1- PURPOSE

This document describes NRL’s privacy policy and principles.

2- SCOPE

This policy applies to all NRL staff, including casual and honorary staff and students, and to NRL clients where personal information is collected.

3- POLICY AND PRINCIPLES

NRL is committed to providing quality services to its clients, and this policy outlines our ongoing obligations in respect to how we manage Personal Information provided to NRL. This may be in hardcopy or via websites, mobile sites, mobile applications, and other digital services and products controlled by NRL, located at 4th Floor Healy Building, 41 Victoria Parade, Fitzroy, Victoria 3065, Australia.

NRL is bound by the Australian Privacy Principles (APPs) contained in the Privacy Act 1988 (Cth) (the Privacy Act). The APPs govern the way in which NRL collects, uses, discloses, stores, secures and disposes of Personal Information.

A copy of the Australian Privacy Principles may be obtained from the Office of the Australian Information Commissioner website at: https://www.oaic.gov.au/assets/privacy/australian-privacy-principles/the-australian-privacy-principles.pdf

SVI / NRL collects personal information from employees and clients. The personal information held by NRL varies depending on the nature and purpose of the relationship. It may include name; position; qualifications; business address; business telephone, mobile phone and fax numbers; home address; home telephone, fax and personal mobile phone numbers; e-mail address; memberships of professional associations; and employment history. If personal information is not provided, specific services may not be able to be provided or a position appointment may not be able to be made.

4- PERSONAL INFORMATION

4.1 What is Personal Information and why do we collect it?

For the purposes of this Privacy Policy, “Personal Information” means information that identifies an individual or that could reasonably be used to identify an individual. Examples of this include name, address, telephone number and e-mail address.

Personal Information is obtained in many ways including direct request, resumes, surveys, correspondence by telephone and facsimile, email, via the NRL website (www.nrlquality.org.au), via purchase requests for QC and EQAS products, through related products such as EDCNet, cookies and from third parties. The personal information supplied to NRL may be accessed by authorised third parties, but only as required for the provision of NRL services, products, conference attendance and marketing purposes.

Personal Information may also be used for secondary purposes closely related to the primary purpose, in circumstances where it would be reasonably expected that such information is used or disclosed, for example, for provision of other NRL services. When Personal Information is collected, NRL will, where appropriate and where possible, explain why the information is being collected and how it will be used.

Clients may unsubscribe from the NRL mailing/marketing lists at any time by selecting an “Opt Out” feature in the digital newsletter and email alerts or by contacting NRL directly as detailed below.

4.2 Personal Information Shared During Interactions with NRL

Clients may contact NRL to ask questions, discuss concerns, or report issues regarding NRL’s products or services. Communication with, or a request for information from, NRL may prompt a request to provide contact information as well as any Personal Information that is relevant.

4.3 Sensitive Information Provided by 3rd Party NRL customers or generated by NRL

In addition to Personal Information, NRL may collect and/or generate “Sensitive Information” relevant to an individual’s health. As part of diagnostic and reference testing services, third-party clients may provide NRL with identifiable health records of individuals. Further information will be added to these health records during the process of providing diagnostic services. Electronic health records will be held in a dedicated database that is password protected and only accessible to authorised NRL staff. These staff have signed a confidentiality agreement upon employment to keep this information secure and confidential to protect the client’s privacy. Hard copy health record information (e.g. diagnostic reports) will be securely maintained at NRL premises or securely destroyed as appropriate. Any transmission of diagnostic testing results to clients is password protected.

Sensitive information collected or generated will only be used to provide the diagnostic services as requested by the client, and is only shared with the requesting organisation, or as required by law.

4.4 Personal Information Provided When Visiting NRL Online Sites

NRL collects Personal Information through NRL online sites, for example, when purchasing a QC or EQAS product, requesting marketing information, registering for an NRL workshop or conference, contacting NRL customer service, visiting NRL premises, or responding to NRL questionnaires. This information could include:
  • Contact information including name, address, phone number, or e-mail address
  • Registration information such as organisation, username and password
  • Employment, education and other background information in employment applications to NRL
  • Payment information (such as banking information, payment card number, expiration date, delivery address, and billing address)

5- INFORMATION THAT MAY BE COLLECTED AUTOMATICALLY

When individuals use the NRL online sites, NRL may also automatically collect certain usage and device information as described below.

5.1 IP Address

NRL may record the Internet Protocol (“IP”) address of the computer or other electronic device used when visiting the NRL online sites. An IP address identifies the electronic device being used to access the NRL online sites, which allows NRL to maintain communication with the user’s device as the NRL online site is navigated.

5.2 Cookies and Other Tracking Technologies

NRL also collects information about the use of the NRL online sites through tracking technologies such as cookies and web beacons. A “cookie” is a small piece of data, typically containing a unique identifier, that a website stores on the user’s device in order to track interests and preferences and to recognise return visitors. A “web beacon” is a transparent graphic image placed on a website, e-mail or advertisement that enables the monitoring of user activity and website traffic. These technologies help remember preferences and allow NRL to offer the content and features that are likely to be of greatest interest on the basis of “clickstream” information from previous visits and activities on the NRL online sites.

5.3 Mobile Tracking

Some NRL online sites are available as mobile applications or mobile sites that can be accessed using mobile devices. If a mobile device accesses the NRL online sites, the following mobile-specific information may be collected in addition to the other information described above:

  • device or advertising ID
  • device type
  • hardware type
  • media access control (“MAC”) address
  • international mobile equipment identity (“IMEI”)
  • the version of the mobile operating system
  • the platform used to access or download the NRL online site (e.g., Apple, Google, Amazon, Windows)
  • location information and usage information about the device and the use of the NRL online sites.

6- INFORMATION COLLECTED FROM OTHER SOURCES – SURVEYS

NRL routinely seeks feedback about its products and services through customer surveys electronically and in hard copy. In analysing this feedback, IP addresses and Personal Information may be stored as a means to verify and validate the responses collected.

7- HOW NRL MAY USE PERSONAL INFORMATION

NRL may use Personal Information to communicate with individuals, provide advice regarding the products and services requested, to improve the user experience of NRL, to improve NRL’s products and services and for other business purposes.

7.1 Providing Products and Services

If a client purchases NRL’s products or services, NRL uses the Personal Information provided to manage orders and invoices, to process payments, to respond to client questions, to provide clients with the requested products or services, and to offer an optimal client experience.

7.2 Marketing

Clients may also receive marketing information from NRL, such as offers regarding NRL products or services, invitations to participate in surveys about NRL’s products, or notifications about special events such as Workshops or Training. In such cases, NRL will use client contact details and other Personal Information to send this marketing information.

7.3 Customised User Experiences

The Personal Information provided may be used to create customised offers or services tailored to a specific client’s interests and preferences. Also, NRL may use the IP address and the information that is automatically obtained through the use of cookies or similar tracking technologies to make NRL online sites more intuitive and user friendly. This allows customisation of the content provided on the NRL online sites by anticipating the information and services that may be of interest.

7.4 Business and Product Improvement

In order to help NRL better understand customer needs and improve, develop, and evaluate products, services, materials, and programmes, NRL analyses the information that the clients have provided. For these purposes, NRL does not use information that can directly identify an individual client.

7.5 Site Analytics and Improvement

NRL may use the information provided and the information automatically collected through NRL online sites, to monitor user traffic patterns and preferences for site improvement, analytics, and optimisation.

8- LEGAL BASIS FOR PROCESSING

Under European information protection laws, NRL must have a legal basis to process an individual’s Personal Information. The legal basis that applies in a particular instance will depend on the specific purposes described above for which NRL is processing the Personal Information:

  • In certain instances, NRL may ask for client consent to collect and process Personal Information. Should the client choose to provide consent, consent can later be withdrawn by contacting NRL as described in the “Privacy Choices” section. Please note that the withdrawal of consent will not affect processing which has already occurred.
  • In other instances, the processing of Personal Information may be necessary in order to comply with an applicable law or regulation or for the performance of a contract. In this situation the client may not be able to opt out of this data processing, or the choice to opt out may impact NRL’s ability to perform a contractual obligation otherwise owed to the client.
  • In other instances, NRL may process Personal Information based on NRL’s legitimate interests in communicating with the client about our products and services, and about scientific research and educational opportunities. The client has the right to opt out of all such processing of Personal Information as described in the “Privacy Choices” section.

9- INFORMATION WE SHARE

9.1 Affiliates, Distribution Channel Partners, Vendors and Suppliers

NRL has relationships with affiliates, distribution channel partners, vendors, and suppliers, who assist NRL to operate the business and for whom it may be necessary to have access to Personal Information in the course of providing services to NRL or in connection with the sale and distribution of NRL’s products and services. NRL will not authorise these parties to use Personal Information for any purpose that is not related to the business operations of NRL or its affiliates, and NRL does not share Personal Information from countries that require consent, unless appropriate consent has been obtained in advance of sharing with affiliates. NRL requires affiliates, distributors, vendors and suppliers to handle your Personal Information in accordance with this Privacy Policy.

NRL does not sell or disclose Personal Information to third parties for marketing purposes.

9.2 Co-Branded Sites

NRL may partner with other companies to provide clients with content or services on a joint or “co-branded” basis. At a co-branded site both the NRL logo and the logo of the co-branding partner is displayed on the relevant site or product. The client should read the individual privacy policies of NRL’s co-branding partners, as they may differ in some respects from NRL’s. Reading these policies will help clients make an informed decision about whether to provide personal information to a given site.

9.3 Product Reports

If clients contact NRL regarding their experience in using one of our products, NRL may use the information provided in submitting reports to the applicable government regulatory authority, as required by law.

10- LEGAL RIGHTS AND OBLIGATIONS

In certain limited circumstances, NRL may need to disclose Personal Information in order to comply with a legal obligation or demand, such as to comply with reporting obligations to applicable governing regulatory authorities regarding the safety of NRL’s products, or in connection with the sale or transfer of one of NRL’s product lines or divisions, which includes the services provided through one or more of NRL’s affiliates. In such instances, NRL will take measures to protect Personal Information to the fullest extent possible. NRL also reserves the right to use Personal Information to investigate and prosecute clients who violate NRL’s rules or who engage in behaviour that is illegal or harmful to others or to others’ property.

11- CHANGE IN ORGANISATION

In the event NRL decides to reorganise or divest its business through sale, merger, or acquisition, NRL may share Personal Information with actual or prospective purchasers. NRL will require any actual or prospective purchasers to treat this Personal Information in a manner consistent with this Privacy Policy.

12- CHILDREN’S PRIVACY

NRL does not knowingly collect or use any Personal Information directly from children (NRL defines “children” as minors younger than 18), except as requested for diagnostic confirmatory testing. NRL does not knowingly allow children to order NRL’s products, to communicate with NRL, or to use any of NRL’s online services. NRL requires all staff to sign a ‘working with children’ agreement upon employment.

13- INFORMATION SECURITY

NRL maintains reasonable technical, administrative, and physical controls to secure any Personal Information collected. However, there is always some risk that an unauthorised third party could intercept an internet transmission, or that someone will be able to bypass our security systems. NRL advises clients to exercise caution when transmitting Personal Information over the internet, especially in respect of financial information. NRL cannot guarantee that unauthorised third parties will not gain access to Personal Information; therefore, when submitting Personal Information to NRL, the client must weigh both the benefits and the risks.

13.1 Breach of Privacy

In the event of a breach of privacy or the suspicion that a data breach has occurred, NRL will follow the requirements and process detailed in P-SM-0410 Data Breach Response Procedure to contain, assess and respond to data breaches in a timely fashion, to mitigate potential harm to affected individuals.

13.2 Storage and disposal of information

The Personal Information NRL collects may be stored for seven years following the most recent interaction, after which point it will be archived only for so long as reasonably necessary for the purposes set out in this document and in accordance with applicable laws.

Electronic and hardcopy information is securely stored on-site or securely stored off-site at a datacentre compliant with ISO 27001: Information security, cybersecurity and privacy protection — Information security management systems — Requirements.

NRL uses appropriate security measures when destroying personal information including shredding paper documents and records and permanently deleting electronic records on their statutory expiration.

NRL retains personal information only as long as reasonably necessary to fulfil the purposes for which the information was collected or for legal or business purposes.

14- PRIVACY CHOICES

Clients and individuals using NRL products and services have the right to see and obtain a copy of the relevant Personal Information that NRL maintains as well as to request amendments or corrections to inaccurate or incomplete Personal Information. Clients and individuals may also request the erasure of Personal Information or the restriction of or objection to the processing of Personal Information. To seek access to Personal Information being held, to file a concern, complaint, or request for correction, or to opt out of particular programs, the Privacy Officer may be contacted via the “Contact Us” link on www.nrlquality.org.au site, or by e-mailing [email protected].

In all communications to NRL, the e-mail address, website address, mobile application and/or specific NRL product to which the Personal Information was provided should be stated, together with a detailed explanation of the request. A response will be provided to all reasonable requests in a timely manner; NRL may need to further confirm an individual’s identity before processing certain requests.

If an individual is unable to resolve a problem directly with NRL, they may contact their local data protection (supervisory) authority.

15- GENERAL DATA PROTECTION REGULATION (GDPR)

The General Data Protection Regulation is a Regulation in EU law on data protection and privacy in the EU and the European Economic Area. The GDPR is an important component of EU privacy law and of human rights law, in particular Article 8 of the Charter of Fundamental Rights of the European Union. EDCNet is obliged to comply with the GDPR due to the locations of its clientele.

Maintaining compliance under the GDPR is performed by the Controller 1 (Quality Control (QC) Services Scientist Grade 2), the Data Protection Officer 2 (SVI Information Technology and Cyber Security Manager) and the Processor 3 (Not applicable).

15.1 Conditions for Consent

  • Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
  • If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
  • The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
  • When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

1 Controller – implements appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.

2 The duties of a Data Protection Officer include working towards compliance with all relevant data protection laws, monitoring specific processes such as data protection impact assessments or the awareness-raising and training of employees for data protection, and collaborating with the supervisory authorities.

3 Processor – where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

15.2 User Obsolescence

User information cannot be deleted from the EDCNet database, but it may be obfuscated. This will be performed by NRL QC Services staff when requested by a customer.
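The policy says a record that cannot be deleted is “obfuscated” but does not say what that involves. The following is an added illustration, not NRL’s or EDCNet’s own procedure, of one common way to do it: identifying fields are replaced with keyed pseudonyms (HMAC-SHA256) so that the row and its audit history stay linkable while no direct identifier remains, and a check confirms nothing identifying survived. The field names, the sample record and the demo key are all constructed for the example; in practice the key would be held outside the database and destroyed once the pseudonyms no longer need to be linkable.

```python
import hashlib
import hmac

# Assumed field names; the policy does not list EDCNet's schema.
IDENTIFYING_FIELDS = ("name", "email", "phone", "address")

# Constructed demo key. A real key lives outside the database (e.g. a secrets
# manager); destroying it turns the pseudonyms into irreversible tokens.
DEMO_KEY = b"demo-only-key-do-not-use-in-production"

# Constructed sample record standing in for a user row that cannot be deleted.
SAMPLE_RECORD = {
    "user_id": 4711,
    "name": "Jane Bloggs",
    "email": "jane.bloggs@example.org",
    "phone": "+61 3 0000 0000",
    "address": "1 Example Street, Fitzroy VIC 3065",
    "organisation": "Example Pathology",
    "role": "Laboratory manager",
    "created": "2019-03-04",
}


def pseudonymise_record(record: dict, key: bytes) -> dict:
    """Return a copy of `record` with each identifying field replaced by a keyed pseudonym.

    HMAC keyed with a secret held separately from the data: the token cannot be
    reversed without the key, yet the same value under the same key always gives
    the same token, so history rows for the same person remain linkable.
    The field name is mixed into the MAC so equal values in different fields
    do not produce equal tokens.
    """
    out = dict(record)
    for field in IDENTIFYING_FIELDS:
        value = out.get(field)
        if value is None:
            continue
        normalised = str(value).strip().lower().encode("utf-8")
        tag = hmac.new(key, field.encode("utf-8") + b"\x00" + normalised,
                       hashlib.sha256).hexdigest()[:16]
        out[field] = f"redacted-{field}-{tag}"
    out["obfuscated"] = True  # marker so downstream code can tell the row was processed
    return out


def leaks_identifiers(obfuscated: dict, original: dict) -> list:
    """Return the identifying fields whose original value still appears anywhere in the record.

    Run after pseudonymisation as a sanity check: free-text fields (notes,
    comments) are a typical place for a name or e-mail to survive.
    """
    blob = " ".join(str(v) for v in obfuscated.values()).lower()
    return [f for f in IDENTIFYING_FIELDS
            if original.get(f) and str(original[f]).strip().lower() in blob]


if __name__ == "__main__":
    cleaned = pseudonymise_record(SAMPLE_RECORD, DEMO_KEY)
    for k, v in cleaned.items():
        print(f"{k:13} {v}")
    print("leaked identifiers:", leaks_identifiers(cleaned, SAMPLE_RECORD))
```

Running the block prints the pseudonymised row and an empty leak list. Pseudonymisation of this kind is not erasure: while the key exists the tokens can be regenerated from the original values, so a request handled this way should be recorded as restriction or pseudonymisation rather than deletion.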

15.3 Training

The Data Protection officer is also responsible for monitoring specific processes, such as data protection impact assessments or the awareness-raising and training of employees for data security and/or possible data breach. The Controller and the Processor will undertake the mandated Cybersecurity Awareness Training being presented by the Information Technology and Cyber Security Professional Services department.

15.4 Rights of the Data Subject 4

Clients and individuals using EDCNet and other NRL on-line services have the right to see and obtain a copy of the relevant Personal Information that NRL maintains as well as to request amendments or corrections to inaccurate or incomplete Personal Information. Clients and individuals may also request the erasure of Personal Information or the restriction of or objection to the processing of Personal Information. To seek access to Personal Information being held, to file a concern, complaint, or request for correction, or to opt out of particular programs, the Controller may be contacted by emailing [email protected].

4 Data Subject – the Customer.

16- CHANGES TO OUR PRIVACY POLICY

NRL will only use Personal Information in the manner described in the Privacy Policy that is in effect at the time that the information was collected or as authorised by the client. However, and subject to any applicable consent requirements, NRL reserves the right to change the terms of this Privacy Policy at any time. Any changes to this Privacy Policy will be reflected on this page with a new effective date.

17- REFERENCES

Australian Privacy Principles (APPs)

https://www.oaic.gov.au/assets/privacy/australian-privacy-principles/the-australian-privacy-principles.pdf

General Data Protection Regulation

https://gdpr-info.eu/

Privacy Act 1988

P-SM-0410 Data Breach Response Procedure