Privacy Notice

The MSBase Foundation Limited
iMed Privacy Notice v1.0 | Effective Date: 17 June 2020


1. GENERAL

1.1 The MSBase Foundation Ltd (ABN 23 109 714 310) (Foundation) is committed to protecting the privacy of personal information which the organisation, and/or the organisation’s Service Provider(s), collects, holds, and administers. Personal information is information which directly or indirectly identifies a person. This Privacy Notice (Privacy Notice) explains how we ensure that your personal data is handled in compliance with applicable legislation and sets out the principles governing our use of the personal information which we may obtain about you. The Privacy Notice applies to all users of the iMed Website (iMed.org) and the iMed User Portal (portal.imed.org), the iMed Software and related user Support Services, which are run and provided by the Foundation. We will only collect, store, and process your personal data as set out in this Privacy Notice. Below you will find information on how we use your personal data, for which purposes your personal data is used, with whom it is shared and what control and information rights you may have.

We define the following as our “Online Services”

• iMed Website www.imed.org
• iMed User Portal portal.imed.org

We define the following as our “Licenced Products”

• iMed Software

We define the following as our “Support Services”

Correspondence to seek Support Services for the installation, use and maintenance of the Licenced Products and the Online Services.

1.2 By using the iMed Website, creating an iMed user account through the iMed User Portal, registering to download the iMed Software or receive Support Services, you agree to the use of your data according to this Privacy Notice. We ask you to read this Privacy Notice carefully.

1.3 We need to use your personal data to be able to operate our business and meet our obligations and responsibilities in relation to our clients, applicable legislation, and good industry practice.

2. DATA CONTROLLER AND DATA PROTECTION OFFICER

2.1 The Foundation is the data controller for the processing of your personal data and is responsible for ensuring that the processing is carried out in accordance with applicable legislation. If you have any questions regarding the processing of your personal data, you will find our contact details at the end of this Privacy Notice.

2.2 We have designated a data protection officer (DPO) who will monitor our compliance with applicable data protection legislation. You can contact the DPO on the contact details provided at the end of the Privacy Notice.

3. OUR USE OF YOUR PERSONAL DATA

3.1 In general, we collect, use, store and process your personal information to provide our Services, and to fix and improve them.

3.2 If you wish to access our Online Services, Support Services or download the iMed Software, you may provide your personal data for the following purposes:

• To use the iMed.org Website
• To create an iMed user account through the iMed User Portal
• To register to receive downloads of the iMed Software and user Support Services
• To enter into agreements with the Foundation regarding your use of the Online Services, iMed Software, and Support Services
• To allow the Foundation to keep a record of registered users and audit trails
• To allow users to securely install and use the iMed Software
• To allow the Foundation to send users notifications and news about the iMed Software and Services

3.3 Below you can find more information about our processing of your personal data.

4. COLLECTION OF PERSONAL DATA

4.1 The personal data that we process about you are data that you have provided us with or that we have otherwise acquired during our business relationship. You may provide the Foundation with personal information about yourself when you:

• Visit the iMed.org Website or the iMed User Portal
• Create an iMed user account through the iMed User Portal
• Log in to your iMed user account or edit your iMed user account
• Register to download the iMed Software
• Contact the Foundation or its third-party Service Providers to request Support Services by way of email correspondence or other written documentation such as letters, or by telephone
• Share information with us through other means, such as meetings, conversations, social media, events, or online forms
• Enter into agreements with the Foundation

4.2 We may also collect or receive information about you from other sources, such as:

• The MSBase Registry owned and operated by the Foundation
• The Foundation’s contracted third-party service providers

5. RETENTION OF PERSONAL DATA

5.1 We retain your personal data only for as long as is necessary for the purposes for which we originally collected the data in accordance with this Privacy Notice. The length of time for which we retain personal information depends on the context and cannot in all cases be specified in advance. When we no longer need to save your data, we will remove it from our systems.

5.2 See section 7 for choices about storage of your personal information.

6. WITH WHOM DO WE SHARE YOUR PERSONAL DATA?

6.1 We may share personal data with third parties that are trusted recipients and with whom we have an agreement ensuring that your personal data is processed in accordance with this Privacy Notice. We may therefore share data with:

• Service Providers. We share your personal information with other companies we use to support our Services. These companies provide customer and IT support. We have contracts with our Service Providers that address the safeguarding and proper use of your personal information.
• Regulatory bodies. We may share your personal information to follow applicable law or to respond to a legal process.
• Consent. We may share your personal information in other ways if you have asked us to do so or have given consent. For example, with your consent, we post user testimonials that may identify you.

6.2 In certain circumstances, we may need to disclose data upon request from authorities or to third parties in connection with court proceedings or business acquisition or combination processes or other similar processes.

6.3 We will not sell your personal data.

7. WHERE DO WE STORE YOUR PERSONAL DATA?

7.1 The Foundation will mostly only process your personal data within Australia or Switzerland. Personal data is stored in Microsoft Azure servers in South East Australia. We may also store some personal data on Atlassian Cloud, JIRA Service Desk to assist us in providing professional Support Services. As part of our performance of client matters, we may in individual cases need to transfer personal data to third countries. If we engage in such transfer, we will ensure that there is a legal basis for the transfer and that the level of protection is equivalent to that applicable within the EU/EEA, either by ensuring that the country has an adequate level of protection, that we have taken adequate protective measures, that you have given your explicit consent or that the transfer is necessary with regards to the purposes set out in article 49 of the GDPR.

8. YOUR RIGHTS

This section describes many of the actions you can take to change or limit the collection or use of your personal information.

8.1 Our responsibility for your rights

8.1.1 In our capacity as data controller, we are responsible for ensuring that your personal data is processed in compliance with the law and that you can exercise your rights. You may contact us at any time if you wish to exercise your rights. You will find the contact details at the end of this Privacy Notice.

8.1.2 We have an obligation to respond to your requests to exercise your rights without undue delay and in any event within one month of receiving your request. If your request is complex or if we have received many requests, we have the right to extend this deadline by two more months. If we are unable to take the action you request within one month, we will inform you of the reason for the delay and of your right to lodge a complaint with a supervisory authority and to seek a judicial remedy.

8.1.3 You will not be charged for any information, communication, or measures that we implement. However, if your request is manifestly unfounded or excessive, we may charge an administrative fee for providing the information or taking the action requested or refuse to act on your request altogether.

8.2 Your rights to access, rectification, erasure, and restriction

You have the right to request:

8.2.1 Access to your personal data. This means that you have the right to request access to personal data that we hold about you. You also have the right to be provided, at no cost to yourself, with a copy of the personal data that we are processing. We have the right to charge a reasonable administration fee if you request further copies. If you make a request in electronic form, e.g. via email, we will provide you with the information in a commonly used electronic format.

8.2.2 Rectification of your personal data. At your request or on our own initiative, we will correct, anonymise, delete, or complete data that we know to be inaccurate, incomplete, or misleading. You also have the right to complete any incomplete personal data if something relevant is missing.

8.2.3 Erasure of your personal data. You have the right to request that we delete your personal data if there is no compelling reason for us to continue processing the data. Personal data should therefore be erased if:

      • they are no longer needed for the purpose for which we collected them,
      • we process your data based on consent provided by you and you withdraw your consent,
      • you object to us processing your data after a legitimate interest assessment and we have no compelling interest that overrides your interests and rights,
      • we have processed the personal data unlawfully, or
      • we have a legal obligation to erase the personal data.

    8.2.4 However, there may be legal requirements or other compelling reasons that prevent us from immediately erasing your personal data. We will then stop processing your personal data for purposes other than compliance with the law or where there are no compelling legitimate grounds for doing so.

    8.2.5 We will take all reasonable measures possible to notify everyone who has received personal data as stated in Sections 6 and 7 above if we have rectified, erased or restricted access to your personal data after you have requested us to do so. If you request information on recipients of your personal data, we will inform you about the recipients.

        • you consider your data to be inaccurate and you have requested rectification as defined in paragraph 8.2.2, while we establish the accuracy of the data,
        • the processing is unlawful, and you do not want the data to be erased,
        • as the personal data controller, we no longer need the personal data for our processing purposes, but you need them to be able to establish, exercise or defend a legal claim, or
        • you have objected to processing as defined in paragraph 8.3.1, while waiting for us to consider whether our legitimate interests override yours.

    8.3 Your right to object to processing

    8.3.1 You have the right to object to the processing of your personal data if our processing is based upon legitimate interests or public task. If you object to such processing, we will only continue to process your data if we have compelling reasons for doing so that override your interests.

    8.4 Your right to data portability

    8.4.1 You have the right to data portability. This means the right to receive your personal data in a structured, commonly used, and machine-readable format, and to request that these data are transferred to another personal data controller. The right to data portability only applies when the processing is being carried out by automated means and our lawful basis for processing your data is your consent or for the performance of a contract between you and us.

    8.5 Your right to object

    8.5.1 You have the right to raise questions or complaints with your local data protection authority at any time.

    9. PROTECTION OF YOUR PERSONAL DATA

    9.1 We want you to feel confident about providing us with your personal data at all times. We have therefore taken appropriate security measures to protect your personal data against unauthorised access, alteration, and erasure. Should a security breach occur that may materially impact you or your personal data, e.g. risk of fraud or identity theft, we will contact you to explain what action you can take to mitigate potential adverse effects of the breach.

    10. COOKIES

    10.1 What are cookies and how do we use them

    10.1.1 We may use Cookies (Cookies), which are text files containing small amounts of information that are downloaded on your device to store or collect information when you visit our Website.

    10.1.2 Some Cookies are required for technical reasons to allow us to provide you with the Online Services and for you to be able to use some features, such as access to secure areas. These Cookies are called “strictly necessary” or “essential” Cookies. We use these Cookies to:

    • Log you into the iMed User Portal
    • Protect your security
    • Help us detect and fight spam, abuse and other activities that may violate the Foundation’s user terms and conditions
    • Authenticate your access to the Online Services

    10.2 Types of Cookies we use and the purposes they perform

    The following types of cookies are placed:

    10.2.1 First-party Cookies. Cookies set by the Foundation (the owner of the Online Services) are called “first-party Cookies”. Cookies set by parties other than the Foundation are called “third-party Cookies”. The Foundation only makes use of first-party Cookies.

    10.2.1.1 Strictly necessary Cookies. These Cookies are first-party Cookies that are essential for you to browse the iMed Website and allow you to use some of the features of the iMed Website, such as accessing secure areas of the site e.g. the iMed User Portal.

    10.2.1.2 Because Strictly Necessary Cookies are essential to deliver the Online Services, they do not require your consent.

    10.2.1.3 You can block or delete Strictly Necessary Cookies by changing your web browser settings. If you choose to reject Cookies, you may still use our Online Services, but we cannot guarantee that the Website will function correctly and you may not be able to access certain areas of the iMed Website.

    11. CHANGES TO THE PRIVACY NOTICE

    11.1 We have the right to make changes to this Privacy Notice at any time. When we make changes that are not purely editorial, such as formatting, typographical error corrections or other changes that do not materially affect you, we will inform you by posting on the iMed Website or by email before the changes become effective. Please periodically review this Privacy Notice and carefully review any changes made to this Privacy Notice.

    12. HOW TO CONTACT US

    12.1 Do not hesitate to contact us if you have any questions about this Privacy Notice, or the use of your personal information, or if you wish to exercise your rights. The Foundation’s Data Protection Officer can be contacted at the details provided below:

    MSBase Foundation (ABN 23 109 714 310)

    Address: The Alfred Centre, Level 6, 99 Commercial Rd. Melbourne VIC 3004, Australia

    Telephone: +61 3 9342 8070

    E-mail: info@msbase.org