Charlie Teo Foundation (ABN 57 622 041 061) is a registered charity whose mission is to raise and fund brain cancer research in Australia and worldwide. Charlie Teo Foundation is also the sponsor of a Brain Tumour Biobank (Biobank). We will only collect personal information that is reasonably necessary for us to perform our charitable activities.

The CTF Group includes Charlie Teo Foundation, its affiliates, and any other entity related to the Charlie Teo Foundation from time to time (CTF Group).

This Privacy Policy applies to the CTF Group, including its affiliates and related entities (from time to time) when the CTF Group is handing personal information including health information, unless that affiliate or related entity has adopted a separate privacy policy.

This document sets out our policies for managing your personal information and is referred to as our Privacy Policy.

In this Privacy Policy, "we", "us" and “our” refers to the CTF Group and "you" and “your” refers to any individual about whom we collect personal information.

This Privacy Policy sets out how we collect, store, process, use and disclose personal information (including personal information we collect, and personal information submitted to us, whether offline or online).

Other terms and conditions may apply to you such as:

• the privacy terms and conditions contained in the Charlie Teo Foundation Terms and Conditions (as applicable to you); and
• the collection notices and privacy statements which may be provided to you at the time when your personal information is collected (for example, when you make a donation to the Charlie Teo Foundation).

“Personal information” is defined in the Privacy Act, and means information or an opinion about an identified individual, or an individual who is reasonably identifiable:

• whether the information or opinion is true or not; and
• whether the information or opinion is recorded in a material form or not.

In this Privacy Policy, whenever we use the term “personal information”, we are referring to this legal definition.

Personal information does not include aggregated or de-identified data.

In our role as sponsor of the Biobank, we may also collect health information, which is a particular subset of personal information. “Health Information” is a kind of “sensitive information” also defined in the Privacy Act, and means:

• information or an opinion about the health or disability of an individual;
• information or an opinion about an individual’s expressed wishes about the future provision of health services to that individual; or
• personal information collected to provide, or in providing a health service.

In order to provide you with our services, or to otherwise interact with us, CTF Group may need to collect your personal information.

In summary, we may collect your personal information when you:

• interact with us in person (such as when you visit our premises or attend an event that we are hosting) or via phone or online (including through our website or our social media channels), such as when you contact us to make an enquiry or give us feedback;
• donate to the CTF Group, or when you authorise someone to make a donation on your behalf;
• sign-up, attend, or participate in our fundraising events, or commit to fundraising on behalf of the CTF Group;
• become an ambassador of, or partner with the CTF Group;
• subscribe to receive our latest newsletters containing updates on and research from the CTF Group;
• apply for a position with us (including when you apply for a volunteer position);
• apply for a research grant or Biobank access from the CTF Group; and/or
• if you have consented to donate a biospecimen and related health information to the Biobank;

Summary of personal information we collect and how we collect this information

The types of personal information we usually collect about you depends on who you are and your dealings with us. However, the table below sets out a summary of the personal information we generally collect and how we collect this information:

We may also collect other types of information, which we have summarised below:

In some cases you may provide us with personal information which relates to another person (for example, a referring doctor, an emergency contact or a job referee). If you do so, you agree that you have received permission from these individuals for us to collect, use, and share, their personal information in accordance with this Privacy Policy.

You should also let them know about our Privacy Policy (including the information in this Privacy Policy).

Where possible and lawful, you may interact with us anonymously or using a fake name. For example, if you contact us with a general question or query, we will not record your name or other details unless we need it to adequately respond to your query.

However, for many of our functions and the services we provide, we need information about you including your health information as it may not be practicable for us to deal with you anonymously or pseudonymously on an ongoing basis when providing our services.

If you provide incomplete or inaccurate information to us or withhold personal health information from us we may not be able to provide you with the services you are seeking.

The primary purpose for which we collect your personal information (including health information) will depend on who you are and your interaction with us, for example, if you are a donor, job applicant, student, researcher, contractor, health professional or a family member, carer, guardian.

We have summarised the types of purposes for which we may collect your personal information:

To process your donations, or application to raise funds for the CTF Group

We may collect, store and use your personal information to process your donation and contact you about our work and future fundraising opportunities and events.

To collect biospecimens for the Biobank

We may collect, store and use your personal information, including your health information, to process your Biobank donation.

To enable us to conduct our grant program and research activities

We may collect, store and use your personal information to process your grant application or request for Biobank access and to contact you about our work and future grant applications.

To manage your working relationship with us (including when you are a contractor or volunteer)

We may collect, store and use your personal information to assess your suitability for a position with us, and, if you successfully join us, to manage your working relationship with us.

We may collect, store and use your personal information for administration and management purposes.

To do business with you

We may collect, store and use your personal information about you if you interact with us on a commercial basis (such as if you are a doctor or specialist, service provider, contractor or supplier to us), or you otherwise interact with us on a commercial basis.

To manage and improve our operations and business

We may collect, store and use your personal information to:

• • manage donations and administer billing and debt recovery;
  • manage, monitor, plan and evaluate our services;
  • for our record-keeping and auditing purposes;
  • conduct safety and quality assurance and improvement activities, including quality control of our services and communications with you;
  • train staff (including admin and medical staff);
  • conduct our activities in funding brain cancer research;
  • undertake risk and operational management processes;
  • test and maintain information technology systems;
  • investigate any incidents that may occur (both in relation to cyber security, as well as any health and safety incidents that occur at our premises);
  • handle and respond to any complaints made; and/or
  • assist with service development, to test the effectiveness and customer satisfaction of our products and services, improve the way we provide services to you, and for other quality assurance and compliance purposes.

To create deidentified or aggregate data for data analytics activities

We may collect, store and use your personal information to create de-identified or aggregate data sets (which is no longer personal information). We do this by de-identifying or aggregating your information such as combining your information with information we have about our other customers, and with data we obtain from other sources. We use this de-identified or aggregate data to assist with our business decisions, such as to:

• • help us in understanding trends in behaviour (such as the success of services);
  • improve the services we offer; and
  • develop new services that better meet your preferences and behaviours.

We may share your information with third parties:

• for the reasons for which we collect, store and use that information (see above in section 8);
• for other purposes explained at the time we collect your personal information; or
• where we are otherwise allowed or required to do so under law.

Some of the third parties we may share your information with include the following:

CTF Group entities

We may share your personal information within the CTF Group in order to operate our business and provide services.

Our service providers and advisors

We may share your personal information with a variety of our service providers to assist us with providing and managing our services. These may include our:

• • event and catering companies that assist us to conduct our fundraising events and activities;
  • fundraising providers and platforms;
  • payment processing providers;
  • IT service providers and third party storage providers;
  • data analysis organisations; and
  • professional advisors and consultants (such as legal, insurance and financial advisors).

Healthcare providers

If you consent to donate to the Biobank, we may also share your personal information, with your healthcare providers, including allied health professionals, clinical staff and teams, who are involved in providing you with treatment and managing your healthcare, so that we can obtain your medical records and other relevant health information for the Biobank.

Corporate restructure

We may share your personal information with third parties, whether affiliated or unaffiliated, for the purpose of facilitating or implementing a transfer or sale of all or part of our assets or business or if we undergo any other kind of corporate restructure, acquisition or sale. In this context, your personal information may be transferred to another entity (or if such a sale, transfer, acquisition or corporate restructure is being contemplated by us).

Government and law enforcement agencies

We are sometimes required by certain Commonwealth, State or Territory legislation to report health information and health practitioner information to government agencies, regulatory bodies and law enforcement agencies, and to report patient information to other entities for certain purposes (such as Medicare Australia, NSW Health, the Commonwealth Department of Health and State child protection agencies in relation to children at risk).

If you are a Biobank donor, we may also provide your personal information to a Government agency for the purposes described to you in a participant consent form.

We generally collect and hold your personal information in Australia. However, some of the organisations we may disclose your personal information to are located overseas.  These recipients include our service providers who may handle, process or store your personal information on our behalf.

For example, we may share your personal information with service providers, such as Microsoft and Salesforce, who assist us with storing our data on secure data storage servers, or with improving our services (by analysing data, and conducting patient satisfaction enquiries).

We only ever share your personal information outside of Australia where we are permitted to do so under the Privacy Act and applicable privacy laws. Generally this means we will take reasonable steps to ensure your personal information is treated securely and in accordance with applicable privacy laws.

There are other circumstances where we may disclose your personal information to an overseas recipient. For example, where you have provided your consent or we are otherwise permitted to do so under other relevant laws.

When you provide your personal information to a CTF Group member, we may use that personal information to send you direct marketing communications to keep you informed about the CTF Group to help raise awareness and funds for brain cancer research and communicate with you about our activities, including upcoming fundraising events, campaigns, research activities and outcomes.

We may contact you from time to time, whether by phone, SMS, email or post, to provide you with information regarding our programs, services, events, research forums, promotions and opportunities, or to ask you for your support, either by volunteering, philanthropic donations or otherwise. To help us improve our standards, we may also ask for your feedback through surveys on how you found our services.

We will only send these communications in accordance with applicable privacy and marketing laws (such as the Privacy Act (including Australian Privacy Principle 7) and the Spam Act 2003 (Cth)), and only where you have not opted out from receiving such communications from CTF Group

If you have indicated a preference for a method of communication, we will endeavour to use that method wherever practical to do so.

If you are a Biobank donor, we will not send you direct marketing unless you sign up or subscribe to receive our marketing communications.

How can you opt out?

You are always in control of the direct marketing communications which you receive and can opt-out at any time. Generally you can opt-out by following the relevant opt-out or unsubscribe instructions in the relevant communication (such as email or SMS message).

You can also contact us using the detail set out in section 17 to tell us you would like to stop receiving direct marketing communications from us.

Important points regarding opting out

Importantly, regardless of whether you opt out from receiving any or all direct marketing communications, we will still communicate with you if we are required by law to provide you with information, or in relation to the services we are providing you with (for example, sending you an invoice in relation to a provided service or sending a SMS reminder about your appointment).

Third party links and sites

When you use our websites or receive communications from us, links to websites which belong to other third parties may be included (and are provided for your convenience). You should make your own enquiries as to the privacy policies of these parties. We are not responsible for information on, or the privacy practices of, any third party websites.

Website use and cookies

You may visit our websites without identifying yourself. If you identify yourself (for example, by making an enquiry), any personal information you provide to us will be managed in accordance with this Privacy Policy.

Our websites also use cookies (and we share personal information we collect between members of the CTF Group). A 'cookie' is a small file stored on your computer's browser, which assists in managing customised settings of the website and delivering content. We collect certain information such as your device type, browser type, “click-through” information, IP address, pages you have accessed on our websites and on third-party websites. Depending on the circumstances, this may or may not be personal information.

At a high level, cookies can be used for a variety of reasons, such as to personalise your browsing experience (for example, by remembering your preferences and recognising you as a repeat visitor to our websites), and to track statistics about the usage of our website. This allows us to better understand our users and improve the layout and functionality of our websites.

If you do not wish to receive any cookies (other than those that are strictly necessary) you can use the settings in your browser to control how your browser deals with cookies. However, in doing so, you may be unable to access certain pages or content on our websites.

We are committed to protecting your personal information, and ensuring that we securely store any personal information we collect (and in accordance with applicable privacy laws). We may hold your personal information in hard copy (paper) or electronic form.

We take all reasonable steps to ensure that any personal information we collect, use or disclose is accurate, complete, up-to-date and stored in a secure environment protected from misuse, interference and loss, and from unauthorised access, modification or disclosure.

Security and storage of personal information

Paper-based files

We store personal information in paper-based files in secure storage. Personal information may be collected in paper-based documents and converted to electronic form for use or storage (with the original paper-based documents either archived or securely destroyed).

We maintain physical security measures to ensure that personal information in paper-based files is protected, such as physical locks and security systems at our premises.

Electronic records

We store electronic records in secure databases, using trusted third party storage providers based in Australia. We also maintain physical security measures in relation to storage of our electronic records (such as through locks and security systems at our electronic data stores).

Using technical methods, we also maintain computer and network security. For example, we use firewalls (security measures for the internet) and other security systems such as user identifiers and passwords to control access to our computer systems.

Our websites (including for making payments)

Our websites use encryption or other technologies to ensure that your personal information is securely transmitted via the internet (including to protect any payments you make).

We encourage you to exercise care when sending your personal information via the internet (for example, when communicating with us online, we ask that you do not include your full account or card details).

Biospecimens and related health information

If you have agreed to donate a biospecimen and related health information to the Biobank, this will be securely stored and subject to strict security controls. All biobank participants will be given further information detailing how their personal information (including health information) will be handled.

How long do we keep your personal information?

We will only keep your personal information we store for as long as is necessary for the purposes set out in this Privacy Policy or as required to comply with any applicable legal obligations.

When we no longer require your personal information (and in accordance with any applicable laws), we will take steps to delete, destroy or de-identify that information.

You are entitled to request access to any of your personal information that we have. To make such a request, please contact us using the relevant contact details set out below in section 17.

We will take reasonable steps to ensure that the personal information we collect, use or disclose is accurate, complete and up-to-date. You can help us to do this by letting us know if you notice errors or discrepancies in information we hold about you and informing us of any change in your personal details (for example, if your email address changes or if you move and change address).

If you consider any personal information we have about you is inaccurate, out-of-date, incomplete, irrelevant or misleading, you are also entitled to request correction of the information (again, please contact us). After receiving a request from you, we will take reasonable steps to correct your information.

We may decline your request to access or correct your information in certain circumstances in accordance with the applicable privacy laws. If we do refuse your request, we will provide you with a reason for our decision. In addition, in the case we refuse your request for correction, we will include a statement about your request with the personal information we store.

If you have any questions or concerns about this Privacy Policy or how we have handled your personal information, you may contact us at any time using the relevant contact details set out below in section 17.

Please also contact us if you have a complaint about privacy. If you make a complaint about privacy, the following steps will occur:

1. We will first consider your complaint to determine whether there are simple or immediate steps which can be taken to resolve the complaint. We will generally acknowledge your complaint within a week.
2. If your complaint requires more detailed consideration or investigation:

• • we will aim to acknowledge receipt of your complaint within a week and endeavour to complete our investigation into your complaint promptly; and
  • we may ask you to provide further information about your complaint and the outcome you are seeking.

3. We will then typically gather relevant facts, locate and review relevant documents and speak with the individuals involved.
4. In most cases, we will respond to your complaint within 30 business days from when we receive your complaint. If the matter is more complex or our investigation may take longer, we will let you know.

If you are not satisfied with our response to a complaint, or you consider that we may have breached the Privacy Act (including the Australian Privacy Principles), you are entitled to make a complaint to the Office of the Australian Information Commissioner (the Australian privacy regulator).

The Office of the Australian Information Commissioner can be contacted by telephone on 1300 363 992, or you can fill out an online form on their website to make a complaint about our handling of your personal information. Full contact details for the Office of the Australian Information Commissioner can be found online at www.oaic.gov.au.

We may make changes to this Privacy Policy, with or without notice to you. However, where we make a material change to the Privacy Policy, we will provide notice to you (including by updating our websites, and, where appropriate, notifying you directly). We recommend you visit this Privacy Policy regularly to keep you up to date with any changes we make.

You can contact us using the details below:

CTF GROUP

Phone: You can contact us during business hours (Sydney time) on (02) 8880 8328.

Email: info@charlieteofoundation.org.au

Postal Address: c/o The Commons, 32 York St, Sydney NSW 2000