The National Health and Medical Research Council (NHMRC) recognises that our staff and stakeholders value their privacy, and we make privacy a part of our everyday business. This means we incorporate privacy into strategic planning and take a 'privacy by design' approach to integrating privacy management into our projects and practices.


The Privacy Act 1988 (Privacy Act) requires entities bound by the Australian Privacy Principles (APP) to have a privacy policy1. This privacy policy outlines the personal information handling practices at NHMRC.

The legal obligations of NHMRC when collecting and handling personal information are outlined in the Privacy Act, in particular the APPs in that Act. Detailed information on the APPs can be found on the website of the Office of the Australian Information Commissioner (OAIC).


NHMRC is Australia's peak body for:

  • supporting health and medical research
  • for developing health advice for the Australian community, health professionals and governments
  • for providing advice on ethical behaviour in health care and in the conduct of health and medical research.

NHMRC is responsible to the Australian Government Minister for Health and Aged Care. NHMRC has offices in Canberra and Melbourne.

Governed by the National Health and Medical Research Council Act 1992 (NHMRC Act), NHMRC's functions are to pursue activities designed to:

  • raise the standard of individual and public health throughout Australia
  • foster the development of consistent health standards between the various States and Territories
  • foster medical research and training and public health research and training throughout Australia
  • foster consideration of ethical issues relating to health.

NHMRC collects, holds, uses and discloses personal information to carry out these functions or activities. NHMRC also collects, holds, uses and discloses personal information to carry out other responsibilities including those under the:

  • NHMRC Act
  • Medical Research Future Fund Act 2015
  • Research Involving Human Embryos Act 2002 (RIHE Act)
  • Prohibition of Human Cloning for Reproduction Act 2002 (PHCR Act)
  • Public Governance, Performance and Accountability Act 2013 (PGPA Act)
  • Freedom of Information Act 1982 (FOI Act)
  • Therapeutic Goods Act 1989, in relation to the registration of Human Research Ethics Committees (HRECs)


In this privacy policy, personal information and sensitive information (a sub-set of personal information), have the same meanings as defined in subsection 6(1) of the Privacy Act, namely:

personal information is as defined in section 6 of the Privacy Act and means information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  1. whether the information or opinion is true or not; and
  2. whether the information or opinion is recorded in a material form or not.

sensitive information is as defined in section 6 of the Privacy Act and means

  1. information or an opinion about an individual's:

    1. racial or ethnic origin
    2. political opinions
    3. membership of a political association
    4. religious beliefs or affiliations
    5. philosophical beliefs
    6. membership of a professional or trade association
    7. membership of a trade union
    8. sexual orientation or practices, or
    9. criminal record

    that is also personal information; or

  2. health information about an individual
  3. genetic information about an individual that is not otherwise health information
  4. biometric information that is to be used for the purpose of automated biometric verification or biometric identification, or
  5. biometric templates.

Collection of your personal information

The main way in which NHMRC collects personal information is when you provide it. For example, NHMRC may collect your personal information when you:

  • are an employee or prospective employee of NHMRC
  • are appointed as the Chair or a member of NHMRC's Council, principal committees or working committees (including as a peer reviewer)
  • apply for research grants, through an NHMRC Administering Institution, in relation to any of the schemes administered by NHMRC
  • access NHMRC's grant management system, including to update a CV
  • participate in grant review processes (including as an assigner or an assessor)
  • use the Human Research Ethics Application (HREA)
  • apply for a licence under the Research Involving Human Embryos Act 2002 (RIHE Act)
  • respond to a request for tender
  • participate in NHMRC meetings
  • participate in NHMRC targeted or public consultations or surveys
  • contact NHMRC for information or advice, including Freedom of Information (FOI) requests
  • contact Ministers in the health portfolio and related portfolios
  • make a complaint to NHMRC or the NHMRC Commissioner of Complaints
  • make an allegation about research misconduct or fraud to NHMRC
  • request a review by the Australian Research Integrity Committee (ARIC)
  • access NHMRC websites or subscription services
  • make a public interest disclosure
  • make a complaint under the Government Procurement (Judicial Review) Act 2018.

NHMRC may also collect your personal information via a third party, such as:

  • when an institution or organisation:
    • registers an HREC and provides updates on its activity
    • applies for a licence under the RIHE Act
    • applies for certification under the National Certification Scheme and during any monitoring or assessment activity
    • participates in NHMRC targeted or public consultations or surveys
    • applies to be an Administering Institution
    • applies to be on Research Committee's Approved Research Institutes register
    • registers via the Guidelines in Development Register
    • responds to a request for tender.
  • or when an individual or group:
    • makes an allegation about research misconduct or fraud to NHMRC
    • participates in NHMRC targeted or public consultations or surveys
    • while completing an ethics application using the HREA
    • contacts NHMRC or Ministers in the Health Portfolio and related portfolios
    • makes a complaint to NHMRC or the NHMRC Commissioner of Complaints
    • requests a review by ARIC.

The personal information in these records may include:

  • title
  • name
  • address & other contact details
  • date of birth
  • gender
  • marital status
  • number of dependants
  • physical or mental health
  • disability status
  • racial or ethnic origin, cultural background or culturally sensitive issues
  • photographs, digital images, video and audio recordings
  • disclosures of interest
  • criminal convictions
  • religious affiliations
  • political affiliations
  • Medicare card number
  • details of research misconduct or fraud (whether alleged, substantiated or dismissed)
  • driver's licence number and expiry date
  • vehicle insurance details
  • passport details
  • financial information
  • tax file number
  • bank account and superannuation details
  • curricula vitae
  • current employment and employment history
  • employer/ employee relationships and activities
  • employment conditions
  • education/ training qualifications
  • professional registration and affiliations
  • union membership
  • research grant and research publication history
  • Australian Business Number
  • Details of research misconduct or fraud (whether alleged, substantiated or dismissed).


NHMRC does not solicit information from some of the categories listed above, however it may, subject to APP4 (see next section), hold this information where it has been volunteered by the individual.

NHMRC may also collect personal information about you from publicly available sources to enable it to:

  • contact stakeholders who may be interested in NHMRC's work, or who may wish to participate in targeted or public consultations
  • construct databases of contact details for the purpose of informing relevant parties about relevant grant opportunities, or
  • for ensuring compliance with the NHMRC Research Integrity and Misconduct Policy.

Receipt of unsolicited personal information

Unsolicited personal information is personal information received where there were no active steps taken by NHMRC to collect the information. NHMRC may receive unsolicited personal information about an individual in correspondence from external parties, including in ministerial correspondence, submissions to public or targeted consultations or surveys, complaints and in correspondence seeking advice.

When handling unsolicited personal information NHMRC uses APP4, to determine whether or not NHMRC could have solicited the information (refer APP3). If the information provided could have been solicited by NHMRC to do its work then NHMRC may use or disclose unsolicited personal information that has been provided by an individual.

However, if NHMRC determines that it would not have collected the personal information, and the information is not contained in a Commonwealth record2, NHMRC will, as soon as practicable, but only if it is lawful and reasonable to do so, destroy the information or ensure that the information is de-identified.

If NHMRC determines that it could have collected the personal information under APP3, or the information is contained in a 'Commonwealth record', then APPs 5 to 13 will apply in relation to the information as if NHMRC had solicited the information under APP3.

Where it is determined that the unsolicited personal information cannot be destroyed or de-identified under APP4 (that is, it is part of the Commonwealth record), the information will be treated in accordance with APPs 5 to 13. That is, it will be retained until it can be destroyed in accordance with the Archives Act 1983.

In regard to submissions received during public consultation, NHMRC reserves the right to redact unsolicited personal information from submissions, or to not publish submissions containing unsolicited personal information.

Dealing with NHMRC anonymously or pseudonymously

You can ask NHMRC to deal with you anonymously or pseudonymously (using a fictitious name) unless NHMRC expressly identifies that it is not practicable to deal with you on that basis. In most cases, NHMRC will require your contact details.

In the case of applications for research grants or licence applications under the RIHE Act, it is not practicable for NHMRC to deal with you on an anonymous or pseudonymous basis. NHMRC will not accept an application or report that is anonymous or not in your real name.

NHMRC websites

NHMRC administers the following websites:

Note the development of Sapphire included a Privacy Impact Assessment (see below) and uses privacy access controls, such as user penetration testing, as part of its data management strategy.  

Any system on these websites that seeks to record personal information about you will include a Privacy collection notice and will include a link to this Policy.

When you visit any of the NHMRC websites, NHMRC makes a record of your visit and logs the following information for statistical or systems administration purposes:

  • your client address
  • your top-level domain name
  • the date and time of access to the site and duration
  • pages accessed and documents downloaded
  • the previous site visited
  • type of browser and operating system used.

Analytic and session tools

NHMRC uses a range of tools provided by third parties, such as Google Analytics, to collect or view website traffic information. These sites have their own privacy policies. NHMRC also uses session tools to improve your experience when accessing our websites.

The information collected by these tools may include the IP address of the device you are using and information about sites that IP address has come from, the pages accessed on our site and the previous site visited. NHMRC uses this information to maintain, secure and improve our websites and to enhance your experience when using them. In relation to Google Analytics you can opt out of the collection of this information using the Google Analytics Opt-out Browser Add-on.

No attempt will be made to identify anonymous users or their browsing activities unless NHMRC is legally compelled to do so, such as in the event of an investigation, where a law enforcement agency may exercise a warrant to inspect the Internet Service Provider's log files.


NHMRC uses 'cookies' for maintaining contact with a user through a website session. A cookie is a small file supplied by us and stored by the web browser software on your computer when you access our site. Cookies allow us to recognise you as an individual as you move from one of our web pages to another.

All cookies will be immediately lost when you end your internet session and shut down your computer. NHMRC's record of your information will be automatically deleted 20minutes after you last use one of our websites. This information is only used to help you navigate NHMRC website systems more efficiently, not to track your movements through the internet, or to record personal information about you.

Social networking services

NHMRC uses social networking services such as Facebook and Twitter to communicate with the public about its work. When you communicate with NHMRC using these services NHMRC may collect your personal information, but it is only used to communicate with you and the public. The social networking service will also handle your personal information for its own purposes. These sites have their own privacy policies and data storage which may include cookies. Your use of these services is governed by the individual conditions of each site.

Use or disclosure of your personal information

Disclosure of personal information

NHMRC can, and usually will, disclose personal information where:

  • a person has consented to the disclosure, or
  • the person would reasonably expect that their information will be disclosed, or
  • the disclosure is authorised or required by or under law.

NHMRC will not be taken to have breached its obligations under this policy or the Privacy Act where:

  • a person has consented to the use or disclosure of their personal information
  • a purpose for which the personal information is to be used is directly related to the purpose for which it was collected
  • a person would reasonably expect, or has been told, that personal information may be published or passed to certain individuals (including the general public), bodies or agencies (for example, if requested by the Australian Research Council (ARC), for the purpose of ARC establishing compliance with its funding rules)
  • a grant applicant has explicitly indicated, or made NHMRC generally aware, of a wish for the application to be considered by other funding bodies and research institutions, such as co-funding organisations or the applicant's own institution
  • it uses the personal information to comply with obligations, or exercise rights under the NHMRC Act, or NHMRC policies and procedures
  • it uses the personal information to enable effective management or auditing of a funding agreement, scheme or NHMRC's grants management solution
  • the disclosure of personal information:
    • to overseas entities, Australian state/ territory or local government agencies, organisations or individuals is necessary to assess an application or administer a grant
    • to universities, private medical research bodies, Australian state/ territory or local government agencies is for the purpose of establishing expert advisory panels or working groups
    • is required or permitted by law
    • will prevent or lessen a serious and imminent threat to somebody's life or health.
  • there is a reasonable belief that the disclosure of the personal information is for a purpose directly related to the enforcement or investigation of a possible breach of a Commonwealth, State or Territory law
  • the personal information is in the public domain.

Access to NHMRC records and your personal information is limited to those who have an operational need or who have legislative authority. These include:

  • NHMRC CEO and staff
  • Ministers and staff in the Health Portfolio and related portfolios
  • other Australian Government agencies, where:
    • the information is relevant to manage correspondence (that is, where a person has written to more than one minister on the same matter)
    • the information will inform the development of government policy
    • it is requested or needed for the purpose of legislative requirements
  • NHMRC Council, Principal Committee and Working Committee members
  • individuals involved with NHMRC grant review processes
  • contracted service providers in relation to the delivery of the service
  • the NHMRC Commissioner of Complaints
  • members of ARIC
  • Inspectors appointed under the RIHE/ PHCR Acts
  • state/ territory organisations under legislation complementary to the RIHE/PHCR Acts
  • the Administrative Appeals Tribunal
  • the Commonwealth Ombudsman
  • the OAIC
  • the National Anti-Corruption Commission
  • Administering Institutions
  • the Australian Taxation Office
  • the Australian Federal Police.

Disclosure of sensitive information in grant applications

Researchers applying to some grant schemes may be asked to provide career disruption or relative to opportunity information. Applicants should note that application information may be available to:

  • people with preview access to applications, including Chief Investigators and Research Administration Officers related to the application
  • NHMRC staff and individuals involved in peer review.

Applicants are asked to consider the level of information they disclose.

Disclosure of personal information to overseas recipients

NHMRC may disclose certain personal information to overseas recipients with consent, where authorised by or under law, or in accordance with an international treaty or convention.

Disclosure for NHMRC peer review of applications for funding

NHMRC's review processes use the most qualified researchers available to assess grant applications. There may be occasions when personal information (contained in an application) must be sent overseas to an expert reviewer or assessor for review where the assessor or reviewer best suited and available to assess the application is overseas.

NHMRC will prompt applicants with a notice that seeks their express consent to overseas disclosure at the time of making their application. Applicants can elect not to have their information sent overseas for review or assessment.

Disclosure for the assessment of mitochondrial donation and other licence applications under the RIHE Act

When assessing a licence application, including those for mitochondrial donation, the Embryo Research Licensing Committee (ERLC) may request advice from other relevant experts. These experts may be located overseas and where there is a need, they may require access to the personal information of the people identifiable in the application form.

Each person named on a mitochondrial donation licence application will be asked to confirm that they have been given a copy of the Mitochondrial Donation Licensing Scheme Privacy Notice. The nominated embryologist must confirm their consent to being nominated on the application and the Organisation Representative and the Principal Supervisor must also confirm that the information in the application is true and correct.

Disclosure within jointly administered research schemes

NHMRC participates in a number of funding schemes which provide assistance to Australian researchers to participate in collaborative research projects with international researchers.

See International Collaborative Health Research Funding for further information regarding these funding schemes and corresponding organisations and countries.

In order for applicant researchers to participate in these schemes, their personal information may need to be disclosed by NHMRC to overseas recipients, generally for the purposes of review of the applications.

Applicants are advised of this at the time of making their application.

Disclosure in public or targeted consultations or surveys

NHMRC undertakes public or targeted consultations and surveys in order to perform its functions. If an expert or consultant engaged to analyse or consider any survey or consultation data is based overseas, NHMRC will ordinarily adopt one of the following approaches:

  • redact any personal information that may be contained in the response before forwarding the data overseas
  • advise in the collection notice attached to the survey or consultation that any personal information provided in the response will only be forwarded overseas if the respondent expressly gives consent to the information being forwarded overseas.

Disclosure to support international cooperation

NHMRC participates in international collaborations to foster global health and medical research goals. Occasionally, information will be shared between member organisations, generally about researchers with expertise in particular areas. See International Collaborative Health Research Funding for further information regarding these organisations and participating countries.

Requirements of the Commonwealth Grants Rules and Guidelines

Certain information about grant recipients is published on this website and GrantConnect in accordance with the requirements of the Commonwealth Grants Rules and Guidelines, including the name of the recipient, the amount and duration of the grant, the researcher's institution and the NHMRC scheme under which the grant was awarded.

Submissions to NHMRC targeted or public consultations

Providing personal information in any consultation or survey response is usually optional.

In general, if you provide NHMRC with permission to publish your public consultation submission on the NHMRC public consultation website, the submission will be published as soon as possible once all administrative and committee processes have concluded. Regardless of your permission being granted, NHMRC reserves the right to not publish any submission, or part of a submission, which contains what NHMRC determines, in its absolute discretion, to be personal information about you and/or personal information about a reasonably identifiable third party.

NHMRC does not usually publicly disclose submissions to targeted consultations. Should the need arise, NHMRC will seek your explicit permission to publish your submission online.

No sale of personal information

Under no circumstances will NHMRC sell or receive payment for licensing or disclosing your personal information.

Storage and security of personal information

Under the Public Governance, Performance and Accountability Act 2013, NHMRC is required to implement the Australian Government Protective Security Policy Framework (PSPF). The PSPF provides the appropriate controls for the Australian Government to protect its people, information and assets, at home and overseas. All personal information held by NHMRC is stored in accordance with the PSPF and managed in accordance with the Archives Act 1983.3

NHMRC takes steps to protect the security of the personal information it holds by:

  • regularly assessing the risk of misuse, interference, loss, and unauthorised access, modification or disclosure of that information
  • taking appropriate measures to address those risks
  • conducting regular reviews to assess whether NHMRC has adequately complied with or implemented these measures.

In addition, NHMRC must comply with the Australian Cyber Security Centre Information Security Manual and with relevant Government security standards when storing any information.

Storage of personal information

In compliance with APP10, NHMRC takes reasonable steps to ensure that the personal information it collects is accurate, up-to-date and complete. In compliance with APP11, NHMRC also takes reasonable steps to protect the personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure.

NHMRC has the following controls in place to protect against interference with personal information by way of unauthorised access, misuse, loss, modification, or disclosure including:

  • access to information collected from individuals is limited to authorised persons with a need-to-know by way of audited technical controls
  • our internal network, electronic records management system, and databases are protected using firewall, intrusion detection and prevention, antivirus, user authentication complexity, and other ICT Security technologies and protocols
  • web transactions are conducted securely using encrypted connections
  • our web services are vulnerability tested against intrusion
  • paper files containing sensitive information are protected in accordance with Australian Government Protective Information Security Management Protocol and secured in locked cabinets, Australian Government-approved protective security containers or Secure Rooms with restricted access
  • NHMRC's premises are under 24-hour surveillance and access is via security passes only, with all access (and attempted access) logged electronically
  • NHMRC regularly conducts system audits and staff training to ensure we adhere to our established protective and ICT Security compliance and best practices
  • aftercare measures (including return of devices and signing secrecy documents) are taken to support the removal of access to personal information when no longer required.

For further information on the way NHMRC manages security risks in relation to personal information, contact the Agency Security Adviser via email to

Subscriptions on NHMRC websites

If you subscribe to any of NHMRC's regular electronic publications (for example, Tracker), the personal information you submit through the subscription service form will be secure using SSL protocol used solely by NHMRC and not be disclosed to any other individual or organisation. The records are kept within NHMRC and Campaign Monitor (USA) until the individual asks to be removed from the NHMRC mailing list or fails to respond to a request for confirmation of continued interest.

There are security risks associated with transmission of information via the Internet. NHMRC has taken reasonable steps to safeguard against unauthorised access, use, modification or disclosure of the personal information NHMRC holds electronically. Before deciding whether to use this subscription facility you should make your own assessment of the potential risks to the security of your information.

By clicking on the warning/ disclaimer tick box on the subscription service or our web-based forms, you acknowledge and agree that the Commonwealth will not be liable for any unauthorised access or for any loss or damage that you may incur as a result of any unauthorised access to this site or to the information transmitted by you or any other person.

Retention of records

NHMRC records3 are retained in accordance with the relevant Records Authority issued by the National Archives of Australia, under the Archives Act 1983.

Records Authorities enable NHMRC to determine how long records need to be retained and when a record will be due for destruction or transfer to the National Archives.

Records Authorities contain descriptions of record types and specify the minimum retention periods applying to them.

Accessing and correcting your personal information

Under the Privacy Act (APPs 12 and 13), you have the right to ask for access to the personal information that NHMRC holds about you, and to ask that NHMRC corrects that personal information. You can ask for access or correction by contacting NHMRC's Privacy Officer by email to or by writing to the following:


Privacy Officer
GPO Box 1421

If you ask, NHMRC must give you access to your personal information unless there is a law that allows or requires NHMRC to refuse access. If your personal information is inaccurate, out-of-date, incomplete, irrelevant or misleading, NHMRC will take reasonable steps to correct your personal information within 30 days of receiving and verifying your request.


For some systems used by NHMRC, including Sapphire and Aurion, individuals can correct their own information.

You will be asked to verify your identity before NHMRC will give you access to your information or corrects it. If you are uncertain about how to set out your request, or the supporting material required, the Privacy Officer may be able to assist you.

If a correction is made and NHMRC has disclosed the incorrect information to certain third parties, you can ask NHMRC to tell them about the correction.

If NHMRC refuses to give you access to, or correct, your personal information, you will be notified in writing of the reasons.

You also have the right under the FOI Act to request access to documents that NHMRC holds and ask for information that NHMRC holds about you to be changed or annotated if it is incomplete, incorrect, out-of-date or misleading. For further information see Freedom of information requests to NHMRC.

Making a privacy complaint if you believe that NHMRC has breached the Australian Privacy Principles

If you wish to complain that the NHMRC has breached one of the APPs you can contact the NHMRC's Privacy Officer:


Privacy Officer
GPO Box 1421

Your privacy complaint should be in writing and set out as much detail as possible and include any supporting documentation. You may make a privacy complaint anonymously, or by using a pseudonym. However, you should realise that if you wish to communicate with the NHMRC in this way, our ability to fully investigate and deal with the complaint may be restricted.

How NHMRC will deal with your privacy complaint?

The NHMRC will usually respond to your complaint within 30 calendar days and provide you with its response in writing.

If NHMRC takes more than 30 days to respond to your privacy complaint (without your prior agreement), or you are not satisfied with the NHMRC's response, you may then take your privacy complaint to the OAIC.

NHMRC Response Plan for data breaches involving personal or sensitive information

NHMRC is committed to protecting the privacy of its officials and stakeholders. NHMRC has a number of controls in place for the collection, storage and use of personal or sensitive information.

Data breach

Controls are in place to enable NHMRC to promptly identify data breaches – see NHMRC Response Plan for data breaches involving personal or sensitive information in the Download section (below).

NHMRC Privacy Impact Assessments

A Privacy Impact Assessment (PIA) is a systematic assessment of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimising, or eliminating that impact.

NHMRC is required by the Australian Government Agencies Privacy Code to maintain a register of the Privacy Impact Assessments it conducts. Privacy Impact Assessments, and the NHMRC response, are published in the following table:

Table: Privacy Impact Assessment and the NHMRC response
Date of publicationProjectPrivacy Impact AssessmentNHMRC response
16 December 2019Privacy Impact Assessment Report on the Implementation of the Sapphire SystemSapphire PIA finalNHMRC response
6 March 2023Privacy Impact Assessment report on the implementation and ongoing management of the Mitochondrial Donation Licensing SchemeMitochondrial Donation PIANHMRC response
2 January 2024Privacy Impact Assessment on the implementation of Citizen Space Citizen Space PIAN/A – NHMRC conducted PIA

The NHMRC Privacy Impact Assessments register is current as at 2 January 2024.


This policy is subject to annual review.

This page was last updated on 2 January 2024.


1 See clause 1.3 of Australian Privacy Principle 1 (open and transparent management of personal information), in Schedule 1 of the Privacy Act.
2 A Commonwealth record is a document (including in electronic form) that is the property of the Commonwealth and that has been kept by reason of its connection with any event, person, circumstance or thing (ss6(1) and ss3(1) of the Archives Act 1983.
3 Some relevant records may also be held by the Department of Health and Aged Care, if those records were generated before NHMRC became a separate agency in the Health Portfolio (that is, before 2006).