will clearly identify Orygen as the sender with our contact details (see below), and also provide you with an easy way to opt out of receiving these communications.
You may opt out of receiving marketing communications at any time by contacting us by email: [email protected], mail: 35 Poplar Road Parkville VIC 3052 or telephone: 1800 ORYGEN (1800 679 436), or where applicable by selecting the unsubscribe option in our electronic communications.
11. data breaches
Orygen is required to comply with the ‘notifiable data breach’ scheme under the Privacy Act. The notifiable data breach applies when there is an ‘eligible data breach’ of personal information, as follows:
If a data breach occurs, we will take all reasonable remedial steps to reduce the likelihood of serious harm occurring.
If we reasonably believe that we have experienced an eligible data breach (and remedial action cannot be used), we will notify affected people and the Office of the Australian Information Commissioner about the breach as soon as practicable in accordance with our requirements in the Privacy Act.
In addition, where an eligible data breach has occurred, the responsible Minister may make an eligible data breach declaration where they are satisfied that the declaration is necessary or appropriate to prevent or reduce, a risk of harm arising from misuse of one or more affected individuals’ personal information. For example, a declaration may permit the collection, use and/or disclosure of personal information of affected individuals to specified agencies or authorities or other persons to reduce the risk of harm to the individuals. Where such a declaration is in force, Orygen may collect, use or disclose personal information about individuals in accordance with the declaration and where it reasonably believes that the individual may be at risk from the eligible data breach.
12. HOW CAN YOU MAKE A COMPLAINT ABOUT OUR HANDLING OF PERSONAL INFORMATION?
We may revise this Privacy Policy from time to time. The revised version will be published on our website and any changes will take effect immediately from the date of publication.
If you wish to make a complaint about our handling of your personal information, please contact Orygen’s Privacy Officer at the details set out in Section 13 and provide us with details of the complaint so that we can appropriately investigate it.
We may require any complaint to be made in writing first so that we can be sure about the details of the complaint and we may ask you for further information about your complaint and to verify your identity.
After you have provided a written complaint, Orygen will within 7 days after the complaint is made, provide written notice to you to acknowledge the making of the complaint and provide information on how Orygen will deal with the complaint. Orygen will then investigate the complaint. In doing so, we may also need to engage or consult with other parties to investigate and deal with the complaint if necessary.
We will investigate your complaint and provide you with a response as soon as possible and within 30 calendar days of receiving your complaint (or as otherwise required by our legal obligations or such longer period as agreed by you in writing). We will provide you with status updates regarding your request, as required.
After we have completed our enquiries, we will contact you in writing to advise the outcome and invite a response from you.
If you have a complaint about how we handle your personal information and you feel Orygen has not resolved your issue or complaint to your satisfaction, then you can escalate your privacy concern and you have the right to make a complaint to the relevant privacy or data protection regulator or authority (for example in the place you reside or where you believe Orygen has breached your rights) or access an external dispute resolution scheme.
If you are based in Australia:
Office of the Australian Information Commissioner Online: www.oaic.gov.au/privacy
Phone: 1300 363 992
In respect of any complaints relating to health information in Victoria:
Victorian Health Complaints Commissioner
Online: https://hcc.vic.gov.au/ Phone: 1300 582 113
If you are based in a country other than Australia, you will need to contact the privacy or data protection regulator or authority that regulates privacy of your data.
13. CONTACTING ORYGEN – ENQUIRIES OR COMPLAINTS
If you have any enquiries about this Privacy Policy, or a complaint about the way Orygen has handled your personal information, please contact Orygen’s Privacy Officer (who is also Orygen’s Data Protection Officer for GDPR purposes) at:
Privacy Officer Locked Bag 10
Parkville VIC 3052
Email: [email protected]
Phone: +61 3 9966 9100 and ask to speak with Orygen’s Privacy Officer
14. CHANGES TO THIS PRIVACY POLICY
Orygen will notify consumers, young people and users of Orygen’s services and website, and where relevant, their families and carers, of changes to this Privacy Policy from time to time, in a timely and comprehensible way. The revised version will be published on our website and promoted on our website and external public-facing platforms, and in some cases where appropriate, Orygen may also notify consumers, young people and users of Orygen’s services, and where relevant, their families and carers, of such changes directly. Any changes will take effect immediately from the date of publication.
