Privacy Policy

Last updated: 18 November 2024

Definitions

Personal information means information or an opinion about an identified individual or an individual who can reasonably be identifiable. This applies whether the information or opinion is true and regardless of how or whether the information or opinion is recorded. It includes information such as the individual’s name, address, date of birth, contact details and emergency contacts and photos and videos, which may lead to the identification of the person or location/address.

Sensitive personal information is a specific type of personal information or opinion about that information that risks adverse consequences for the individual if not strictly managed. This is information regarding a person’s racial or ethnic origin; political opinions; membership of a political association; religious beliefs or affiliations; philosophical beliefs; membership of a professional or trade association or trade union; sexual orientation or practices; or criminal record. Sensitive personal information includes all health, genetic, and biometric information.

Clinical Trial Information, in addition to the definitions of personal information and sensitive personal information above, includes all personal and clinical information collected by ENA Respiratory through our work, either directly or through contract partners in clinical trials.

Data Breach means personal information is accessed or disclosed without authorisation or is lost.

Policy

ENA Respiratory is committed to protecting individuals’ privacy and rights regarding the personal information the company collects, holds, and administers. ENA Respiratory will ensure individuals have the opportunity to access their information and request correction of any errors where applicable.

ENA Respiratory welcomes feedback and will address any complaints about how the company manages personal information. ENA Respiratory is committed to its obligations under the Commonwealth Privacy Act 1988 (‘the Act’) and the Australian Privacy Principles contained therein. The company will:

a) collect only the information required for the running of the business

b) inform stakeholders (our clients, employees, customers, and prospective staff) of why we collect and how we administer the information

c) use and disclose (where necessary) personal information only for its primary business function, or a directly related purpose, or for other reasons with the person’s consent

d) securely store personal information and protect it from unauthorised access

e) provide stakeholders with access to their information and correct the information where it is in error.

ENA Respiratory is committed to its obligations under the General Data Protection Regulation (GDPR) for the European Union. Specifically, ENA Respiratory:

a) Will comply with the principles of data protection set out in the GDPR for fairness, transparency and lawful data collection and use.

b) Will hold personal information as a processor and/or to the extent that ENA Respiratory is a Controller as defined in the GDPR.

c) Will establish a lawful basis for processing personal data. The legal basis for which the collection and processing relies, will depend on the data that is collected and how it is used.

d) Will only collect personal information with the express consent of individuals for a specific purpose, and any data collected will be to the extent necessary and not excessive for its purpose. The data will be kept safe and secure.

e) Will process personal information if it is necessary:

a. For our legitimate interests or to fulfil a contractual or legal obligation

b. To protect a life or in a medical situation,

c. To carry out a public function, a task of public interest or if the function has a clear basis in law.

f) Will ensure that the rights of individuals who have provided ENA Respiratory with information are respected. They include:

a. To be informed on how personal information is being used,

b. Access their personal information,

c. To correct personal information if it is inaccurate or incomplete,

d. To delete personal information (also known as “the right to be forgotten”)

e. To restrict the processing of personal information,

f. To retain and reuse the individual’s personal information for their own purposes,

g. To object to their personal information being used, and

h. To object against automated decision-making and profiling.

ENA Respiratory will not collect or process any personal information that is considered “Sensitive Personal Information” under the GDPR, such as personal information relating to a person’s sexual orientation or ethnic origin, unless explicit consent has been obtained or it is being collected subject to and in accordance with the GDPR.

ENA Respiratory will not collect personal information of children without the express consent of a parent or someone who has parental authority over the child.

All personal information related to participants in clinical studies collected by ENA Respiratory will be treated as ‘personal information’ or ‘sensitive personal information’.

ENA Respiratory is required to collect personal information of individuals with whom we do business, both within and outside the organisation. This is necessary for the company’s effective operation to carry out its business functions. The company is committed to its responsibility to use such information only for the intended purpose.

All individuals working, volunteering, on student placement, or otherwise engaged by ENA Respiratory and its associated programs and businesses (hereafter referred to as ‘staff’) must comply with this policy and associated processes when collecting, accessing, disclosing, and managing personal information.

1. Personal information the Company may collect

The term ‘personal information’ used throughout this policy has the meaning given to it in the Act and includes private and sensitive information. In general terms, it is any information that can be used to identify a person and includes opinions about the person personally.

Examples of personal information the Company collects for relevant business purposes include  a person’s:

  • name, age, date of birth
  • contact, and emergency contact details such as email, phone, fax number, street address
  • profession, occupation, or job title
  • financial information such as bank details, credit card number, tax file number
  • photo of the person or photo ID such as driver license or passport details
  • health information of any kind, whether or not it is current
  • details used when assessing an application to volunteer, receive services, or become an employee. This may also include sensitive information related to disability, aboriginality, nationality, gender, or criminal record.
  • Centrelink Customer Reference Number

2. Anonymity

Where practical, individuals can interact anonymously with ENA Respiratory or by using a pseudonym, such as when making general enquiries about services. However, for most business functions, ENA Respiratory generally needs enough personal information to allow the company to manage the enquiry, application, request, or complaint fairly and efficiently.

3. Collection, use, and disclosure of personal information

ENA Respiratory will advise individuals whenever the company is collecting, or is about to collect, personal or sensitive information as described in this policy. Personal information is collected directly from the individual unless it is unreasonable or impractical to do so or if the person has nominated an authorised representative. The company may collect personal information from third parties, including referees of applicants for employment. The company may also collect information from individuals when signing up for mailing lists, providing service feedback, registering for events, or participating in surveys. ENA Respiratory collects and may disclose personal information for a range of business purposes, specifically:

  • to assess a person’s needs as a customer and to provide services to the person • for recruitment, employment, and student placement
  • to comply with reporting obligations to the government and other funding bodies
  • for financial recordkeeping purposes such as taxation and expenses
  • for the company’s administrative, planning, service development, and quality control purposes
  • to communicate with individuals to inform them about the company’s work, objectives, and activities
  • to update the company’s records and keep the person’s contact details up to date
  • to process and respond to complaints and access requests, and
  • to comply with any law, rule, regulation, lawful and binding determination, decision or direction of a regulator, or in co-operation with any governmental authority.

3.1 Unsolicited personal information

Personal information provided to ENA Respiratory that the company has not requested, and is not likely to request, will be deidentified or destroyed as soon as practicable.

4. Marketing

ENA Respiratory does not provide personal information to other organisations for direct marketing purposes. ENA Respiratory may use personal information for its direct marketing purposes, where the individual has consented to use their information for that purpose. The company may send information regarding its services and products in newsletters or email updates but will endeavour to use the person’s preferred method where possible.

ENA Respiratory’s marketing materials will contain opt-out information. Where a person chooses to opt-out, their name will be removed from the relevant mailing list. To unsubscribe from any of the company’s communications at any time, please contact christophe[at]enarespiratory.com or click “unsubscribe” if the option is available.

5. Information Security

ENA Respiratory uses physical, technical, and administrative safeguards to protect the privacy of the information the company collects and holds. Information security is tested and updated on an ongoing basis. The company reinforces to its employees their responsibilities to maintain confidentiality and protect the privacy and security of information. Access to personal information is limited to staff who need the information for operational business purposes or to provide business services. Information is de-identified and/or securely destroyed when no longer required or when obsolete.

5.1 Unsolicited personal information

As the ENA Respiratory website is linked to the internet, the company cannot provide any assurance concerning the security of information sent or received online. There is no guarantee that information transmitted or received via the internet will not be intercepted during transmission. Individuals who send personal information to the company via online or other electronic methods do so at their own risk.

ENA Respiratory uses interfaces with social media sites, including Twitter, Facebook, Instagram, LinkedIn and others. Users are advised to read their privacy policies if choosing to ‘like’, ‘share’, or enter information relating to ENA Respiratory through these sites. Engaging with these sites provides ENA Respiratory with the individual’s username and access to their public profile.

The ENA Respiratory website may contain links to websites operated by other organisations or individuals. ENA Respiratory is not responsible for other organisations and sites’ privacy policies and practices, and users are advised to read those privacy policies.

The company also uses the services of organisations whose websites and servers are based outside of Australia for business-related activities. ENA Respiratory is not responsible for other organisations and sites’ privacy policies and practices, and users are advised to read those privacy policies.

6. Data Breaches

Any suspected or actual data breaches should be immediately reported as an Incident to the company CEO at christophe[at]enarespiratory.com.

ENA Respiratory will quickly respond in case of suspected or actual data breach. All incidents will be managed on a case-by-case basis, and the appropriate course of action will be taken in response. ENA Respiratory will work to contain the breach, evaluate the associated risks, and assess the level of possible harm. ENA Respiratory will always endeavour to take appropriate remedial action in a timely manner to prevent a data breach from resulting in serious harm (see section 6.1 below).

6.1 Eligible breaches

Some breaches of data are considered so significant as to be eligible to be notified to the Office of the Australian Information Commissioner (OAIC) and any individual whose personal data has been breached. An eligible data breach occurs when all the following criteria are met:

• there is unauthorised access to or unauthorised disclosure of personal information or a loss of personal information that the company holds

• this is likely to result in serious harm to one or more individuals, and

• the company has been unable to prevent the potential risk of serious harm with remedial action.

Serious harm regarding a data breach includes serious physical, psychological, emotional, financial, or reputational damage. When assessing the risk of serious harm to individuals whose personal information is part of a data breach, ENA Respiratory will consider the likelihood of the harm eventuating and the likely consequences of the harm.

6.2 Notification

Upon becoming aware of a suspected data breach, ENA Respiratory will quickly act to assess whether the breach constitutes an eligible data breach. If during the assessment, there are reasonable grounds to believe that there has been an eligible data breach, or it becomes clear that an eligible breach has occurred, the company CEO ([email protected]) or an authorised representative of the company will notify the OAIC as soon as practicable of becoming aware of the breach or suspected breach.

Where practicable, the company will notify each individual directly affected by the breach unless remedial action has already occurred to prevent serious harm. Where it is not practicable to notify each individual (for example, where all clients or staff are affected), the company will publicise the statement made to the OAIC on the Company website. ENA Respiratory will include the following information about the eligible data breach:

• the company’s name and contact details

• a description of the eligible data breach (e.g. the date/date range of the breach, the date the breach was detected, circumstances of the breach, who has/is like to have access to the information, and action taken to contain the breach)

• the kind or kinds of information involved in the eligible data breach

• steps the company recommends the individuals take in response to the eligible data breach

After the breach has been addressed and notification has occurred, ENA Respiratory will thoroughly review the matter to reduce the likelihood of recurrence. The company will review and, where necessary, update its policies and processes, conduct additional training, enhance cyber security measures, and/or other action as appropriate.

7. Requests and Complaints

Individuals may request access to any personal information the company holds about them at any time by emailing the company CEO (christophe[at]enarespiratory.com)

The company will endeavour to provide access to the information by the most suitable means, such as by mail, email, or arranging for the individual to view the information at ENA Respiratory’s office. ENA Respiratory will require the person to provide evidence of their identity before granting access or amendments.

The company may refuse access to all or part of a person’s record if it would interfere with the privacy of others, if it would reveal confidential business information, or for any other applicable reasons described in Australian Privacy Principle 12.3. Individuals will be notified in writing of the reasons for any such refusal.

7.1 Request to amend personal information

Individuals may request that their personal information be amended if they believe that information is not incomplete, inaccurate, or not up to date.

All requests to amend personal information will be assessed before being actioned. Where this assessment determines there are no grounds for amending the information, the company will add a note to the personal information stating that the individual disagrees with the record’s content.

7.2 Making a complaint about a breach of the Australian Privacy Principles

Individuals may complain about how the company handles their information by emailing their concerns to the company CEO (christophe[at]enarespiratory.com). An authorised company representative will respond to the complaint within a reasonable period, generally within ten business days. If the complaint appears to take longer to resolve, the representative will notify the individual of the expected resolution date.