Privacy Policy

Purpose

We, the VCCC Alliance Ltd (ABN 84 140 233 790), manage a powerful partnership of leading research, academic and clinical institutions (the Alliance) working together to accelerate and amplify leading-edge cancer research, knowledge and expertise to benefit the Victorian community. Our multi-site, multi-disciplinary model brings together the complementary strengths of our members and associates. 

We are committed to respecting the privacy and security of personal information relating to individuals who participate in our programs and activities. 

Policy updates

We reserve the right to modify, amend or replace this Privacy Policy at our discretion. Revisions will take effect upon its publication on our website. We encourage individuals to review our Privacy Policy periodically for any changes. 

This version of the Privacy Policy published on 23 January 2026 is the latest version of our Privacy Policy. The past version can be viewed below:

Privacy Policy - 22 March 2022 (superseded)

Compliance with privacy laws

We comply with all applicable privacy laws of Australia, including the Australian Privacy Principles (APPs), which are part of the Privacy Act 1988 (Cth) (Privacy Act) and the Health Privacy Principles (HPPs), which are part of the Health Records Act 2001 (Vic). Where required, we also seek to comply with the Privacy and Data Protection Act 2014 (Vic) (PDPA). In circumstances where the European Union General Data Protection Regulation (GDPR) applies to our activities, we will act in accordance with its requirements, as set out in paragraph 4.

What this Policy covers

This Privacy Policy explains:

1. The kinds of personal information we collect and hold
2. How we collect and hold personal information
3. The purposes for which we collect, hold, use and disclose personal information
4. To whom we will disclose personal information
5. What are our other obligations – research and GDPR
6. How an individual may access their personal information and seek its correction
7. How an individual may complain to us if he or she believes we are not meeting our obligations under the privacy laws of Australia
8. If we use any automated decision-making tools, and if so, what personal information is used by an automated decision-making system, the types of decisions made, and whether the decisions are made by the computer program (solely)
9. How to contact us

1. Kinds of personal information we collect and hold 

What we mean by personal information and sensitive information? 

“Personal information” is any information, or an opinion, about an identified individual or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not. What is personal information will vary. Personal Information may include information such as an individual’s name, date of birth, gender identity, sex, signature, mailing address, e-mail address, phone number, and employment record, to the extent the individual concerned is identified or reasonably identifiable. It may also include the internet protocol (IP) address of the individual’s computer or mobile device, and location data, if such address or information can be reasonably linked to the individual. 

“Sensitive information” is a subset of personal information, and includes information, or an opinion, about an individual’s racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, trade union membership, professional or trade association memberships, sexuality, criminal record, health information, genetic information not otherwise health information, as well as biometric information that is to be used for the purpose of automated biometric verification or biometric identification, or biometric templates. Generally, sensitive information has a higher level of privacy protection than other personal information. 

Kinds of personal information 

We collect and hold different types of personal information about individuals depending on the relationship we have with them. Please refer to the table in Part A of the Schedule for the types of personal information and sensitive information we may collect and hold depending on the circumstance. 

We only collect and hold personal information about an individual if the information is necessary for one or more of our functions or activities. 

Wherever feasible, we will collect and hold de-identified data (data from which personal identifiers such as name and contact details are removed to conduct research and provide services).  In certain instances, we will replace personal identifiers with unique identifiers like codes. 

We will notify individuals at, or before the time, or as soon as practicable thereafter, if we collect personal information about them and will notify individuals of further information on what personal information we will collect/have collected and why, and how it will be used and disclosed, and the consequences of not providing such information. 

Credit card information 

We do not collect any credit card information from individuals. If payment is required, we will use a secure third-party payment gateway provider who will process the payment. Please refer to the third-party payment gateway provider’s privacy policy on its website for information about how the provider collects credit card information. 

Biometric information 

We do not collect any biometric information from individuals. However, we may use third party tools which may collect biometric information from an individual for the purposes of verifying an individual’s identity. If this is the case, please refer to the third-party provider’s privacy policy on its website for more information about how the provider collects biometric information. 

2.  How we collect and hold personal information 

We only collect and hold personal information about an individual by lawful and fair means and not in an unreasonably intrusive way. Where it is reasonable and practicable to do so, we endeavour to collect and hold personal information about an individual directly from the individual. 

When it comes to sensitive information, we only collect and hold sensitive information with the prior informed consent of the individual unless an exception applies or authorised or required by law.

Ways we collect personal information are set out in Part B of the Schedule. 

In some circumstances, we may obtain personal information about an individual from third parties. Third parties may include members and associates of the Alliance, authorised hospitals, and authorised general practitioners. In such cases, we will ensure that such third parties have confirmed that they are legally permitted to share such information with us.

Individuals generally have no obligation to provide personal information to us, however, if individuals choose not to provide information we need, we may not be able to provide them with the requested product or service.

Security of information

We protect personal information we collect and hold from misuse, interference and loss, as well as unauthorised access, modification or disclosure by various means including firewalls, password access, use of secure VCCC Alliance and third party servers, internal information management policies, and staff training. We also use secure third-party programs for administration and management of our activities. Hard copy records, if any, will be stored securely in the VCCC Alliance facilities.

The VCCC Alliance will take reasonable technological and organisational measures as required by the amended APPs to destroy or permanently de-identify personal information it holds once the personal information is no longer needed for any authorised purpose.

3.  The purposes for which we collect, hold, use and disclose personal information 

The purposes for which we collect, hold, use, and disclose personal information vary. In addition to complying with legal and regulatory requirements, some other purposes for which we collect, hold, use and disclose personal information are outlined in Part C of the Schedule.

We will only collect personal information which is reasonably necessary for one or more of our functions or activities. 

Secondary use 

We will only use personal information for a secondary purpose if the individual has given consent, or if they would reasonably expect such use or disclosure, provided the information is4. Who we will disclose personal information to not sensitive and the secondary purpose is related to the primary purpose. If the information is sensitive information, we will ensure that any secondary use is directly related to the primary purpose of collection. Other secondary uses will only occur if required or authorised under applicable privacy laws of Australia. 

Direct marketing 

We may use personal information of an individual for the purpose of marketing events and activities to that individual unless they have requested not to receive such materials. An individual may opt out of these communications at any time by contacting us using the contact details below. 

4. Who we will disclose personal information to

We will only disclose an individual’s personal information if the individual consented to such disclosure or if such disclosure is permitted under the applicable privacy laws of Australia. 

We may disclose an individual’s personal information to the below range of people or entities: 

• Affiliated members and associates of the Alliance
• Service providers engaged by us to perform functions on our behalf e.g. processing credit card information, order fulfilment, mailouts, shipping, debt collection, marketing, research, advertising, and auditors
• Third parties authorised by an individual to receive information we hold
• Funding bodies, government authorities, law enforcement agencies and regulators when required
• External organisations involved in program delivery or placements (such as educational institutions or host organisations) 

 
Overseas recipients

It is unlikely that we will disclose individuals’ personal information outside of Australia. If we do disclose such information outside of Australia, we will notify and seek prior consent from individuals in advance. We will take reasonable steps to ensure that overseas recipients will handle individuals’ personal information in accordance with the Australian Privacy Principles.

From time to time, we may engage third party IT service providers (including cloud software providers) to assist with the collection, storage and processing of personal information. Some of these third parties may be located outside Australia. We will take all reasonable steps to ensure that these third parties comply with the applicable privacy laws of Australia in the transfer of individuals’ personal information.

5. Other obligations  

Research

All research in Australia involving humans must be reviewed and approved by the Human Research Ethics Committee (HREC). Before an individual takes part in a research project directly carried out by us, we will provide the individual with detailed information regarding:

• the purpose of the research project
• what is required from the individual to participate in the research project
• what personal information will be collected or created during the research project and how it will be used, stored and disclosed.

Participation in research projects is voluntary. If an individual does not wish to take part, the individual does not have to, and the individual can withdraw at any time. Not taking part in a research project does not affect the care that an individual receives. 

We will ensure our practices are consistent with the principles and responsibilities of the Australian Code for the Responsible Conduct of Research when we conduct research projects. We will obtain prior written consent from individuals before using their personal information in a research project directly carried out by us.

For some research projects directly carried out by us, after removing an individual’s name and other readily identifiable information (i.e. de-identification), we will share results obtained from the individual’s participation and other participants with the greater research community via established public scientific databases in Australia and overseas. Some of these databases are publicly viewable by anyone with internet access, and some are restricted to qualified researchers. Results of our research projects may also be presented in public talks or written articles, but information will not be presented that readily identifies an individual personally.

GDPR obligations 

When conducting activities outside Australia, the Alliance may also be subject to privacy laws of the jurisdiction in which they are operating. In respect of individuals who are European Union residents, the Alliance may also be subject to the privacy laws of the European Union.  Even where we are not bound by the privacy law of a jurisdiction, we strive to act consistently with the privacy principles and laws that apply wherever we operate. 

Where applicable, we will comply with the principles of data protection set out in the General Data Protection Regulation (GDPR) with respect to “personal data” collected from residents of the European Union. The meaning of personal data is similar to personal information as it includes any information relating to an identified or identifiable natural person. 

Under the GDPR principles: 

• we may process your personal data as a Processor and/or to the extent that we are a Controller as defined in the GDPR
• we must establish a lawful basis for processing your personal data. The legal basis for which we collect your personal data is set out in Part C of the Schedule and includes without limitation, where:
  •  it is necessary for our legitimate interests or to fulfil a contractual or legal obligation
  • it is necessary to protect your life or in a medical situation, it is necessary to carry out a public function, a task of public interest or if the function has a clear basis in law
• we will only collect your personal data with your express consent for a specific purpose, to the extent necessary and not excessive of that purpose
• we will keep your data secure and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage
• we do not collect or process any personal data from you that is considered sensitive personal information under the GDPR, such as personal data relating to your sexual orientation or ethnic origin unless we have obtained your explicit consent or it is being collected subject to and in accordance with the GDPR
• you must not provide us with your personal data if you are under the age of 16 without the consent of your parent or someone who has parental authority for you. We do not knowingly collect or process the personal data of children.

As the VCCC Alliance head office is based in Melbourne, Victoria, Australia, personal data collected from European residents will be transferred out of the European Union. We have implemented appropriate safeguards in connection with the transfer of personal data from the European Union. We will also use best endeavours to ensure that any third-party recipient located outside the European Union will take steps to safeguard the personal data transferred or disclosed to such a recipient.

6. Accessing and correcting personal information

The VCCC Alliance endeavours to ensure that the personal information it holds is accurate, complete and up to date. Individuals may contact us using the details below to request access to their personal information and to request for it to be corrected, updated, deleted, or transferred to another organisation. Individuals may also request that the processing of their personal data be restricted or object to their personal data being processed.

If an individual makes a request, we will ask the individual to verify his/her identity and specify the information he/she requires access/correction etc. The VCCC Alliance may charge a fee to cover the costs of fulfilling the request to the extent permitted by law.

7. Making a complaint 

An individual (the Complainant in this section) may make a complaint about our handling of personal information by writing to us using the details below. We will promptly acknowledge receipt of the complaint and will endeavour to deal with the complaint and to provide a response within a reasonable time following receipt of the complaint (generally within 30 days of receipt of complaint).  Where a complaint requires a more detailed investigation, it may take longer to resolve.  If this is the case, then we will provide the Complainant with regular progress reports.

We reserve the right to verify the identity of the Complainant and to seek further information from the Complainant if necessary.

We will provide our determination on the complaint to the Complainant in writing.

Please note that we may refuse to investigate or to otherwise deal with a complaint if we consider the complaint to be vexatious or frivolous.

If the Complainant is not satisfied with our response, the Complainant may contact the Office of the Australian Information Commissioner (OAIC). Further information can be found on the OAIC website.

Office of the Australian Information Commissioner
Postal address: GPO Box 5288 Sydney NSW 2001
Phone: 1300 363 992
Website: www.oaic.gov.au

8. Use of automated decision-making tools

We do not use automated decision-making tools. 

9. Contacting the VCCC Alliance

Any questions or comments that you have concerning this Privacy Policy or the VCCC Alliance's privacy practices, requests to not receive any marketing material, as well as any requests for access to your personal information held by the VCCC Alliance, or complaints should be directed to:

Craig Zanker, VCCC Alliance Chief Operating and Finance Officer
E: [email protected]