NHMRC recognises that our staff and stakeholders value their privacy, and we make privacy a part of our everyday business. This means we incorporate privacy into strategic planning and take a ‘privacy by design’ approach to integrating privacy management into our projects and practices.
1 See clause 1.3 of Australian Privacy Principle 1 (open and transparent management of personal information), in Schedule 1 of the Privacy Act 1988.
NHMRC is Australia's peak body for supporting health and medical research; for developing health advice for the Australian community, health professionals and governments; and for providing advice on ethical behaviour in health care and in the conduct of health and medical research.
NHMRC is responsible to the Commonwealth Minister for Health. NHMRC has offices in Canberra and Melbourne.
Governed by the National Health and Medical Research Council Act 1992 (NHMRC Act), NHMRC's functions are to pursue activities designed to:
- raise the standard of individual and public health throughout Australia;
- foster the development of consistent health standards between the various States and Territories;
- foster medical research and training and public health research and training throughout Australia; and
- foster consideration of ethical issues relating to health.
NHMRC collects, holds, uses and discloses personal information to carry out these functions or activities. NHMRC also collects, holds, uses and discloses personal information to carry out other responsibilities including those under the:
- National Health and Medical Research Council Act 1992 (NHMRC Act)
- Medical Research Future Fund Act 2015
- Research Involving Human Embryos Act 2002 (RIHE Act)
- Prohibition of Human Cloning for Reproduction Act 2002 (PHCR Act)
- Public Governance, Performance and Accountability Act 2013 (PGPA Act)
- Freedom of Information Act 1982 (FOI Act)
- Therapeutic Goods Act 1989, in relation to the registration of Human Research Ethics Committees (HRECs)
personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
whether the information or opinion is true or not; and
whether the information or opinion is recorded in a material form or not.
sensitive information means
(a) information or an opinion about an individual's:
(i) racial or ethnic origin; or
(ii) political opinions; or
(iii) membership of a political association; or
(iv) religious beliefs or affiliations; or
(v) philosophical beliefs; or
(vi) membership of a professional or trade association; or
(vii) membership of a trade union; or
(viii) sexual orientation or practices; or
(ix) criminal record;
that is also personal information; or
(b) health information about an individual; or
(c) genetic information about an individual that is not otherwise health information; or
(d) biometric information that is to be used for the purpose of automated biometric verification or biometric identification; or
(e) biometric templates.
Collection of your personal information
The main way in which NHMRC collects personal information is when you provide it. For example, NHMRC may collect your personal information when you:
- are an employee or prospective employee of NHMRC
- are appointed as the Chairperson or a member of NHMRC’s Council, Principal Committees or Working Committees
- apply for research grants, through an NHMRC Administering Institution, in relation to any of the schemes administered by NHMRC
- access NHMRC’s Grant Management System including updating a CV
- participate in grant review processes (including as an assigner or an assessor)
- use the Human Research Ethics Application (HREA)
- apply for a licence to use human eggs and/or human embryos that were created by assisted reproductive technology and declared excess to the needs of the woman for whom they were created and her partner (if any) at the time the embryos were created
- respond to a request for tender
- participate in NHMRC targeted or public consultations or surveys
- contact NHMRC for information or advice, including Freedom of Information (FOI) requests
- contact Ministers in the Health Portfolio and related portfolios
- make a complaint to NHMRC or the NHMRC Commissioner of Complaints
- make an allegation about research misconduct or fraud to NHMRC
- request a review by the Australian Research Integrity Committee (ARIC)
- access NHMRC websites or subscription services
- make a public interest disclosure
- make a complaint under the Government Procurement (Judicial Review) Act 2018.
NHMRC may also collect your personal information via a third party, such as:
- when an institution or organisation:
- registers an HREC and provides updates on its activity
- applies for certification under the National Certification Scheme and during any monitoring or assessment activity
- participates in NHMRC targeted or public consultations or surveys
- applies to be an Administering Institution
- applies to be on Research Committee’s Approved Research Institutes register
- registers via the Guidelines in Development Register
- responds to a request for tender.
- Or when an individual or group:
- makes an allegation about research misconduct or fraud to NHMRC
- participates in NHMRC targeted or public consultations or surveys
- while completing an ethics application using the HREA
- contacts NHMRC or Ministers in the Health Portfolio and related portfolios
- makes a complaint to NHMRC or the NHMRC Commissioner of Complaints
- requests a review by ARIC.
The information in these records may include:
NHMRC may also collect personal information about you from publicly available sources to enable it to: contact stakeholders who may be interested in NHMRC’s work, or who may wish to participate in targeted or public consultations; construct databases of contact details for the purpose of informing relevant parties about relevant grant opportunities, or; for ensuring compliance with the NHMRC Misconduct Policy.
Receipt of unsolicited personal information
Unsolicited personal information is personal information received where there were no active steps taken to collect the information. NHMRC may receive unsolicited personal information about an individual in correspondence from external parties, including in ministerial correspondence, submissions to public consultations, complaints and in correspondence seeking advice.
Under Australian Privacy Principle 4 (APP4), NHMRC must determine whether or not NHMRC could have collected the information under Australian Privacy Principle 3 (APP3) if NHMRC had solicited the information. NHMRC may use or disclose the unsolicited personal information for the purposes of making this determination.
- If NHMRC determines that it could not have collected the personal information, and the information is not contained in a Commonwealth record2, NHMRC will, as soon as practicable, but only if it is lawful and reasonable to do so, destroy the information or ensure that the information is de-identified.
- If NHMRC determines that it could have collected the personal information under APP3, or the information is contained in a Commonwealth record, then Australian Privacy Principles 5 to 13 will apply in relation to the information as if NHMRC had solicited the information under APP3.
2 A Commonwealth record is a document (including in electronic form) that is the property of the Commonwealth and that has been kept by reason of its connection with any event, person, circumstance or thing (ss6(1) and ss3(1) of the Archives Act 1983).
Where it is determined that the unsolicited personal information cannot be destroyed or de-identified under APP4, the information will be treated in accordance with APPs 5- 13. Any future destruction of the personal information will comply with section 24 of the Archives Act 1983.
In regard to submissions received during public consultation, NHMRC reserves the right to redact unsolicited personal information from submissions, or to not publish submissions containing unsolicited personal information.
Dealing with NHMRC anonymously or pseudonymously
You can ask NHMRC to deal with you anonymously or pseudonymously (using a fictitious name) unless NHMRC expressly identifies that it is not practicable to deal with you on that basis. In most cases, NHMRC will require your contact details.
In the case of applications for research grants, it is not practicable for NHMRC to deal with you on an anonymous or pseudonymous basis. NHMRC will not accept a grant application or report that is anonymous or not in your real name.
NHMRC administers the following websites:
Any system on these websites that seeks to record personal information about you will advise you about your consent.
When you visit any of the NHMRC websites, NHMRC makes a record of your visit and logs the following information for statistical or systems administration purposes:
- your client address
- your top level domain name
- the date and time of access to the site and duration
- pages accessed and documents downloaded
- the previous site visited
- type of browser and operating system used.
Analytic and session tools
NHMRC uses a range of tools provided by third parties, such as Google Analytics, to collect or view website traffic information. These sites have their own privacy policies. NHMRC also uses session tools to improve your experience when accessing our websites.
The information collected by these tools may include the IP address of the device you are using and information about sites that IP address has come from, the pages accessed on our site and the previous site visited. NHMRC uses this information to maintain, secure and improve our websites and to enhance your experience when using them. In relation to Google Analytics you can opt out of the collection of this information using the Google Analytics Opt-out Browser Add-on.
No attempt will be made to identify anonymous users or their browsing activities unless NHMRC is legally compelled to do so, such as in the event of an investigation, where a law enforcement agency may exercise a warrant to inspect the Internet Service Provider's log files.
NHMRC uses 'cookies' for maintaining contact with a user through a website session. A cookie is a small file supplied by us and stored by the web browser software on your computer when you access our site. Cookies allow us to recognise you as an individual as you move from one of our web pages to another.
All cookies will be immediately lost when you end your internet session and shut down your computer. NHMRC’s record of your information will be automatically deleted twenty minutes after you last use one of our websites. This information is only used to help you navigate NHMRC website systems more efficiently, not to track your movements through the internet, or to record personal information about you.
Social Networking Services
NHMRC uses social networking services such as Facebook and Twitter to communicate with the public about its work. When you communicate with NHMRC using these services NHMRC may collect your personal information, but it is only used to communicate with you and the public. The social networking service will also handle your personal information for its own purposes. These sites have their own privacy policies.
Use or disclosure of your personal information
NHMRC will not be taken to have breached its obligations under this policy or the Privacy Act where:
- a person has consented to the use or disclosure of their personal information
- a purpose for which the personal information is to be used is directly related to the purpose for which it was collected
- a person would reasonably expect, or has been told, that personal information may be published or passed to certain individuals (including the general public), bodies or agencies (e.g. if requested by the Australian Research Council (ARC), for the purpose of ARC establishing compliance with its funding rules)
- a grant applicant has explicitly indicated, or made NHMRC generally aware, of a wish for the application to be considered by other funding bodies and research institutions, such as co-funding organisations or the applicant’s own institution
- it uses the personal information to comply with obligations, or exercise rights under the NHMRC Act, or NHMRC policies and procedures
- it uses the personal information to enable effective management or auditing of a funding agreement, scheme or NHMRC’s grants management solution
- the disclosure of personal information:
- to overseas entities, Australian state/territory or local government agencies, organisations or individuals is necessary to assess an application or administer a grant
- to universities, private medical research bodies, Australian state/territory or local government agencies is for the purpose of establishing expert advisory panels or working groups
- is required or permitted by law
- will prevent or lessen a serious and imminent threat to somebody’s life or health
- there is a reasonable belief that the disclosure of the personal information is for a purpose directly related to the enforcement or investigation of a possible breach of a Commonwealth, State or Territory law
- the personal information is in the public domain.
Access to NHMRC records and your personal information is limited to those who have an operational need or who have legislative authority. These include:
- NHMRC CEO and staff
- Ministers and staff in the Health Portfolio and related portfolios
- other Australian Government agencies, where:
- the information is relevant to manage correspondence (i.e. where a person has written to more than one minister on the same matter)
- the information will inform the development of government policy
- it is requested or needed for the purpose of legislative requirements
- NHMRC Council, Principal Committee and Working Committee members
- individuals involved with NHMRC grant review processes
- contracted service providers in relation to the delivery of the service
- the NHMRC Commissioner of Complaints
- members of ARIC
- Inspectors appointed under the RIHE/PHCR Acts
- state/territory organisations under legislation complementary to the RIHE/PHCR Acts
- the Administrative Appeals Tribunal
- the Commonwealth Ombudsman
- the Office of the Australian Information Commissioner
- Administering Institutions
- the Australian Taxation Office
- the Australian Federal Police.
Disclosure of personal information to overseas recipients
Disclosure for NHMRC review
NHMRC’s review processes use the most qualified researchers available to assess grant applications. There may be occasions when personal information (contained in an application) must be sent overseas to an expert reviewer or assessor for review where the assessor or reviewer best suited and available to assess the application is overseas.
NHMRC will prompt applicants with a notice that seeks their express consent to overseas disclosure at the time of making their application. Applicants can elect not to have their information sent overseas for review or assessment.
Disclosure within jointly administered research schemes
NHMRC participates in a number of funding schemes which provide assistance to Australian researchers to participate in collaborative research projects with international researchers.
See https://www.nhmrc.gov.au/funding/fund-collaborative-health-researcher further information regarding these funding schemes and corresponding organisations and countries.
In order for applicant researchers to participate in these schemes, their personal information may need to be disclosed by NHMRC to overseas recipients, generally for the purposes of review of the applications.
Applicants are advised of this possibility at the time of making their application.
Disclosure to support international cooperation
NHMRC participates in international collaborations to foster global health and medical research goals. Occasionally, information will be shared between member organisations, generally about researchers with expertise in particular areas. See https://www.nhmrc.gov.au/funding/fund-collaborative-health-research.or further information regarding these organisations and participating countries.
Requirements of the Commonwealth Grants Rules and Guidelines
Certain information about grant recipients is published on the NHMRC website and https://www.grants.gov.au in accordance with the requirements of the Commonwealth Grants Rules and Guidelines, including the name of the recipient, the amount and duration of the grant, the researcher’s institution and the NHMRC scheme under which the grant was awarded.
Submissions to NHMRC targeted or public consultations
In general, if you provide NHMRC with permission to publish your public consultation submission on the NHMRC public consultation website, the submission will be published as soon as possible once all administrative and committee processes have concluded. Regardless of your permission being granted, NHMRC reserves the right to not publish any submission, or part of a submission, which contains what NHMRC determines, in its absolute discretion, to be personal information about you and/or personal information about a reasonably identifiable third- party.
NHMRC does not usually publically disclose submissions to targeted consultations. Should the need arise, NHMRC will seek your explicit permission to publish your submission online.
No sale of personal information
Under no circumstances will NHMRC sell or receive payment for licensing or disclosing your personal information.
Storage and security of personal information
Under the Public Governance, Performance and Accountability Act 2013, NHMRC is required to implement the Australian Government Protective Security Policy Framework (PSPF). The PSPF provides the appropriate controls for the Australian Government to protect its people, information and assets, at home and overseas. All personal information held by NHMRC is stored in accordance with the PSPF and managed in accordance with the Archives Act 1983.3
NHMRC takes steps to protect the security of the personal information it holds by:
- regularly assessing the risk of misuse, interference, loss, and unauthorised access, modification or disclosure of that information
- taking appropriate measures to address those risks
- conducting regular reviews to assess whether NHMRC has adequately complied with or implemented these measures.
In addition, NHMRC must comply with the Australian Signals Directorate Information Security Manual and with relevant Government security standards when storing any information.
For further information on the way NHMRC manages security risks in relation to personal information please contact the Agency Security Adviser via email to email@example.com.
Subscriptions on NHMRC websites
If you subscribe to any of NHMRC’s regular electronic publications (e.g.Tracker), the personal information you submit through the subscription service form will be secure using SSL protocol used solely by NHMRC and not be disclosed to any other individual or organisation. The records are kept within NHMRC and Campaign Monitor (USA) until the individual asks to be removed from the NHMRC mailing list or fails to respond to a request for confirmation of continued interest.
There are security risks associated with transmission of information via the Internet. NHMRC has taken reasonable steps to safeguard against unauthorised access, use, modification or disclosure of the personal information NHMRC holds electronically. Before deciding whether to use this subscription facility you should make your own assessment of the potential risks to the security of your information.
By clicking on the warning/disclaimer tick box on the subscription service or our web based forms (including the NHMRC Public Consultation Portal), you acknowledge and agree that the Commonwealth will not be liable for any unauthorised access or for any loss or damage that you may incur as a result of any unauthorised access to this site or to the information transmitted by you or any other person.
3Some relevant records may also be held by the Department of Health, if those records were generated before NHMRC became a separate agency in the Health Portfolio (i.e before 2006).
Retention of Records
NHMRC records are retained in accordance with the relevant Records Authority issued by the National Archives of Australia, under the Archives Act 1983.
Records Authorities enable NHMRC to determine how long records need to be retained and when a record will be due for destruction or transfer to the National Archives.
Records Authorities contain descriptions of record types and specify the minimum retention periods applying to them.
Accessing and correcting your personal information
Under the Privacy Act (APPs 12 and 13), you have the right to ask for access to the personal information that NHMRC holds about you, and to ask that NHMRC corrects that personal information. You can ask for access or correction by contacting NHMRC’s Privacy Officer by email to firstname.lastname@example.org or by writing to the following address:
Privacy Officer NHMRC
GPO Box 1421
CANBERRA ACT 2601
If you ask, NHMRC must give you access to your personal information unless there is a law that allows or requires NHMRC to refuse access. If your personal information is inaccurate, out-of-date, incomplete, irrelevant or misleading, the NHMRC will take reasonable steps to correct your personal information within 30 days of receiving and verifying your request.
You will be asked to verify your identity before NHMRC will give you access to your information or corrects it. If you are uncertain about how to set out your request, or the supporting material required, the Privacy Contact Officer may be able to assist you.
If a correction is made and NHMRC has disclosed the incorrect information to certain third parties, you can ask NHMRC to tell them about the correction.
If NHMRC refuses to give you access to, or correct, your personal information, you will be notified in writing of the reasons.
You also have the right under the FOI Act to request access to documents that NHMRC holds and ask for information that NHMRC holds about you to be changed or annotated if it is incomplete, incorrect, out-of-date or misleading. For further information see Freedom of information requests to NHMRC.
Making a privacy complaint if you believe that NHMRC has breached the Australian Privacy Principles
If you wish to complain that the NHMRC has breached one of the Australian Privacy Principles you can contact the NHMRC’s Privacy Officer on (02) 6217 9000, by email to email@example.com , or by writing to the following address:
Privacy Officer NHMRC
GPO Box 1421
CANBERRA ACT 2601
Your privacy complaint should be in writing and set out as much detail as possible and include any supporting documentation. You may make a privacy complaint anonymously, or by using a pseudonym. However, you should realise that if you wish to communicate with the NHMRC in this way, our ability to fully investigate and deal with the complaint may be restricted.
How NHMRC will deal with your privacy complaint
The NHMRC will usually respond to your complaint within 30 calendar days and provide you with its response in writing.
If NHMRC takes more than 30 days to respond to your privacy complaint (without your prior agreement), or you are not satisfied with the NHMRC’s response, you may then take your privacy complaint to the Office of the Australian Information Commissioner (OAIC).
(02) 6217 9000, by email to firstname.lastname@example.org or by writing to the following address:
Privacy Officer NHMRC
GPO Box 1421
CANBERRA ACT 2601
Please note, this policy is subject to annual review.
NHMRC Response Plan for data breaches involving personal or sensitive information
NHMRC Privacy Impact Assessments
A Privacy Impact Assessment (PIA) is a systematic assessment of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimising, or eliminating that impact.
NHMRC is required by the Australian Government Agencies Privacy Code to maintain a register of the Privacy Impact Assessments it conducts. Privacy Impact Assessments, and the NHMRC response, are published here:
|Date of Publication||Project||Privacy Impact Assessment||NHMRC Response|
|16 December 2019||Privacy Impact Assessment Report on the Implementation of the Sapphire System||Sapphire PIA final||NHMRC response|
The NHMRC Privacy Impact Assessments register is current as at 31 March 2022.
This page was last updated on 4 April 2022